This page defines the strict contract enforced by If a target does not match these rules, apply fails before mutating configuration.<\/p>\n “`json5 theme={“theme”:{“light”:”min-light”,”dark”:”min-dark”}} No writes are committed for an invalid plan.<\/p>\n “`bash theme={“theme”:{“light”:”min-light”,”dark”:”min-dark”}}<\/p>\n openclaw secrets apply –from \/tmp\/openclaw-secrets-plan.json –dry-run<\/p>\n openclaw secrets apply –from \/tmp\/openclaw-secrets-plan.json<\/p>\n openclaw secrets apply –from \/tmp\/openclaw-secrets-plan.json –dry-run –allow-exec If apply fails with an invalid target path message, regenerate the plan with Secrets Apply Plan Contract Secrets apply plan contract […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-612","post","type-post","status-publish","format-standard","hentry","category-docs"],"_links":{"self":[{"href":"https:\/\/pa.yingzhi8.cn\/index.php\/wp-json\/wp\/v2\/posts\/612","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pa.yingzhi8.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pa.yingzhi8.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/pa.yingzhi8.cn\/index.php\/wp-json\/wp\/v2\/comments?post=612"}],"version-history":[{"count":3,"href":"https:\/\/pa.yingzhi8.cn\/index.php\/wp-json\/wp\/v2\/posts\/612\/revisions"}],"predecessor-version":[{"id":813,"href":"https:\/\/pa.yingzhi8.cn\/index.php\/wp-json\/wp\/v2\/posts\/612\/revisions\/813"}],"wp:attachment":[{"href":"https:\/\/pa.yingzhi8.cn\/index.php\/wp-json\/wp\/v2\/media?parent=612"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pa.yingzhi8.cn\/index.php\/wp-json\/wp\/v2\/categories?post=612"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pa.yingzhi8.cn\/index.php\/wp-json\/wp\/v2\/tags?post=612"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}openclaw secrets apply<\/code>.<\/p>\nPlan file shape<\/h2>\n
openclaw secrets apply --from <plan.json><\/code> expects a targets<\/code> array of plan targets:<\/p>\n
\n{
\n version: 1,
\n protocolVersion: 1,
\n targets: [
\n {
\n type: “models.providers.apiKey”,
\n path: “models.providers.openai.apiKey”,
\n pathSegments: [“models”, “providers”, “openai”, “apiKey”],
\n providerId: “openai”,
\n ref: { source: “env”, provider: “default”, id: “OPENAI_API_KEY” },
\n },
\n {
\n type: “auth-profiles.api_key.key”,
\n path: “profiles.openai:default.key”,
\n pathSegments: [“profiles”, “openai:default”, “key”],
\n agentId: “main”,
\n ref: { source: “env”, provider: “default”, id: “OPENAI_API_KEY” },
\n },
\n ],
\n}<\/p>\n\n## Supported target scope\n\nPlan targets are accepted for supported credential paths in:\n\n* [SecretRef Credential Surface](\/reference\/secretref-credential-surface)\n\n## Target type behavior\n\nGeneral rule:\n\n* `target.type` must be recognized and must match the normalized `target.path` shape.\n\nCompatibility aliases remain accepted for existing plans:\n\n* `models.providers.apiKey`\n* `skills.entries.apiKey`\n* `channels.googlechat.serviceAccount`\n\n## Path validation rules\n\nEach target is validated with all of the following:\n\n* `type` must be a recognized target type.\n* `path` must be a non-empty dot path.\n* `pathSegments` can be omitted. If provided, it must normalize to exactly the same path as `path`.\n* Forbidden segments are rejected: `__proto__`, `prototype`, `constructor`.\n* The normalized path must match the registered path shape for the target type.\n* If `providerId` or `accountId` is set, it must match the id encoded in the path.\n* `auth-profiles.json` targets require `agentId`.\n* When creating a new `auth-profiles.json` mapping, include `authProfileProvider`.\n\n## Failure behavior\n\nIf a target fails validation, apply exits with an error like:\n\n```text theme={"theme":{"light":"min-light","dark":"min-dark"}}\nInvalid plan target path for models.providers.apiKey: models.providers.openai.baseUrl\n<\/code><\/pre>\nExec provider consent behavior<\/h2>\n
\n
--dry-run<\/code> skips exec SecretRef checks by default.<\/li>\n--allow-exec<\/code> is set.<\/li>\n--allow-exec<\/code> in both dry-run and write commands.<\/li>\n<\/ul>\nRuntime and audit scope notes<\/h2>\n
\n
auth-profiles.json<\/code> entries (keyRef<\/code>\/tokenRef<\/code>) are included in runtime resolution and audit coverage.<\/li>\nsecrets apply<\/code> writes supported openclaw.json<\/code> targets, supported auth-profiles.json<\/code> targets, and optional scrub targets.<\/li>\n<\/ul>\nOperator checks<\/h2>\n
Validate plan without writes<\/h1>\n
Then apply for real<\/h1>\n
For exec-containing plans, opt in explicitly in both modes<\/h1>\n
\nopenclaw secrets apply –from \/tmp\/openclaw-secrets-plan.json –allow-exec
\n“`<\/p>\nopenclaw secrets configure<\/code> or fix the target path to a supported shape above.<\/p>\nRelated docs<\/h2>\n
\n
secrets<\/code><\/a><\/li>\n