by terryops 140 days ago
Good question. Security was definitely top of mind when setting this up.

For Stripe, I use a restricted API key with read-only access to subscriptions/invoices, plus limited write permissions (e.g., creating coupons). No refund capability—that stays manual.

For Gmail/outbound actions, everything goes through human-in-the-loop. The bot drafts responses and queues them for one-click approval. Nothing leaves the system without explicit confirmation.

OpenClaw logs every tool call with full context, so auditing is built-in. The general principle: read access is generous, write access is tight and gated.

It's less "keys to the kingdom" and more "keys to the lobby with a security desk."
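The three controls the comment describes (generous reads, allowlisted and default-deny writes, outbound actions parked in an approval queue, and every call audited) can be expressed as a small policy gate in front of an agent's tool calls. The Python below is an added illustration, not OpenClaw's code or the commenter's actual setup; the tool names such as `stripe.refund` and `gmail.send`, the in-memory handlers and the `approver` field are constructed stand-ins for whatever a real framework exposes.

```python
"""Tool-call gate: generous reads, tight and gated writes, everything audited.

Constructed example. Tool names and handlers are hypothetical stand-ins, not
OpenClaw, Stripe or Gmail identifiers.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Any, Callable


class Access(Enum):
    READ = "read"          # executes immediately (still logged)
    WRITE = "write"        # executes only because it is explicitly allowlisted
    OUTBOUND = "outbound"  # queued for one-click human approval, never auto-sent
    DENIED = "denied"      # refused outright (refunds stay manual)


# Policy table (constructed). Any tool not listed here is DENIED by default.
POLICY: dict[str, Access] = {
    "stripe.list_subscriptions": Access.READ,
    "stripe.list_invoices": Access.READ,
    "stripe.create_coupon": Access.WRITE,
    "stripe.refund": Access.DENIED,
    "gmail.draft_reply": Access.READ,  # drafting is local; nothing leaves
    "gmail.send": Access.OUTBOUND,
}


@dataclass
class AuditEntry:
    when: str
    tool: str
    args: dict[str, Any]
    decision: str
    note: str = ""


@dataclass
class ToolGate:
    handlers: dict[str, Callable[..., Any]]
    audit: list[AuditEntry] = field(default_factory=list)
    pending: dict[int, tuple[str, dict[str, Any]]] = field(default_factory=dict)
    next_id: int = 0

    def _log(self, tool: str, args: dict[str, Any], decision: str, note: str = "") -> None:
        # Full context of every call, including the ones that were refused.
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEntry(stamp, tool, dict(args), decision, note))

    def call(self, tool: str, **args: Any) -> Any:
        access = POLICY.get(tool, Access.DENIED)
        if access is Access.DENIED:
            self._log(tool, args, "denied", "not in policy or explicitly denied")
            raise PermissionError(f"{tool} is not permitted for the agent")
        if access is Access.OUTBOUND:
            self.next_id += 1
            self.pending[self.next_id] = (tool, args)
            self._log(tool, args, "queued", f"approval id {self.next_id}")
            return {"status": "pending_approval", "id": self.next_id}
        result = self.handlers[tool](**args)  # READ or allowlisted WRITE
        self._log(tool, args, "executed", access.value)
        return result

    def approve(self, approval_id: int, approver: str) -> Any:
        tool, args = self.pending.pop(approval_id)
        result = self.handlers[tool](**args)
        self._log(tool, args, "executed", f"approved by {approver}")
        return result

    def reject(self, approval_id: int, approver: str) -> None:
        tool, args = self.pending.pop(approval_id)
        self._log(tool, args, "rejected", f"rejected by {approver}")


def build_demo_gate() -> tuple[ToolGate, dict[str, list]]:
    """In-memory stand-ins for the billing and mail backends (constructed)."""
    state: dict[str, list] = {"invoices": [{"id": "in_demo_1", "amount": 4200}],
                              "coupons": [], "outbox": []}

    def create_coupon(percent_off: int) -> dict[str, int]:
        state["coupons"].append(percent_off)
        return {"percent_off": percent_off}

    def send(to: str, body: str) -> dict[str, str]:
        state["outbox"].append((to, body))
        return {"sent_to": to}

    handlers: dict[str, Callable[..., Any]] = {
        "stripe.list_subscriptions": lambda: [],
        "stripe.list_invoices": lambda: list(state["invoices"]),
        "stripe.create_coupon": create_coupon,
        "stripe.refund": lambda invoice_id: state["invoices"].clear(),  # unreachable via gate
        "gmail.draft_reply": lambda to, body: {"to": to, "draft": body},
        "gmail.send": send,
    }
    return ToolGate(handlers), state


def run_scenario() -> dict[str, Any]:
    """Walk one support interaction through the gate and report what happened."""
    gate, state = build_demo_gate()
    invoices = gate.call("stripe.list_invoices")
    gate.call("stripe.create_coupon", percent_off=10)
    try:
        gate.call("stripe.refund", invoice_id="in_demo_1")
        refund_blocked = False
    except PermissionError:
        refund_blocked = True
    draft = gate.call("gmail.draft_reply", to="customer@example.com", body="Coupon: 10% off")
    queued = gate.call("gmail.send", to=draft["to"], body=draft["draft"])
    sent_before_approval = len(state["outbox"])
    gate.approve(queued["id"], approver="human-reviewer")
    return {
        "invoices": len(invoices),
        "refund_blocked": refund_blocked,
        "sent_before_approval": sent_before_approval,
        "sent_after_approval": len(state["outbox"]),
        "decisions": [e.decision for e in gate.audit],
    }


if __name__ == "__main__":
    for entry in run_scenario()["decisions"]:
        print(entry)
```

The default-deny lookup (`POLICY.get(tool, Access.DENIED)`) is the part worth copying: a new tool the agent learns about gets no access until someone adds it to the table, and the audit log records the refusal so the gap is visible rather than silent.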