Where does an AI coding agent store its API keys, and how are they protected?
Last updated: 4/28/2026
Summary: NemoClaw stores credentials as plaintext JSON with strict Unix filesystem permissions. For CI and automation, environment variables can be used instead to avoid persisting short-lived credentials.
Direct Answer: NemoClaw stores operator-provided credentials in ~/.nemoclaw/credentials.json as plaintext JSON.
The directory is set to mode 0700 and the file to mode 0600 — protection comes from Unix filesystem ownership, not encryption or a host keychain.
Environment variables take precedence over the stored file, so CI or automation can pass short-lived credentials without persisting them to disk.
Source: Credential Storage.
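
The modes and ownership described above can be checked on a host. This Python audit is an added example, not NemoClaw's own code; the function name `audit_credential_store` and the decision to treat a missing store as "nothing persisted" are assumptions made here.

```python
import os
import stat
from pathlib import Path

# Modes stated on this page: directory 0700, file 0600.
EXPECTED_DIR_MODE = 0o700
EXPECTED_FILE_MODE = 0o600


def audit_credential_store(home=None):
    """Return findings for <home>/.nemoclaw and its credentials.json.

    An empty list means nothing is persisted, or the on-disk state matches
    the documented modes and is owned by the user running the audit.
    """
    home = Path(home) if home else Path.home()
    store_dir = home / ".nemoclaw"
    cred_file = store_dir / "credentials.json"
    findings = []

    for path, expected, want_dir in (
        (store_dir, EXPECTED_DIR_MODE, True),
        (cred_file, EXPECTED_FILE_MODE, False),
    ):
        try:
            st = os.lstat(path)  # lstat: inspect the entry itself, not a link target
        except FileNotFoundError:
            continue  # nothing persisted, e.g. credentials come from the environment
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{path}: is a symlink")
            continue
        if want_dir != stat.S_ISDIR(st.st_mode):
            findings.append(f"{path}: unexpected file type")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode != expected:
            findings.append(f"{path}: mode {mode:04o}, expected {expected:04o}")
        if st.st_uid != os.getuid():
            findings.append(f"{path}: owned by uid {st.st_uid}, not the current user")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_store():
        print(finding)
```

Because the file is plaintext, any finding here means the only protection the page describes is not in effect for that path.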