Why Your OpenClaw Agent Needs Separate Accounts (Security Setup)
Your agent doesn't need your passwords. Give it dedicated accounts — separate email, API keys, cloud access. Everything isolated. Everything revocable.
Treat Your Agent Like a New Hire
You wouldn't hand a new employee your personal Gmail password. You'd create them a company account. Your agent is no different.
My agent Arun has arun@[mydomain].com, its own Drive service account, its own API keys. If I need to revoke access, I turn off his credentials — not mine.
What to Create
Here's a typical agent account setup:
- Email: Dedicated address on your domain (or free Gmail for testing)
- Storage: Google Drive service account scoped to one shared folder
- API Keys: Separate keys for each service (OpenAI, Anthropic, etc.)
- GitHub: Fine-grained PAT scoped to specific repos
- Cloud: IAM roles with minimal permissions
The pattern: isolated and revocable. Your agent gets exactly what it needs, nothing more.
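An added example (not from the original post) of checking the "isolated and revocable" pattern: it compares an agent's environment against the owner's and flags secrets copied from the owner, secrets reused under two agent variables, and classic GitHub PATs (prefix `ghp_`) where a fine-grained PAT (prefix `github_pat_`) is expected. The function name, variable names and sample values are assumptions constructed for illustration.

```python
"""Audit an agent's credentials for isolation from its owner's (constructed sample data)."""
import hashlib


def _fp(secret: str) -> str:
    # Compare by fingerprint so secret values never need to be logged or printed.
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def audit_agent_credentials(owner_env: dict, agent_env: dict) -> list:
    """Return (finding, agent_variable, detail) tuples; an empty list means no issues found."""
    findings = []
    owner_fps = {_fp(v): k for k, v in owner_env.items() if v}
    seen = {}
    for name, value in sorted(agent_env.items()):
        if not value:
            continue
        fp = _fp(value)
        # Not isolated: revoking this credential would cut the owner off too.
        if fp in owner_fps:
            findings.append(("shared-with-owner", name, owner_fps[fp]))
        # Same secret under two agent variables: one revocation hits both uses.
        if fp in seen:
            findings.append(("reused-in-agent", name, seen[fp]))
        else:
            seen[fp] = name
        # Classic GitHub PATs start with "ghp_"; fine-grained PATs start with "github_pat_".
        if value.startswith("ghp_"):
            findings.append(("classic-github-pat", name, "use a fine-grained PAT"))
    return findings


# Constructed sample values, not real credentials.
OWNER_ENV = {"OPENAI_API_KEY": "sk-owner-EXAMPLE-0001", "GITHUB_TOKEN": "ghp_ownerEXAMPLE0001"}
AGENT_ENV = {
    "OPENAI_API_KEY": "sk-owner-EXAMPLE-0001",        # copied from the owner
    "ANTHROPIC_API_KEY": "sk-ant-agent-EXAMPLE-0002",  # dedicated to the agent
    "GITHUB_TOKEN": "ghp_agentEXAMPLE0003",           # dedicated, but a classic PAT
    "BACKUP_GITHUB_TOKEN": "ghp_agentEXAMPLE0003",    # same token under a second name
}

if __name__ == "__main__":
    for kind, name, detail in audit_agent_credentials(OWNER_ENV, AGENT_ENV):
        print(f"{kind:20} {name:22} {detail}")
```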
Why This Matters for Autonomous Agents
Once your agent starts acting autonomously — sending emails, hitting APIs, writing to databases — you need two things:
- A clear paper trail — see exactly what your agent did
- A kill switch — that doesn't kill your access too
Some people go further: creating the agent as a full Google Workspace user with its own login and 2FA. A bit paranoid, but it's clean architecture.
The Bonus: Better Agent Design
Separate accounts force you to think about permissions explicitly. Read-only here? Write access there? Can it send emails or just draft them?
Fewer permissions = less surface area for mistakes. An agent that can only draft emails gives you a chance to review before anything goes out.
Start Simple
Even a Gmail account and a separate API key are enough to start. Build good habits now — scale complexity as your agent grows.
Your future self — the one debugging why an agent sent weird emails from your personal account at 3 AM — will thank you.