FeaturesHow it worksPricingFAQJoin Waitlist

Documentation

OAuth SDK & Token Management API

Everything you need to add OAuth to your OpenClaw skills — quickstart, provider list, and token management API reference.

SDK Quickstart

The ClawCoil SDK lets skill developers add OAuth to any OpenClaw skill in minutes. No need to build auth flows from scratch.

1. Install the SDK

npm install @clawcoil/sdk

2. Initialize the Client

// skill.ts
import { ClawCoil } from "@clawcoil/sdk";
const coil = new ClawCoil({
skillId: "my-skill",
providers: ["gmail", "github", "slack"],
});

3. Request a Token

// Get a fresh access token — auto-refreshes if expired
const token = await coil.getToken("gmail");
const response = await fetch("https://gmail.googleapis.com/...", {
headers: { Authorization: `Bearer ${token.accessToken}`},
});

The SDK handles token refresh, expiry detection, and re-authentication automatically. Your skill never sees a stale credential.

Supported OAuth Providers

ClawCoil has pre-built connectors for 40+ services. Any service with OAuth 2.0 or API key authentication is supported.

Communication

  • Gmail
  • Slack
  • Discord
  • Microsoft Teams
  • Twilio

Developer Tools

  • GitHub
  • GitLab
  • Bitbucket
  • Jira
  • Linear

Payments

  • Stripe
  • PayPal
  • Square
  • Braintree

Productivity

  • Notion
  • Google Drive
  • Dropbox
  • Airtable
  • Asana

CRM & Marketing

  • HubSpot
  • Salesforce
  • Mailchimp
  • Intercom

Cloud & Infra

  • AWS
  • Google Cloud
  • Cloudflare
  • Vercel

Analytics

  • Google Analytics
  • Mixpanel
  • Amplitude
  • Segment

AI & LLM

  • OpenAI
  • Anthropic
  • Cohere
  • Replicate

Missing a provider? Custom OAuth connectors are available on Enterprise plans, or request one via the dashboard.

Token Management API

Programmatic access to connected accounts, token status, and credential lifecycle.

List Connected Accounts

GET /api/v1/accounts
Authorization: Bearer <api-key>
Response:
[{ "provider": "gmail", "status": "active", "expires_at": "..." },
{ "provider": "github", "status": "active", "expires_at": null }]

Get Token for Provider

POST /api/v1/tokens/:provider
Response:
{
"access_token": "gho_...",
"token_type": "bearer",
"expires_in": 3600,
"scopes": ["repo", "read:user"]
}

Revoke Access

DELETE /api/v1/accounts/:provider
Revokes OAuth grant and deletes all stored tokens immediately.

Token Lifecycle

Token Refresh Flow
[ Skill requests token via SDK ]
|
v
Token valid? → Yes → Return cached token
| No
v
Refresh token with provider
|
v
Store new token (AES-256) → Return to skill
  • Auto-refresh — Tokens are refreshed 5 minutes before expiry to prevent mid-request failures.
  • Encrypted storage — All tokens encrypted at rest with AES-256-GCM. Decryption keys in HSM.
  • Short-lived access — Skills receive short-lived access tokens. Refresh tokens never leave ClawCoil infrastructure.
  • Instant revocation — Revoking a provider disconnects immediately and deletes all stored tokens.

Ready to add OAuth to your skills?

Join the waitlist for early access to the ClawCoil SDK and 40+ pre-built connectors.

Join Waitlist