
OpenClaw: Give Any Agent API Access With Just a System Prompt

beginner, openclaw · openai, anthropic, resend · 3 min read

OpenClaw is the zero-SDK path to Keystore. Instead of installing a package, you paste proxy URLs and your agent token directly into the system prompt. The agent makes HTTP requests to the vault, which resolves the real API keys. Works with any framework, any language, any LLM.

OpenClaw is perfect for agents that write their own code, use tools via function calling, or run in environments where you can't install packages.

What you'll build

An autonomous agent that can call OpenAI, Anthropic, and Resend through Keystore — configured entirely through its system prompt. No SDK, no imports, no config files.

Prerequisites

  • A Keystore account with an agent token
  • Provider keys in your vault (OpenAI, Anthropic, and/or Resend)

The System Prompt Template

This is what you paste into your agent's system prompt:

```text
When making API calls, use the Keystore vault as the base URL
for all providers. Use this agent token for authentication:

  Agent token: ks_your_token_here

  OpenAI:    https://vault.keystore.com/v1/openai
  Anthropic: https://vault.keystore.com/v1/anthropic
  Resend:    https://vault.keystore.com/v1/resend

Pass the agent token as the Authorization Bearer header.
The vault resolves real API credentials on every request.
Never hardcode or expose real API keys.
```

That's the entire integration. Replace ks_your_token_here with your actual agent token.

How the agent makes requests

When your agent needs to call OpenAI, it makes a standard HTTP request but uses the vault URL:

```typescript
// Instead of: https://api.openai.com/v1/chat/completions
// The agent calls: https://vault.keystore.com/v1/openai/chat/completions

const response = await fetch(
  "https://vault.keystore.com/v1/openai/chat/completions",
  {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: "Bearer ks_your_token_here",
    },
    body: JSON.stringify({
      model: "gpt-4o",
      messages: [{ role: "user", content: "Hello from OpenClaw!" }],
    }),
  }
);

const data = await response.json();
```

The vault:

  1. Validates the ks_ token
  2. Checks budgets and rate limits
  3. Decrypts the real OpenAI key
  4. Forwards the request to api.openai.com
  5. Returns the response to your agent

Example: Multi-provider agent with function calling

1. Define the system prompt

```typescript
// The agent token is interpolated into the prompt text, so it becomes
// part of the context the model sees on every turn.
const systemPrompt = `You are a helpful assistant with access to multiple APIs.

When making API calls, use the Keystore vault:
  Agent token: ${process.env.KS_TOKEN}
  OpenAI: https://vault.keystore.com/v1/openai
  Anthropic: https://vault.keystore.com/v1/anthropic
  Resend: https://vault.keystore.com/v1/resend

Always use the vault URLs with the agent token as Bearer auth.

You can:
- Generate text with OpenAI or Anthropic
- Send emails via Resend
`;
```

2. Agent calls the vault directly

```typescript
// The agent decides to send an email via Resend through the vault
const emailResponse = await fetch(
  "https://vault.keystore.com/v1/resend/emails",
  {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: `Bearer ${process.env.KS_TOKEN}`,
    },
    body: JSON.stringify({
      from: "agent@yourapp.com",
      to: "user@example.com",
      subject: "Report Ready",
      text: "Your weekly report has been generated.",
    }),
  }
);
```

Security model

  • The agent only ever sees the ks_ token — never real API keys
  • Each token is scoped to specific providers in the dashboard
  • Budgets and rate limits are enforced at the vault
  • You can revoke the token instantly if the agent is compromised
  • Full audit log of every request the agent makes

The ks_ token grants access to whatever providers you've configured. Scope it tightly — only enable the providers your agent actually needs.
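
The vault enforces provider scope on its side; an agent runtime can apply a matching check before it attaches the token to a URL the model chose, and mask the token before transcripts are logged. This is an added example, not Keystore's code: `checkVaultUrl`, `redactAgentTokens` and the token pattern after the `ks_` prefix are assumptions made for illustration.

```typescript
// Added example: guard for agent-issued requests (not Keystore's own code).
const VAULT_HOST = "vault.keystore.com"; // vault host used on this page

// Assumption: the page documents only the "ks_" prefix; the alphabet and
// minimum length matched after it are guesses made for this example.
const KS_TOKEN_RE = /\bks_[A-Za-z0-9_-]{8,}/g;

interface Verdict {
  ok: boolean;
  provider?: string;
  reason?: string;
}

// Decide whether a URL chosen by the model may receive the agent token.
function checkVaultUrl(raw: string, enabledProviders: string[]): Verdict {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "not https" };
  // Compare the parsed hostname exactly; a prefix match on the raw string
  // would also accept lookalike hosts that merely start with the vault name.
  if (url.hostname !== VAULT_HOST || url.port !== "") {
    return { ok: false, reason: "not the vault host" };
  }
  // url.pathname is already normalised, so "../" segments are resolved
  // before the provider segment is read.
  const m = /^\/v1\/([a-z0-9-]+)\//.exec(url.pathname);
  const provider = m ? m[1] : undefined;
  if (!provider) return { ok: false, reason: "not a /v1/<provider>/ path" };
  if (enabledProviders.indexOf(provider) === -1) {
    return { ok: false, reason: `provider not enabled: ${provider}` };
  }
  return { ok: true, provider };
}

// Mask agent tokens before a transcript or log line is stored.
function redactAgentTokens(text: string): string {
  return text.replace(KS_TOKEN_RE, "ks_[REDACTED]");
}

// Constructed sample inputs.
const sampleEnabled = ["openai", "resend"];
console.log(checkVaultUrl("https://vault.keystore.com/v1/resend/emails", sampleEnabled));
console.log(checkVaultUrl("https://vault.keystore.com/v1/anthropic/messages", sampleEnabled));
console.log(redactAgentTokens("Authorization: Bearer ks_your_token_here"));
```

Keep the `enabledProviders` list identical to the providers enabled for the token in the dashboard, so the client-side check and the vault agree.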

Works with any language

Since OpenClaw is just HTTP + a Bearer token, it works in Python, Go, Rust, or any language with an HTTP client:

```python
# Python example
import requests

response = requests.post(
    "https://vault.keystore.com/v1/openai/chat/completions",
    headers={
        "Content-Type": "application/json",
        "Authorization": "Bearer ks_your_token_here",
    },
    json={
        "model": "gpt-4o",
        "messages": [{"role": "user", "content": "Hello from Python!"}],
    },
    timeout=30,  # requests has no default timeout; without one the call can hang
)
response.raise_for_status()  # surface vault or provider errors before parsing

print(response.json()["choices"][0]["message"]["content"])
```
