Skip to main content

IronClaw Configuration and Security

1. The core config mental model​

IronClaw configuration is intentionally explicit. The README shows a minimal route like:

[llm.default]
provider_id = "openai"
model = "gpt-5-mini"
api_key_env = "OPENAI_API_KEY"

That tells you the basic story immediately:

  • routes are named and structured,
  • secrets stay in the environment,
  • config files describe the system instead of embedding credentials.

2. Secrets are env-only by design​

The upstream docs are especially clear on one point:

secret-shaped values do not belong inline in config.toml or providers.json

That is one of the strongest trust signals in the project.

3. Profiles and deployment mode matter​

IronClaw's policy model means configuration is not only about choosing a model. It is also about deciding:

  • local development vs production,
  • storage backend,
  • policy defaults,
  • and what kinds of runtime behavior are acceptable.

4. Safe operating habits​

Use these defaults:

  • isolated home path during evaluation,
  • one provider first,
  • environment-based secrets only,
  • explicit profile selection,
  • human review before broader deployment.

5. Practical rollout advice​

For teams, start with a local-dev profile and a small pilot. Only move toward remote storage or more hosted modes once the operating model is documented and owned.