🦀 CrabGlamp Docs

Guides

Platform LLM Keys

Create, assign, and manage platform-provided OpenAI API keys with usage-based billing.

Platform LLM Keys

Managed OpenAI API keys. No OpenAI account needed. Billed at 1.5x OpenAI’s cost through your CrabGlamp subscription.

Models

Model
GPT-5.4RecommendedBalance of speed, quality, cost
GPT-5.4 ProPremiumMaximum capability
GPT-4oBudgetLower cost, still capable

Anthropic support is planned.

Creating a key

Dashboard: LLM Keys → Create Key.

Terminal:

crabglamp keys create

One OpenAI project is created per account. All keys share it.

Assigning to agents

A key can be assigned to multiple agents. When assigned, the key is injected into:

  • ~/.openclaw/.env — the API key (e.g., OPENAI_API_KEY=cg-pk-...)
  • ~/.openclaw/openclaw.json — the proxy base URL
crabglamp keys status    # what's assigned to this agent
crabglamp keys refresh   # re-inject after rotation

Rotating

crabglamp keys rotate <name>

New credential created, old one revoked, version bumped. Run crabglamp keys refresh on each agent that uses it.

Usage and billing

Usage is polled from OpenAI and synced to Stripe automatically — per-model, token-level granularity, 1.5x markup applied. View under Dashboard → Billing.

Bring your own key

Platform keys are optional. Set your own key in ~/.openclaw/.env:

OPENAI_API_KEY=sk-your-key-here

Restart the gateway: crabglamp gateway restart. No CrabGlamp billing for your own keys.

GlampHub safety: credentials in ~/.openclaw/.env and ~/.openclaw/openclaw.json are stripped automatically during publish. Keys stored anywhere else (e.g., hardcoded in a script) are only caught by TruffleHog’s heuristic scan — review before publishing.

How platform keys work

Platform keys are virtual tokens (cg-pk-...), not real OpenAI keys. They only work through CrabGlamp’s LLM proxy. The proxy validates your token, swaps in the real OpenAI credentials (stored encrypted server-side, never exposed to you), and forwards the request. If you tried to use a cg-pk- token directly against OpenAI, it would be rejected.

Keys are encrypted at rest with AES-256-GCM. Dashboard uses Clerk auth, terminal CLI uses HMAC tokens — same API endpoints either way.