Lesson: API keys and the OAuth path

You finished lesson 2 with one conversation under your belt. You typed something, an AI replied, you switched the model once just to see what it felt like.

This lesson is about the invisible piece that made all of that possible.

Every message you sent in lesson 2 went to an AI provider, somewhere on the internet, and came back to you. The provider needed two things from you before it would answer. It needed to know you are allowed to use it (authentication). And it needed to know who to bill (accounting). Both of those answers live inside one small piece of text called an API key.

This lesson is about API keys. Where they come from, where they live, what happens if one breaks, and one specific alternative for people who already pay for ChatGPT.

About ten minutes to read, give or take.

An API key is a string of characters the provider gives you so their system can recognize your requests. It looks something like this:

sk-ant-1a2b3c4d5e6f...

You paste it into Clawless once. Clawless tucks it away in your operating system’s secure storage (the same place your other saved passwords live) and uses it on every message you send. The key never appears on screen again once it is saved.

The important mental model is that the key represents your account with the provider, not your account with Clawless. There is no “Clawless account” that holds your usage; you pay the AI provider directly for every message, and Clawless just sits in the middle making the conversation flow nicely.

This is what BYOK means. It stands for “bring your own key,” and it is how Clawless works. You bring your account with Anthropic (or OpenAI, or Google, or Groq, or any other supported provider). They bill you. Clawless does not get in the middle.

There are two reasons this matters in practice. First, whatever the provider offers you, you keep. Some providers run a generous free tier (Google’s Gemini free tier, Groq); others (Anthropic, OpenAI) are pay-as-you-go from the start, sometimes with a small one-time signup credit but no ongoing free allowance. Either way, the provider’s terms are the provider’s terms; Clawless does not change them. Second, when you do pay, you pay the provider their published rates, not a Clawless markup. There is no markup.

The four-step onboarding wizard from your first launch is where you added your first key. After that, the place to manage keys is in Settings.

Open Settings from the gear icon at the bottom of the navigation rail on the far left. The page opens, and on the left there is a sticky list of categories. Click the API Keys section.

You see a row for every supported provider: Anthropic, OpenAI, Google, Groq, Mistral, Cohere, Together, Fireworks, OpenRouter, and a few more. Each row shows whether you have a key set up and whether the key is currently working.

To add a key for a provider you have not connected yet, click that provider’s row. Three things appear: a Get API Key link that takes you straight to the right page on that provider’s site, an input box for the key, and a Save button. You go to the provider’s page, generate a key, copy it, paste it into Clawless, and click Save. Clawless verifies the key in the background; a green check on the row means it works.

To remove a key, click the small trash icon at the end of its row. The key is wiped from your operating system’s secure storage and the provider goes back to inactive.

You can have keys for several providers at once. Most people do not need more than one to start. Adding a second is useful when you want to compare models across providers, or when one provider is having a slow afternoon and you want the option to fall back to another.

The default model rule is worth remembering: when you create a new agent, the agent starts with whichever provider you connected first during onboarding as its default. If you later add a second provider and prefer it, you can change the default agent model in Settings, in the Models section, without re-doing anything else.

The OAuth path: Codex for ChatGPT subscribers

There is one specific path that is different from the standard “paste a key” flow. If you have a paid ChatGPT subscription (Plus or Pro), there is a way to use OpenAI’s models in Clawless without paying per-token on top of what you already pay for ChatGPT.

The path is called Codex, and the way you set it up is by signing in with your ChatGPT account instead of pasting an OpenAI API key. The sign-in is offered during the onboarding wizard’s API Keys step. Click Sign in with ChatGPT, finish the browser sign-in flow in your default browser, and Clawless connects to OpenAI through your subscription rather than through a billed API account.

Three small things change once Codex is set up.

The model picker, in the dock row below the input box, shows an OAuth indicator next to OpenAI models. That is your visual cue that those models are billing through your subscription, not through per-token API charges.

The Usage dashboard, which you reach from the navigation rail on the far left, shows your Codex sessions at $0 (OAuth) instead of a per-message dollar amount. The amount really is zero on the Clawless side; OpenAI bills you on their side through the subscription you already pay.

And the underlying model behavior is the same. The Codex path is a billing arrangement, not a different model. The same GPT family is on the other end of the wire either way.

One thing to know: the OAuth path bills through your ChatGPT subscription, so it is governed by that subscription’s consumer terms rather than the API terms. It is worth reading those terms if your messages are sensitive.

When does this matter? If you are already paying for ChatGPT Plus or Pro every month, signing in for Codex lets you use that subscription inside Clawless and skip the per-token API charges you would otherwise rack up. For people who use OpenAI models heavily, it is the difference between two bills (subscription plus per-token) and one bill (just the subscription).

If you do not have a ChatGPT subscription, ignore Codex entirely. Use a standard OpenAI API key the same way you would use any other provider’s key. The Codex path is only worth it if you already pay for the subscription separately for some other reason.

Sometimes a key you saved this morning stops working this afternoon. There are three common reasons, and the fix is different for each.

Typo on paste. This is the most common one. The provider’s dashboard often shows the key with trailing whitespace, or the key gets truncated by an over-eager copy. Re-copy the key from the provider’s dashboard, paste again, and click Save. If you are not sure whether it was a typo, you can usually tell because the failure happens immediately on save, not later.

Revoked or rotated. You (or your team) may have rotated keys on the provider side, or the provider may have rotated a leaked key on your behalf. The fix is to generate a new key on the provider’s dashboard and paste the new one into Clawless. The old one is simply gone.

Out of credits. Most providers (Anthropic, OpenAI, and others on the pay-as-you-go model) require a positive balance to make calls; one-time signup credit, if there is one, eventually runs out. If your balance hits zero, every call fails with a credit-related error. The fix is to top up on the provider’s site. Clawless will resume sending the moment the next call succeeds.

Whichever of the three it is, the Clawless row for that provider in Settings, API Keys turns red and shows a brief description. Read the description, fix the underlying cause, and the row goes green again.
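The three causes above can be told apart mechanically. The following is an added example, not Clawless code or any provider's API: the function names, the status-code and keyword mapping, and the sample inputs are assumptions made for illustration, and real providers word their errors differently.

```python
import unicodedata

# Keywords that suggest a billing problem; an assumption, since each
# provider words its credit errors differently.
CREDIT_HINTS = ("credit", "quota", "balance", "billing")

def check_pasted_key(raw):
    """Return (cleaned_key, problems) for text pasted into a key field."""
    problems = []
    # Drop invisible format characters (zero-width space, BOM) that copy along.
    visible = "".join(c for c in raw if unicodedata.category(c) != "Cf")
    if visible != raw:
        problems.append("invisible characters removed")
    cleaned = visible.strip()
    if cleaned != visible:
        problems.append("leading/trailing whitespace removed")
    if any(c.isspace() for c in cleaned):
        problems.append("whitespace inside key: re-copy it")
    if cleaned.endswith(("...", "\u2026")):
        problems.append("key is elided: copy the full value, not the preview")
    return cleaned, problems

def triage(failed_on_save, status, message):
    """Map a failed provider call to one of the lesson's three causes."""
    text = message.lower()
    # Billing problems are checked first: they can hit a key that is valid.
    if status == 402 or any(h in text for h in CREDIT_HINTS):
        return "out of credits: top up on the provider's site"
    if status in (401, 403):
        # The lesson's rule of thumb: a typo fails immediately on save,
        # while a revoked key worked earlier and fails later.
        if failed_on_save:
            return "typo on paste: re-copy the key and save again"
        return "revoked or rotated: generate a new key"
    return "not a key problem: retry later"

# Constructed sample inputs, not real keys or real provider responses.
SAMPLES = [
    (True, 401, "invalid api key"),
    (False, 401, "invalid api key"),
    (False, 429, "You exceeded your current quota"),
    (False, 503, "service unavailable"),
]

if __name__ == "__main__":
    print(check_pasted_key("sk-test-abc123 \n"))
    for sample in SAMPLES:
        print(sample, "->", triage(*sample))
```
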

Most lessons later in this track assume you have at least one provider connected. Some practice exercises are easier if you have a second, because you can compare answers across providers without changing your subscription.

To add a second provider:

  1. Open Settings from the gear icon at the bottom of the navigation rail.
  2. Click the API Keys section in the sidebar on the left of the page.
  3. Find the provider you want to add. Click the row.
  4. Click the Get API Key link that opens; that takes you to the provider’s key-creation page.
  5. Generate a key on the provider’s site, copy it, paste it into the Clawless input box, click Save.

The row turns green when Clawless verifies the key. The model picker in the dock row updates the next time you open it; the new provider’s curated models appear under their own header in the dropdown.

You can repeat this for as many providers as you like. Practical advice: do not connect more providers than you actually use. Each connection is one more place to keep keys current and one more potential failure point. Two or three is plenty for most people.

The Get API Key link on each provider row takes you to the same page you would land on if you had gone hunting for it yourself. It is just a convenience, not a special back channel.

Your keys are encrypted using your operating system’s secure storage (the same secure store that holds your other saved passwords; Keychain on macOS and Credential Manager on Windows). Clawless does not store the key in a text file or in a Clawless database. If you uninstall Clawless, the keys go with it.

There is no syncing of keys across machines. If you install Clawless on a second computer, you start fresh on keys. This is intentional; syncing credentials between devices is the kind of thing where a small mistake becomes a big problem, and the right tool for that job is your operating system’s own password sync, not us.

Five things people often notice on the first day around API keys.

  1. You do not have to pay Clawless for AI usage. You pay the provider. The Clawless app itself has its own license; the AI conversations bill through whichever provider’s key you have set up. This catches people who assume there is one combined bill.

  2. Free tiers exist, but vary widely. Google’s Gemini free tier and Groq run a generous free allowance and are good places to experiment without spending. Anthropic and OpenAI are pay-as-you-go on the API side; a small one-time signup credit is sometimes included, but there is no ongoing free tier. If “I want to try without paying anything” is your first goal, Google or Groq is the gentler entry point.

  3. Codex is OpenAI-only. The sign-in-with-ChatGPT path connects to OpenAI’s models. It does not give you free access to Anthropic, Google, or anyone else. Each provider is its own connection.

  4. Removing a key does not delete your conversations. Keys are about authentication going forward. Your past conversations stay in your local conversation history regardless of whether the key that produced them is still saved.

  5. The “green check” is not a quality signal. A green check on a provider row only means the key authenticates and the account is reachable. It does not mean the model is fast today, or that the provider has no rate limits, or that your free credits have not run out. Those are runtime conditions you discover as you go.

  • An API key is your account with the provider, not your account with Clawless. BYOK means you bring your own key, the provider bills you directly, and Clawless takes no markup. The key lives in your operating system’s secure storage after you save it.
  • Keys are managed in Settings, in the API Keys section. That is where you add a new provider, see which keys are working, and remove a key when you stop using a provider.
  • The OAuth path (Codex) is for ChatGPT subscribers using OpenAI models. Sign in with your ChatGPT account instead of pasting an OpenAI API key; the model picker shows an OAuth indicator and the Usage dashboard shows those sessions at $0. No ChatGPT subscription means no Codex; use a regular key instead.
  • When a key stops working, the row turns red and tells you why. Typo, rotated key, and out-of-credits are the three common causes. Fix the underlying cause, and the row goes green again.

In the practice that goes with this lesson, you confirm your existing provider is connected and (optionally) add a second one. About fifteen minutes if you have a key handy from another provider, longer if you have to sign up. Either path lands you ready for the rest of the track.