
API Key Security & Data Flow Architecture

How ClawPulsar handles your LLM API keys, relays webhook payloads, and secures the entire data path from external providers to your self-hosted agent.

End-to-End Data Flow
[ External Provider (Stripe, GitHub, etc.) ]
| HTTPS POST + HMAC signature
v
ClawPulsar Relay Edge
Verify signature → Encrypt payload → Queue
| mTLS tunnel (outbound only)
v
Your network (no inbound ports)
[ Relay Client ] → [ OpenClaw Agent ]

API Key Storage Model

When you connect LLM API keys for budget monitoring, ClawPulsar uses a read-only usage model. Your keys are never used to make LLM calls — only to query provider usage and billing endpoints.

  • Encryption at rest — Keys are encrypted with AES-256-GCM before storage. Decryption keys are managed via HSM-backed key management (AWS KMS).
  • Read-only access — ClawPulsar only calls usage/billing APIs. We never send prompts, completions, or any inference requests using your keys.
  • Scoped permissions — We recommend creating dedicated read-only API keys for each provider. Docs for scoping keys: OpenAI (billing:read), Anthropic (usage:read).
  • Automatic rotation — Keys can be rotated at any time. Updating a key in the dashboard takes effect immediately with zero downtime.
  • Deletion — Removing a key purges it from storage immediately. No backups or shadow copies are retained.

Webhook Relay Security

The relay is a forwarding proxy by design. Understanding its security model is critical for trust.

  • HMAC verification — Incoming webhooks are verified against provider signatures (Stripe whsec_, GitHub X-Hub-Signature-256, etc.) before forwarding.
  • Payload encryption — After verification, payloads are encrypted in transit through the mTLS tunnel. Failed deliveries are encrypted at rest during retry (up to 72 hours).
  • No payload inspection — ClawPulsar does not parse, log, or inspect webhook payload contents. Metadata (timestamp, provider, status code) is logged for debugging.
  • Outbound-only tunnel — The relay client initiates all connections outbound. No inbound ports, firewall rules, or DNS changes are needed on your network.
  • Mutual TLS — The tunnel between relay client and ClawPulsar edge uses mutual TLS with per-agent certificates issued at registration.
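
The HMAC verification step from the list above, as an added example (not ClawPulsar's own code): verifiers for GitHub's X-Hub-Signature-256 header and Stripe's Stripe-Signature header, both computed over the exact raw request bytes. The secret, payload, and 300-second replay window are constructed assumptions for illustration.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window for timestamped signatures

def hmac_hex(secret: bytes, message: bytes) -> str:
    return hmac.new(secret, message, hashlib.sha256).hexdigest()

def verify_github(secret: bytes, raw_body: bytes, header: str) -> bool:
    """X-Hub-Signature-256: 'sha256=' + hex HMAC-SHA256 over the raw body."""
    prefix = "sha256="
    if not header or not header.startswith(prefix):
        return False  # missing header or a different algorithm: reject
    expected = hmac_hex(secret, raw_body).encode()
    # compare_digest is constant-time, so mismatches leak no prefix length
    return hmac.compare_digest(expected, header[len(prefix):].encode())

def verify_stripe(secret: bytes, raw_body: bytes, header: str, now=None) -> bool:
    """Stripe-Signature: 't=<unix>,v1=<hex>'; signed message is '<t>.<body>'."""
    timestamp, candidates = None, []
    for part in (header or "").split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    if not timestamp or not (timestamp.isascii() and timestamp.isdigit()):
        return False
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False  # stale or future-dated delivery: treat as a replay
    expected = hmac_hex(secret, timestamp.encode() + b"." + raw_body).encode()
    # Several v1 values may be present while a secret is being rolled
    return any(hmac.compare_digest(expected, c.encode()) for c in candidates)

if __name__ == "__main__":
    secret = b"whsec_constructed_example"            # constructed secret
    body = b'{"id":"evt_constructed","type":"ping"}'  # constructed payload
    t = int(time.time())
    gh = "sha256=" + hmac_hex(secret, body)
    st = f"t={t},v1=" + hmac_hex(secret, str(t).encode() + b"." + body)
    print("github ok:", verify_github(secret, body, gh))
    print("github tampered:", verify_github(secret, body + b" ", gh))
    print("stripe ok:", verify_stripe(secret, body, st))
    print("stripe replayed:", verify_stripe(secret, body, st, now=t + 3600))
```

Both checks need the unmodified request bytes; re-serialising parsed JSON before hashing changes the digest, so the signature will not match.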

Budget Alert Data Flow

Budget monitoring polls LLM provider usage APIs on a schedule and compares against your configured thresholds.

# Budget check flow (every 5 min)
1. Poll provider billing API (read-only key)
2. Compare current spend vs. configured threshold
3. If threshold exceeded → trigger alert (email/SMS/Slack)
4. If hard cap enabled → notify agent to pause LLM calls

Budget data (spend amounts, thresholds, alert history) is stored encrypted and retained for 90 days. You can export or delete budget history at any time from the dashboard.

Zero-Knowledge Relay Design

ClawPulsar is designed so that a full compromise of the relay infrastructure reveals minimal useful data:

  • Webhook payloads are encrypted end-to-end — the relay sees ciphertext only
  • API keys are HSM-encrypted and never exposed to application code at rest
  • Budget amounts are aggregated — individual LLM request data is not stored
  • Tunnel certificates are short-lived (24h) and automatically rotated

Questions about security?

Contact security@clawpulsar.com or join the waitlist for early access.
