Skip to main content

Quickstart

Get from zero to a working integration in a few minutes. Start with the CLI if you want the fastest path — one command provisions a vault, agent, access policy, and wires your AI tools (Cursor, Claude Desktop, VS Code, and more).

Fastest path — recommended

Install the CLI and run 1claw setup. It logs you in, creates an agent + vault + policy, and configures MCP for every AI client it detects. No manual curl, no copy-pasting API keys into config files.

brew install 1clawAI/tap/oneclaw   # or: npm install -g @1claw/cli
1claw setup

When setup finishes, your AI assistant can call 1Claw tools (get_secret, list_secrets, and more) at runtime — secrets stay in the vault, not in prompts or .env files. See the CLI guide for all options (--client cursor, --local, existing agent keys).

How 1Claw works

1Claw has two roles. Humans own secrets and decide what agents can access. Agents fetch secrets at runtime through scoped, audited policies — they never get blanket vault access.

RoleYou are…You do…Auth
HumanDeveloper, operator, or team ownerCreate vaults, store secrets, register agents, write policiesEmail/password, Google, passkey, or personal API key (1ck_)
AgentAI assistant, service, or automationList and fetch secrets the human allowed; optionally sign txs or route LLM calls through ShroudAgent API key (ocv_) → short-lived JWT

Same API for both: https://api.1claw.xyz. The dashboard at 1claw.xyz is a UI on top of the same endpoints.


Pick your path

GoalFastest routeSteps
AI assistant with vault access (Cursor, Claude, etc.)1claw setup1 command
Store secrets as a human (scripts, apps, CI)Human path3–4 steps
Agent fetching secrets (service, LangChain, custom code)Agent path2–4 steps
Human grants agent access end-to-endGolden path or 1claw setup4 steps
No cloud / offline secrets1claw init --docker --local or local vaultSee CLI

Fastest: CLI setup

Best for: Cursor, Claude Desktop, Claude Code, VS Code, Windsurf, Zed, Continue — any tool that supports MCP.

brew install 1clawAI/tap/oneclaw
1claw setup

What setup does in one flow:

  1. Login — browser device flow at 1claw.xyz (no password in terminal)
  2. Provision — agent (Shroud + Intents enabled), vault, and read/write policy on secrets/*
  3. Configure — writes MCP config for each detected AI client

Already have an agent key? Skip provisioning:

1claw setup --agent-key ocv_YOUR_KEY

Import existing .env secrets:

1claw login
1claw vault create my-vault # or use default from setup
1claw import .env --vault <vault-id>

Run a command with secrets injected (CI/CD):

export ONECLAW_TOKEN="..."           # or ONECLAW_API_KEY + ONECLAW_VAULT_ID
1claw env run -- npm start

Full command reference: CLI guide.


Human path: store and use secrets

You own the vault. Sign up, create a vault, store a secret, read it back.

Option A — CLI (fewest steps)

1claw login
1claw vault create "My Vault"
1claw secret set api-keys/openai --value "sk-proj-..." --type api_key
1claw secret get api-keys/openai

Option B — Dashboard

  1. Sign up at 1claw.xyz
  2. Vaults → Create vault (or use the onboarding wizard)
  3. Secrets → Add secret at a path like api-keys/openai
  4. Optional: Agents → Register agent and Policies → Grant access

Option C — REST API / SDK

Step-by-step curl and TypeScript examples: Quickstart for humans.


Agent path: fetch secrets at runtime

An agent only sees what a human allowed. Zero access by default until a policy grants specific paths.

How an agent gets credentials

MethodWho initiatesWhen to use
Human registers agentYou in dashboard or 1claw agent createYou control provisioning; share ocv_ key once
Self-enrollmentAgent calls POST /v1/agents/enrollAgent-first flows; human approves via email or link
1claw setupCLI during setupFastest when wiring an AI client

Minimal agent flow (already have ocv_ key)

# Exchange key for JWT (CLI handles refresh automatically in scripts)
1claw agent token <agent-id>

# Or with curl — see full guide
curl -X POST https://api.1claw.xyz/v1/auth/agent-token \
-H "Content-Type: application/json" \
-d '{"api_key":"ocv_..."}'

Then list and fetch secrets the policy allows (metadata vs decrypted value):

1claw secret list --vault <vault-id>    # as agent: set ONECLAW_AGENT_API_KEY

Full walkthrough (enroll, token, list, fetch, share back): Quickstart for agents.

Policies are the gate

An agent with an API key but no policy gets zero secrets. After creating an agent, always add a policy (dashboard, 1claw policy create, or let 1claw setup do it). See Give an agent access.


Ways to integrate

Choose the interface that matches where your code runs:

IntegrationBest forGet started
CLIFastest onboarding, CI/CD, env run, local daemon1claw setup
DashboardVisual setup, policies, audit log, billingSign up → onboarding wizard
MCP ServerAI assistants (Claude, Cursor, GPT) calling vault tools1claw setup or MCP setup
TypeScript SDKNode.js apps, agents, platform backendsnpm install @1claw/sdk
REST APIAny language, curl, PostmanHuman or Agent quickstart
Shroud proxyLLM traffic — redaction, injection detection, vault-backed provider keys1claw proxy or agent with Shroud enabled
Intents APIOn-chain signing without exposing private keysEnable on agent → 1claw agent tx submit
Local vault + daemonOffline dev, secret never in model context1claw local init1claw setup --local
Docker agent runtimeIsolated agent in a container, chat UI on :30001claw init --docker

Common integration patterns

1. AI coding assistant (recommended)

1claw setup --client cursor    # or omit --client for all detected tools

Agent uses MCP tools at runtime; you manage secrets in the vault via dashboard or CLI.

2. Application / backend service

Use the SDK or REST API with a personal API key (1ck_) for human operations, or an agent key (ocv_) for automated fetch. See JavaScript SDK.

3. CI/CD pipeline

export ONECLAW_TOKEN="${{ secrets.ONECLAW_TOKEN }}"
1claw env pull -o .env.production
npm run deploy

4. LLM app with guardrails

Enable Shroud on the agent, store provider keys in the vault, point requests at https://shroud.1claw.xyz. See Shroud and IDE setup.

5. On-chain agent

Enable Intents API, provision signing keys, set transaction guardrails in the dashboard. See Intents API.


End-to-end in four steps (human + agent)

The shortest manual path if you are not using 1claw setup:

  1. Sign up1claw.xyz or 1claw login
  2. Vault + secret1claw vault create + 1claw secret set … (or dashboard)
  3. Agent + policy1claw agent create my-agent + 1claw policy create … (or golden path guide)
  4. Connect — MCP via 1claw setup, SDK in your app, or 1claw agent token + API calls

Prerequisites

RequirementDetails
AccountFree tier at 1claw.xyz — 1,000 requests/month, 3 vaults, 2 agents
CLINode 20+ for npm install -g @1claw/cli, or Homebrew tap above
API base URLhttps://api.1claw.xyz
curl / HTTP clientOnly needed if you skip the CLI and follow the REST quickstarts

Next steps