Authentication

Learn how to securely authenticate OpenClaw AI agents and applications with the ClawPay platform.

Overview

ClawPay provides on-chain banking infrastructure for autonomous AI agents. Authentication is handled through the Model Context Protocol (MCP) interface for secure, permission-based financial operations.

MCP Authentication

Configure your OpenClaw agent from the agent dashboard.

Agent Key Types

Type

Prefix

Usage

Permissions

Agent Key

ak_live_ or ak_test_

AI agent operations

Autonomous banking operations

Service Key

sk_live_ or sk_test_

Backend services

Full platform access

Observer Key

ok_live_ or ok_test_

Monitoring agents

Read-only access

Environments

Mainnet: *_live_* keys interact with real assets on Solana mainnet
Devnet: *_test_* keys use test SOL and tokens on Solana devnet

MCP Server Configuration

Configure your OpenClaw AI agent to connect to ClawPay's MCP server:

Claude Desktop Configuration

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "clawpay": {
      "command": "npx",
      "args": ["-y", "@clawpay/mcp-server"],
      "env": {
        "CLAWPAY_AGENT_KEY": "ak_live_abc123..."
      }
    }
  }
}

Programmatic MCP Connection

import { Client } from '@modelcontextprotocol/sdk/client/index.js';
import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';

const transport = new StdioClientTransport({
  command: 'npx',
  args: ['-y', '@clawpay/mcp-server'],
  env: {
    CLAWPAY_AGENT_KEY: process.env.CLAWPAY_AGENT_KEY
  }
});

const client = new Client({
  name: 'openclaw-agent',
  version: '1.0.0'
}, {
  capabilities: {}
});

await client.connect(transport);

Direct API Authentication

For non-MCP integrations:

curl https://api.useclawpay.app/v1/accounts \
  -H "Authorization: Bearer ak_live_abc123..." \
  -H "Content-Type: application/json"

Security Best Practices

1. Keep Agent Keys Secret

Never expose agent keys in:

Agent prompt configurations
Public repositories
Log files or error messages
Agent memory/context that might be shared

2. Rotate Agent Keys Regularly

clawpay agents keys create --agent "trading-agent-prod" --name "Q1 2026"
export CLAWPAY_AGENT_KEY="ak_live_new_key..."
clawpay agents keys revoke ak_live_old_key...

3. Use Permission Scopes

const tradingKey = await client.agents.keys.create({
  agentId: 'agent_123',
  name: 'Trading Agent Key',
  permissions: [
    'accounts:read',
    'transactions:create',
    'defi:swap'
  ],
  limits: {
    maxTransactionAmount: 1000_000_000,
    dailyTransactionLimit: 10000_000_000
  }
});

Agent Authorization Policies

Transaction Limits

await agent.security.setLimits({
  maxTransactionAmount: 1000_000_000,
  dailyLimit: 10000_000_000,
  requiresApproval: {
    above: 5000_000_000
  }
});

Multi-Agent Authorization

await client.agents.setAuthorizationPolicy(agentId, {
  type: 'multi_agent',
  requiresConsensus: {
    above: 5000_000_000,
    minAgents: 2,
    approvers: ['agent_treasury', 'agent_risk', 'agent_compliance'],
    votingStrategy: 'majority'
  }
});

Rate Limiting

Tier

Rate Limit

On-Chain Ops/min

MCP Calls/min

Starter

60 API req/min

10 tx/min

120 calls/min

Pro

600 API req/min

60 tx/min

1200 calls/min

Enterprise

Custom

Unlimited

On-Chain Transaction Signatures

All blockchain transactions require proper signing for agent autonomy.

Agent Wallet Configuration

import { ClawPayAgent } from '@clawpay/agent-sdk';
import { Keypair } from '@solana/web3.js';

// Option 1: Use ClawPay-managed wallet (recommended)
const agent = new ClawPayAgent({
  agentKey: process.env.CLAWPAY_AGENT_KEY,
  wallet: 'managed'
});

// Option 2: Bring your own wallet
const keypair = Keypair.fromSecretKey(
  Buffer.from(process.env.AGENT_WALLET_PRIVATE_KEY, 'base64')
);

const agent = new ClawPayAgent({
  agentKey: process.env.CLAWPAY_AGENT_KEY,
  wallet: keypair
});

Transaction Verification

const transaction = await agent.transactions.prepare({
  type: 'transfer',
  from: agentAccountId,
  to: recipientAddress,
  amount: 100_000_000,
  token: 'USDC'
});

const verification = await agent.transactions.verify(transaction);

if (verification.safe && verification.withinLimits) {
  const signature = await agent.transactions.execute(transaction);
  console.log(`Transaction: https://solscan.io/tx/${signature}`);
}

Agent Session Management

const session = await client.agents.sessions.create({
  agentId: 'agent_123',
  expiresIn: '24h',
  permissions: ['accounts:read', 'transactions:create', 'defi:swap'],
  metadata: {
    purpose: 'portfolio_rebalancing'
  }
});

const agent = new ClawPayAgent({
  sessionToken: session.token
});

Encryption & Security

All sensitive data and agent credentials are encrypted:

Agent keys: AES-256-GCM encryption at rest
Wallet private keys: Hardware security modules (HSMs)
Agent memory/state: Encrypted and isolated per agent
Transaction metadata: Zero-knowledge proofs on-chain
MCP communications: TLS 1.3 with certificate pinning

Compliance & Regulatory

ClawPay neobank is compliant with:

SOC 2 Type II: Annual security audits
GDPR: EU data protection and agent data handling
CCPA: California privacy rights
Bank Secrecy Act (BSA): AML/KYC for agent-initiated transactions
FinCEN: Virtual currency reporting requirements

Security Audits

View our latest security and smart contract audit reports:

Reporting Security Issues

Found a vulnerability in ClawPay or our MCP server? Please report it responsibly:

Email: [email protected]
PGP Key: Download public key
Bug Bounty: Immunefi program - Up to $250,000 for critical smart contract vulnerabilities
On-chain Issues: Solana bug bounty for core protocol issues

Do not disclose security issues publicly until we've had a chance to address them. We aim to respond within 24 hours and patch critical issues within 7 days.

Next Steps

Quickstart Guide - Get your first AI agent connected
MCP Tools Reference - Available banking operations for agents
Agent Examples - Sample OpenClaw agent implementations
On-chain Operations - Understanding Solana transactions

PreviousQuickstart Guide NextCard Management

Last updated 1 hour ago

Good evening

hashtagOverview

hashtagMCP Authentication

hashtagAgent Key Types

hashtagEnvironments

hashtagMCP Server Configuration

hashtagClaude Desktop Configuration

hashtagProgrammatic MCP Connection

hashtagDirect API Authentication

hashtagSecurity Best Practices

hashtag1. Keep Agent Keys Secret

hashtag2. Rotate Agent Keys Regularly

hashtag3. Use Permission Scopes

hashtagAgent Authorization Policies

hashtagTransaction Limits

hashtagMulti-Agent Authorization

hashtagRate Limiting

hashtagOn-Chain Transaction Signatures

hashtagAgent Wallet Configuration

hashtagTransaction Verification

hashtagAgent Session Management

hashtagEncryption & Security

hashtagCompliance & Regulatory

hashtagSecurity Audits

hashtagReporting Security Issues

hashtagNext Steps