TapAuth — OAuth Tokens via OpenClaw Secrets Manager
TapAuth provides OAuth tokens through OpenClaw's exec secrets provider. Tokens are resolved at gateway startup and held in memory — they never appear in shell commands or config files as plaintext.
You must NEVER use tapauth.sh --token directly in shell commands, curl calls, or $(...) substitutions. Tokens are always resolved through the secrets manager. Your job as an agent is to configure the secrets provider, not to fetch tokens yourself.
When a user asks you to do something that needs an OAuth token
Follow these steps in order. Do not skip to step 3. Do not run --token yourself.
1. Create a grant and show the approval URL
Run the script without --token to create a grant. Set TAPAUTH_HOME so the grant cache is stored in a stable location that the exec provider can also find:
TAPAUTH_HOME=/home/node/.tapauth /home/node/.openclaw/skills/tapauth/scripts/tapauth.sh <provider> <scopes>
Example for Google Calendar:
TAPAUTH_HOME=/home/node/.tapauth /home/node/.openclaw/skills/tapauth/scripts/tapauth.sh google calendar.readonly
Output:
Approve access: https://tapauth.ai/approve/abc123
Show this URL to the user. Once they approve, run with --token to get the bearer token.
Show the approval URL to the user and ask them to approve. Wait for them to confirm before proceeding.
That final line is the script's generic output. In OpenClaw, do not run --token yourself — proceed to step 2 and let the secrets manager invoke it.
2. Configure the exec secrets provider in openclaw.json
After the user confirms they approved, edit ~/.openclaw/openclaw.json to add an exec provider under secrets.providers:
{
"secrets": {
"providers": {
"tapauth_google_calendar": {
"source": "exec",
"command": "/home/node/.openclaw/skills/tapauth/scripts/tapauth.sh",
"args": ["--token", "google", "calendar.readonly"],
"passEnv": ["HOME"],
"env": {"TAPAUTH_HOME": "/home/node/.tapauth"},
"jsonOnly": false
}
}
}
}
Key fields:
command: Absolute path toscripts/tapauth.shin this skill directoryargs:["--token", "<provider>", "<scopes>"]— must match the grant you created in step 1jsonOnly: false: The script outputs a raw token string, not JSONpassEnv: Must includeHOMEenv.TAPAUTH_HOME: Must be/home/node/.tapauth— the same path used when creating the grant in step 1
Use the naming convention tapauth_<provider> or tapauth_<provider>_<scope> for the provider key.
3. Reload secrets and confirm
After editing openclaw.json, run:
openclaw secrets reload
This tells the gateway to re-resolve all secret providers. The exec provider runs tapauth.sh --token in the background and stores the result in the in-memory secrets snapshot.
Tell the user the setup is complete. The token is now resolved and will be available at every gateway startup. If the user repeats their request in a new session, the token will already be available.
If you need to verify immediately, run openclaw secrets reload and then retry the user's request through the normal OpenClaw secret path. Do not invoke tapauth.sh --token directly.
Rules
- NEVER run
tapauth.sh --tokendirectly. Do not use it in$(...), do not capture its output, do not pipe it to curl. The secrets manager runs it for you. - NEVER skip the approval step. Always create the grant first (step 1), get user approval, then configure the provider (step 2).
- No API key or credentials needed. TapAuth is zero-config. Do not look for API keys, client secrets, or environment variables.
- Always use absolute paths for the
commandfield in the exec provider config.
Quick Reference — Provider + Scopes
| Provider | Args for exec provider | Scopes Reference |
|---|---|---|
| Google Calendar | ["--token", "google", "calendar.readonly"] | references/google.md |
| Google Drive | ["--token", "google", "drive.readonly"] | references/google.md |
| Google Sheets | ["--token", "google", "spreadsheets.readonly"] | references/google.md |
| Gmail | ["--token", "google", "gmail.send"] | references/gmail.md |
| GitHub | ["--token", "github", "repo"] | references/github.md |
| Vercel | ["--token", "vercel", "deployment"] | references/vercel.md |
| Notion | ["--token", "notion", "read_content"] | references/notion.md |
| Slack | ["--token", "slack", "users:read"] | references/slack.md |
| Asana | ["--token", "asana", "tasks:read"] | references/asana.md |
| Linear | ["--token", "linear", "read"] | references/linear.md |
| Sentry | ["--token", "sentry", "project:read"] | references/sentry.md |
| Discord | ["--token", "discord", "identify"] | references/discord.md |
| Apify | ["--token", "apify", "full_api_access"] | references/apify.md |
Multiple scopes: comma-separate in a single string, e.g. ["--token", "google", "calendar.readonly,drive.readonly"].
Token Lifecycle
- Resolution: Fresh tokens fetched at each gateway startup and
openclaw secrets reload. - Caching:
tapauth.shcaches tokens locally with expiry. Subsequent calls return instantly if valid. - Refresh: Expired tokens are refreshed automatically from the TapAuth API. No user interaction needed.
- Re-approval: If a grant is revoked, delete
~/.tapauth/<provider>-<scopes>.envand re-runscripts/tapauth.shto create a new grant.
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
token refresh failed | Grant revoked or expired | Delete ~/.tapauth/<provider>-<scopes>.env, re-run scripts/tapauth.sh |
| Token works locally but not in OpenClaw | passEnv missing HOME | Add HOME to passEnv array |
command must be absolute path | Relative path in command | Resolve scripts/tapauth.sh to its absolute path |
| Symlink error | Skill installed via symlink | Add allowSymlinkCommand: true and trustedDirs to provider config |
tapauth: timed out | Grant not pre-approved | Run scripts/tapauth.sh <provider> <scopes> without --token first |