Credentials
Note on runtime references (2026-05-20): Some sections below reference OpenClaw config paths (e.g., .openclaw/...) and Pi-E token-sync mechanics that pre-date the 2026-05-20 OpenClaw retirement. The credential entries themselves (Bitwarden names, admin accounts, rotation cadence) remain accurate; OpenClaw paths should be read as historical artifacts — current agents Pi-E and Volt-E (and iBuild-E on launchd) run on agent-runner and use the token paths documented in agent-token-sync.md; Review-E now runs in the GCP k3s cluster (rig-agent-runtime) with a cluster-managed credential.
Credential inventory with Bitwarden entry names. NEVER store actual secrets in this file.
Admin Accounts
| Account |
Purpose |
| invotekas@gmail.com |
Invotek admin — Cloudflare login, Tailscale login, Cloudflare Access |
| codiedev42@gmail.com |
Dev/project — Bitwarden, Xcode Cloud notifications, Google Drive |
| post@stigjohnny.no |
Personal — vCluster Platform access |
Bitwarden Configuration
| Setting |
Value |
| Server |
vault.bitwarden.eu (EU) |
| Email |
codiedev42@gmail.com |
| Unlock |
See memory MCP (get_context(project: "global", key: "bitwarden_unlock")) |
Credential Inventory
GitHub
| Bitwarden Entry |
Purpose |
Used By |
Expiry |
| GitHub PAT (Claude) |
Legacy PAT — EXPIRED |
Was used by Docker runners |
Expired |
| GitHub OAuth Token |
OAuth token for gh CLI |
Docker runners (.env as GITHUB_TOKEN) |
— |
| RELEASE_PAT |
Review-E PAT for release PR auto-approval |
dashecorp dashe-* + dashe-cutie (via OpenTofu in dashecorp/infra) |
2026-05-30 (EXPIRED — rotation pending, #23) |
codi-e-bot App PEM (ORCHESTRATOR_BOT_PEM) |
Read-only GitHub App (ID 4127706, @dashecorp) for orchestrator cross-org reads; replaced the expired GH_PAT |
claude-3 monitor-infra.yml + build-unified-docs.yml (mint per-org tokens via actions/create-github-app-token) |
App key (no expiry) — must be PKCS#8 (#765) |
GitHub App PEMs: Stored locally on each agent host, not in Bitwarden. See .claude/skills/github-apps/SKILL.md for paths. Exception: the codi-e-bot App PEM is also held as the ORCHESTRATOR_BOT_PEM repo secret on Stig-Johnny/claude-3 (Bitwarden entry codi-e-bot); actions/create-github-app-token requires it in PKCS#8, so convert PKCS#1 keys before upload — runbook docs/runbooks/ops-e-reset-orchestrator-bot-pem.md.
Apple / App Store Connect
| Bitwarden Entry |
Purpose |
Used By |
| App Store Connect API Key |
ASC API (issuer ID, key ID, private key) |
appstoreconnect-mcp |
| Apple ID (u7232055051@gmail.com) |
ASC portal login, Xcode signing |
Browser automation |
Cloud Services
| Bitwarden Entry |
Purpose |
Used By |
| Cloudflare API Token |
Cloudflare API access |
cloudflare MCP, GitHub Actions |
| OpenAI API Key (Claude) |
DALL-E image generation, Nutri-E workers |
Blog images, Nutri-E |
| Google Service Account Key |
Play Store deployment |
dashe-reward-e Android |
Cloudflare account facts (non-secret): account ID 59710bf016d417f860051f1f00b00258 (dashboard identifier). The local wrangler OAuth token lives at ~/.config/.wrangler/config/default.toml on the operator machine (not in Bitwarden); the Cloudflare API Token above is what the cloudflare MCP + CI use.
Messaging / Notifications
| Bitwarden Entry |
Purpose |
Used By |
| Discord Bot Token (Codi-E) |
Codi-E Discord bot |
discord MCP |
| Discord Bot Token (Pi-E) |
Pi-E Discord bot |
Pi-E agent-runner |
| Discord Bot Token (Volt-E) |
Volt-E Discord bot |
Volt-E agent-runner |
| Discord Bot Token (Review-E) |
Review-E Discord bot |
Review-E agent-runner |
| ~~Discord Bot Token (ATL-E)~~ |
~~ATL-E Agent bot~~ — retired 2026-05-20 (ATL-E replaced by rig-conductor + rig-planner) |
— |
| Telegram Bot Token |
Telegram notifications (legacy) |
telegram-notifications-mcp |
| Pushbullet API Key |
SMS forwarding |
pushbullet-sms-mcp |
Revenue / Subscriptions
| Bitwarden Entry |
Purpose |
Used By |
| RevenueCat API Key |
Subscription management |
revenuecat MCP |
GCP
| Resource |
Value |
| Infra Project |
invotek-github-infra |
| Service Account |
github-actions@invotek-github-infra.iam.gserviceaccount.com |
| Auth |
Workload Identity Federation (keyless, no secret needed) |
| Billing Account |
015BBC-422A59-EB7AF4 |
Agent Authentication Methods
All agents share ONE Claude Max subscription: invotekas@gmail.com (max tier).
| Agent |
Claude Auth |
GitHub Auth |
How Token Stays Alive |
| Codi-E / Claude-4/5/6 |
Local Claude Max |
User's gh CLI |
Manual claude auth login |
| Pi-E |
OAuth (invotekas@gmail.com) |
pie-agent-bot GitHub App |
Claude cron job (3-day keepalive) |
| Volt-E |
OAuth (invotekas@gmail.com) |
volt-e-agent-bot GitHub App |
Claude cron job (3-day keepalive) |
| Review-E |
OAuth (invotekas@gmail.com) |
review-e-bot GitHub App |
Cluster-managed (GCP k3s rig-agent-runtime) |
| iBuild-E |
Local Claude Max |
ibuild-e-bot GitHub App |
Local LaunchAgent |
Token Lifecycle
- Primary: Each Pi/VPS remote agent (Pi-E, Volt-E) runs a Claude cron job that keeps the OAuth token alive for 3 days by refreshing it automatically. (Review-E runs in GCP k3s and uses a cluster-managed credential, not this cron path.)
- Bootstrap/Fallback: M4 MacBook pushes tokens via
push-claude-creds.sh (LaunchAgent, every 5 min). Only pushes when local token is newer than remote. Used to bootstrap new agents or recover from expiry.
- Emergency: VNC into agent host, run
claude login to get a fresh token directly.
Token Sync Infrastructure
LaunchAgents on MacBook Air M4:
- com.invotek.push-claude-creds — pushes OAuth to Pi-E only on credential change + 5-min interval (Volt-E disabled — it uses interactive claude login + VNC; Review-E migrated to GCP k3s and is no longer a push target)
- com.invotek.refresh-github-tokens — generates fresh ghs_ GitHub App tokens every 30 min
- ~~ai.invotek.claude3.token-sync — additional token sync~~ (DISABLED 2026-03-26)
- ai.invotek.claude3.heartbeat — heartbeat check
Push targets (from script):
- Pi-E: claude@100.107.48.17 (key: rpi-claude), path: /home/claude/.openclaw/agents/main/agent/auth-profiles.json
- Volt-E: root@100.111.142.118 (key: vps-srv1099021), path: ~/.claude/credentials.json (agent-runner)
- Review-E: migrated to GCP k3s (rig-agent-runtime) — credential is cluster-managed, no longer pushed to Pi4-02
Note: iBuild-E manages its own token via environment variable in ~/.zshrc and ai.invotek.mac-executor.plist LaunchAgent (disabled com.invotek.ibuild-e.token-sync), not through the push script.
Pi-E Token Watchdog: Cron every 5 min, Discord alert 1hr before OAuth expiry.
Rotation Schedule
| Credential |
Rotation |
Next Due |
| RELEASE_PAT |
Manual (Review-E PAT) |
2026-05-30 (EXPIRED — rotation pending, #23) |
| GitHub App tokens |
Auto (1hr lifetime, refreshed every 30min) |
— |
| OAuth tokens |
Auto (refreshed by push script / VNC login) |
— |
| Cloudflare API Token |
Manual |
Check Bitwarden |
| ASC API Key |
Manual |
Check Bitwarden |
Expired / Deprecated
| Entry |
Status |
Notes |
GitHub PAT (Claude) (ghp_*) |
EXPIRED |
Replaced by OAuth + GitHub Apps |
| Telegram Bot Token |
Deprecated |
Discord preferred, Telegram still configured |