clawkeyVerifiable human ownership for OpenClaw agents. Register your agent under your human owner via VeryAI palm verification.
Register your agent under your human owner powered by VeryAI palm verification. The agent starts registration with a signed challenge showing it controls its key; the human opens a URL and completes VeryAI's palm verification. Once the human finishes, the agent is registered under their ownership and can be verified by third parties.
CRITICAL: Never open browsers
>
Do not useopen,xdg-open,start, or any command that opens a browser. Always output the registration URL as a text or markdown link for the user to click.
>
- WRONG: open "https://api.very.org/oauth2/..."
- CORRECT: "Open this link to complete verification: https://api.very.org/oauth2/..."
| File | Purpose |
| ------------ | ----------------------------------------------------------------------------------------- |
| SKILL.md | https://clawkey.ai/skill.md β registration flow, challenge generation, verification, API |
| HEARTBEAT.md | https://clawkey.ai/heartbeat.md β periodic checklist: registration status, etc |
| Identity | ~/.openclaw/identity/device.json β OpenClaw deviceId and keys (do not send private key) |
publicKey, message, and signature.The AgentChallenge is a signed payload that shows you control an Ed25519 key. It has the shape used by standard OpenClaw identity flows: deviceId, publicKey, message, signature, timestamp. Generate it once and send it to /agent/register/init or /agent/verify/signature.
If you run on OpenClaw, device identity is stored at:
~/.openclaw/identity/device.jsonThat file contains (never send privateKeyPem to any server):
| Field | Use |
| --------------- | ------------------------------------------------------------------------ |
| deviceId | Use as deviceId in the challenge. Stable id for this agent/device. |
| publicKeyPem | Use to derive publicKey (see below). |
| privateKeyPem | Use only locally to sign the message. Never include in API requests. |
If you donβt use OpenClaw, use your own identity store; ensure you have a stable deviceId, an Ed25519 key pair, and that you sign the exact string you send as message.
For registration, use a one-time challenge to avoid replay, e.g.:
clawkey-register- Example: clawkey-register-1738500000000
For verify/signature, the message is whatever you are proving (e.g. a nonce from a third party).
message (no extra prefix/suffix).Date.now()).deviceId β from your identity (e.g. device.json)publicKey β base64 DER SPKImessage β exact string that was signedsignature β base64 signaturetimestamp β number (ms)const crypto = require("crypto");
const fs = require("fs");
const identityPath = `${process.env.HOME}/.openclaw/identity/device.json`;
const identity = JSON.parse(fs.readFileSync(identityPath, "utf8"));
const message = `clawkey-register-${Date.now()}`;
const privateKey = crypto.createPrivateKey(identity.privateKeyPem);
const signature = crypto.sign(null, Buffer.from(message, "utf8"), privateKey);
const publicKeyDer = crypto
.createPublicKey(identity.publicKeyPem)
.export({ type: "spki", format: "der" });
const challenge = {
deviceId: identity.deviceId,
publicKey: publicKeyDer.toString("base64"),
message,
signature: signature.toString("base64"),
timestamp: Date.now(),
};
// POST challenge to https://api.clawkey.ai/v1/agent/register/initIf you have a script that already produces an AgentChallenge (e.g. signs a message and outputs JSON with deviceId, publicKey, message, signature, timestamp), you can reuse it for ClawKey:
clawkey-register-$(date +%s)000 (seconds + "000" for ms) or use your scriptβs convention.https://api.clawkey.ai/v1/agent/register/init.Same challenge format works for POST /agent/verify/signature when verifying a signature remotely.
Build an AgentChallenge as above, then send it to ClawKey to create a session and get a registration URL.
curl -X POST https://api.clawkey.ai/v1/agent/register/init \
-H "Content-Type: application/json" \
-d '{
"deviceId": "my-agent-device-id",
"publicKey": "<base64-DER-SPKI-Ed25519>",
"message": "clawkey-register-1738500000000",
"signature": "<base64-Ed25519-signature>",
"timestamp": 1738500000000
}'Response (201):
sessionId β use to poll statusregistrationUrl β output this as a link for the human; do not open it in a browserexpiresAt β session expiry (ISO 8601)If the agent is already registered (deviceId exists), the API returns 409 Conflict.
Tell the human owner to open the registrationUrl in their browser. They will go through VeryAI's palm verification via OAuth. When they finish, the agent is registered under their ownership.
Poll until the human has completed or the session has expired:
curl "https://api.clawkey.ai/v1/agent/register/SESSION_ID/status"Response: status is one of pending | completed | expired | failed. When status is completed, the response includes deviceId and registration (e.g. publicKey, registeredAt).
curl -X POST https://api.clawkey.ai/v1/agent/verify/signature \
-H "Content-Type: application/json" \
-d '{
"deviceId": "...",
"publicKey": "...",
"message": "...",
"signature": "...",
"timestamp": 1738500000000
}'Response: verified (signature valid), registered (agent under verified human).
curl "https://api.clawkey.ai/v1/agent/verify/device/DEVICE_ID"Response: registered, verified, and optionally registeredAt.
Base URL: https://api.clawkey.ai/v1
Local: http://localhost:3000/v1
| Method | Endpoint | Auth | Description |
| ------ | ------------------------------------ | ---- | -------------------------------------------------------------------------------- |
| POST | /agent/register/init | None | Start registration session; returns sessionId, registrationUrl, expiresAt. |
| GET | /agent/register/{sessionId}/status | None | Poll registration status: pending / completed / expired / failed. |
| POST | /agent/verify/signature | None | Verify a signature and whether the agent is registered under a verified human. |
| GET | /agent/verify/device/{deviceId} | None | Get agent registration and verification status by device id. |
AgentChallenge (used in register/init and verify/signature):
| Field | Type | Required | Description |
| --------- | ------ | -------- | -------------------------------------------------------- |
| deviceId | string | yes | Key/device id (e.g. public key hash or app id). |
| publicKey | string | yes | Ed25519 public key, base64 DER SPKI. |
| message | string | yes | Exact message that was signed (e.g. challenge or nonce). |
| signature | string | yes | Ed25519 signature over message, base64. |
| timestamp | int64 | yes | Unix timestamp (ms) when the challenge was created. |
Register init response (201):
{
"sessionId": "uuid",
"registrationUrl": "https://clawkey.ai/register/...",
"expiresAt": "2026-02-02T12:00:00Z"
}Register status response (200):
{
"status": "completed",
"deviceId": "my-agent-device-id",
"registration": {
"publicKey": "...",
"registeredAt": "2026-02-02T12:00:00Z"
}
}Verify signature response (200):
{
"verified": true,
"registered": true
}Device status response (200):
{
"registered": true,
"verified": true,
"registeredAt": "2026-02-02T12:00:00Z"
}Error (4xx/5xx):
{
"error": "Human-readable message",
"code": "optional_code",
"details": {}
}| Code | Meaning |
| ---- | ---------------------------------------------------- |
| 400 | Bad request (invalid or missing fields). |
| 404 | Session or device not found. |
| 409 | Agent already registered (device_id already exists). |
| 500 | Server error. |
After registration and VeryAI verification:
/agent/verify/signature or /agent/verify/device/{deviceId} to confirm an agent is registered and verified.Generated Mar 1, 2026
Financial institutions can use ClawKey to register AI agents that handle sensitive transactions, ensuring each agent is verifiably owned by an authorized human employee. This prevents unauthorized AI operations and meets compliance requirements for accountability in automated financial systems, providing an audit trail for regulatory oversight.
Healthcare providers deploy AI agents for patient data analysis and administrative tasks, with ClawKey verifying that each agent is owned by a licensed medical professional. This ensures data privacy under HIPAA by linking AI actions to human responsibility, reducing risks of misuse in handling confidential health records.
Research organizations use ClawKey to register AI agents conducting experiments or data collection, tying each agent to a specific researcher for accountability. This allows verification of ownership in collaborative projects, ensuring proper attribution and compliance with ethical guidelines in scientific work.
Law firms and legal departments employ ClawKey to register AI agents that draft documents or analyze cases, verifying human ownership to maintain ethical standards. This helps meet legal industry regulations by ensuring AI outputs are supervised by qualified professionals, mitigating liability risks.
E-commerce platforms integrate ClawKey to register AI agents handling customer inquiries or fraud detection, linking each agent to a human manager. This enhances trust by verifying that automated interactions are owned by authorized staff, improving security and customer satisfaction in online transactions.
ClawKey charges organizations a monthly or annual fee per registered AI agent for ongoing ownership verification and API access. This model provides recurring revenue from enterprises needing continuous compliance, with tiered pricing based on verification frequency or additional features like audit logs.
Users pay a small fee each time they initiate a new registration or verification request through ClawKey's API. This suits businesses with sporadic AI agent deployments, offering flexibility and scalability without long-term commitments, and can be integrated into larger platform ecosystems.
ClawKey offers custom enterprise licenses for large organizations requiring bulk agent registrations, dedicated support, and integration with existing identity management systems. This model generates high-value contracts through tailored solutions, including on-premise deployments or enhanced security features.
π¬ Integration Tip
Ensure your identity store supports Ed25519 key pairs and stable device IDs; test the challenge generation locally before API integration to avoid registration failures.
Transform AI agents from task-followers into proactive partners that anticipate needs and continuously improve. Now with WAL Protocol, Working Buffer, Autonomous Crons, and battle-tested patterns. Part of the Hal Stack π¦
Use the ClawdHub CLI to search, install, update, and publish agent skills from clawdhub.com. Use when you need to fetch new skills on the fly, sync installed skills to latest or a specific version, or publish new/updated skill folders with the npm-installed clawdhub CLI.
Clawdbot documentation expert with decision tree navigation, search scripts, doc fetching, version tracking, and config snippets for all Clawdbot features
Interact with Moltbook social network for AI agents. Post, reply, browse, and analyze engagement. Use when the user wants to engage with Moltbook, check their feed, reply to posts, or track their activity on the agent social network.
OpenClaw CLI wrapper β gateway, channels, models, agents, nodes, browser, memory, security, automation.
MoltGuard β runtime security plugin for OpenClaw agents by OpenGuardrails. Helps users install, register, activate, and check the status of MoltGuard. Use wh...