---
name: credential-provisioning
description: Step-by-step guide for provisioning all API keys, tokens, and account credentials needed by the LeadsPanther agent organization. Use when setting up new credentials, rotating keys, or onboarding new services. Covers OpenRouter, GitHub, Vercel, Gmail, Google Sheets, Stripe, PayPal, lead enrichment APIs, and social media accounts. Trigger on "provision credentials", "API keys", "set up accounts", "credential setup", "onboard service".
---

# Credential Provisioning Guide

All credentials are stored in:
`C:\Users\Administrator\.openclaw\workspace-orchestrator\ops\credentials\service-credentials.json`

After adding any credential, update the corresponding agent's TOOLS.md to reflect its new status.

---

## TIER 1 — Immediate (This Week)

These unlock Phase 1 revenue. Do these first.

### 1. OpenRouter Credits ($10)

**Why:** Unlocks 1000 req/day free model limit (currently 50/day). Single biggest unlock.
**Who uses it:** All agents
**Time:** 2 minutes

**Steps:**
1. Go to https://openrouter.ai/credits
2. Log in with existing account (the API key is already configured)
3. Add $10 in credits (card or crypto)
4. Done — rate limits upgrade automatically, no config changes needed

**Verify:** Alfred can run `curl -s https://openrouter.ai/api/v1/credits -H "Authorization: Bearer $OPENROUTER_API_KEY"` and confirm `total_credits` shows $10+

---

### 2. GitHub Personal Access Token (PAT)

**Why:** Devin needs to create repos, push code, manage CI/CD
**Who uses it:** Devin (Delivery Ops)
**Time:** 3 minutes

**Steps:**
1. Go to https://github.com/settings/tokens?type=beta (Fine-grained tokens)
2. Click "Generate new token"
3. Name: `openclaw-leadspanther`
4. Expiration: 90 days (set a reminder to rotate)
5. Repository access: "All repositories" (or create a LeadsPanther org first and scope to that)
6. Permissions needed:
   - **Contents:** Read and write
   - **Pull requests:** Read and write
   - **Issues:** Read and write
   - **Actions:** Read and write (for CI/CD)
   - **Metadata:** Read (required)
7. Click "Generate token"
8. Copy the token (starts with `github_pat_`)

**Configure:**
Update `service-credentials.json`:
```json
"github": {
  "personal_access_token": "github_pat_XXXXX"
}
```

**Verify:** `curl -s -H "Authorization: Bearer github_pat_XXXXX" https://api.github.com/user | jq .login`

---

### 3. Gmail App Password

**Why:** Email triggers for workflows, professional outreach, notifications
**Who uses it:** Alfred (notifications), Rick (outreach)
**Time:** 5 minutes

**Steps:**
1. Go to https://myaccount.google.com/security
2. Ensure 2-Factor Authentication is ON (required for app passwords)
3. Go to https://myaccount.google.com/apppasswords
4. Select app: "Mail"
5. Select device: "Other" → name it `OpenClaw`
6. Click "Generate"
7. Copy the 16-character app password (format: `xxxx xxxx xxxx xxxx`)

**Configure:**
Update `service-credentials.json`:
```json
"gmail": {
  "email": "your.email@gmail.com",
  "app_password": "xxxx xxxx xxxx xxxx"
}
```

**Note:** If using a Google Workspace account (e.g. @leadspanther.com), the admin must enable "Less secure app access" or app passwords in the admin console.

---

### 4. Upwork Account

**Why:** Rick's entire Phase 1 revenue channel. Can't search or apply to jobs without it.
**Who uses it:** Rick (Revenue)
**Time:** 10-15 minutes

**Steps:**
1. Go to https://www.upwork.com/signup
2. Sign up as a **Freelancer** (not client)
3. Profile setup:
   - Title: "Lead Generation & CRM Automation Specialist"
   - Skills: Lead Generation, CRM, HubSpot, Data Entry Automation, Web Scraping, Workflow Automation
   - Rate: $75-150/hr (positions you professionally; you'll bid fixed-price anyway)
   - Overview: Focus on outcomes — "I automate lead generation pipelines: finding leads, enriching data, and loading into your CRM. My clients save X hours/week on manual prospecting."
4. Complete identity verification if prompted
5. Connect payment method for receiving funds

**Configure:**
This is a browser-based account, not an API key. Rick accesses it via browser tool.
No entry needed in `service-credentials.json`.

**Note:** Upwork also has an API, but it requires approval and is not needed for Phase 1. Rick uses the browser.

---

### 5. Google Sheets Master Spreadsheet

**Why:** Friedrich needs financial tracking, Rick needs prospect list management
**Who uses it:** Friedrich (Finance), Rick (Revenue)
**Time:** 2 minutes

**Steps:**
1. Go to https://sheets.google.com
2. Create a new spreadsheet named "LeadsPanther Operations"
3. Create tabs: "Finances", "Prospects", "Credentials Log"
4. Copy the spreadsheet ID from the URL: `https://docs.google.com/spreadsheets/d/SPREADSHEET_ID/edit`

**Configure:**
Update `service-credentials.json`:
```json
"google": {
  ...existing fields...,
  "sheets_master_id": "SPREADSHEET_ID"
}
```

**Note:** The Google OAuth credentials already in the config should grant Sheets access via the API. If not, you may need to enable the Google Sheets API at https://console.cloud.google.com/apis/library/sheets.googleapis.com

---

## TIER 2 — Client Delivery (Week 2-4)

These enable the lead gen pipeline Devin is building.

### 6. Apollo.io API Key

**Why:** Email finding, verification, and lead enrichment with phone and company data. Primary enrichment provider.
**Who uses it:** Devin (Delivery Ops), Rick (Revenue), Rene (R&D)
**Time:** 5 minutes
**Cost:** Free = 10,000 credits/mo. Paid from $49/mo.

**Steps:**
1. Go to https://www.apollo.io/sign-up
2. Sign up (use LeadsPanther email if available, otherwise personal)
3. Go to Settings → Integrations → API Keys
4. Generate a new API key

**Configure:**
Add to `service-credentials.json`:
```json
"apollo": {
  "api_key": "YOUR_APOLLO_API_KEY"
}
```

**API usage:**
- People search: `POST https://api.apollo.io/api/v1/mixed_people/search`
- Company search: `POST https://api.apollo.io/api/v1/mixed_companies/search`
- Enrich person: `POST https://api.apollo.io/api/v1/people/match`

---

### 7. SerpAPI Key

**Why:** Google search scraping for finding leads by industry/location
**Who uses it:** Devin (Delivery Ops), Rene (R&D)
**Time:** 2 minutes
**Cost:** Free = 100 searches/mo. Paid from $50/mo.

**Steps:**
1. Go to https://serpapi.com/users/sign_up
2. Sign up
3. Go to https://serpapi.com/manage-api-key
4. Copy API key

**Configure:**
Add to `service-credentials.json`:
```json
"serpapi": {
  "api_key": "YOUR_SERPAPI_KEY"
}
```

**API usage:**
- Google search: `GET https://serpapi.com/search?q=plumbers+in+miami&api_key=KEY`
- Google Maps: `GET https://serpapi.com/search?engine=google_maps&q=agencies+in+denver&api_key=KEY`

---

### 8. Vercel Token

**Why:** Deploy demos, landing pages, client deliverables
**Who uses it:** Devin (Delivery Ops), Daniel (Design)
**Time:** 2 minutes
**Cost:** Free tier (hobby plan)

**Steps:**
1. Go to https://vercel.com/signup (sign up with GitHub for easiest integration)
2. Go to https://vercel.com/account/tokens
3. Create token:
   - Name: `openclaw-deploy`
   - Scope: Full Account
   - Expiration: No expiration (or 1 year)
4. Copy the token

**Configure:**
Update `service-credentials.json`:
```json
"vercel": {
  "token": "YOUR_VERCEL_TOKEN"
}
```

**Verify:** `curl -s -H "Authorization: Bearer YOUR_TOKEN" https://api.vercel.com/v9/projects | jq .projects[].name`

---

### 9. LinkedIn Account

**Why:** Lead sourcing, social selling, company research
**Who uses it:** Rick (Revenue)
**Time:** 10 minutes
**Cost:** Free (LinkedIn Sales Navigator is $99/mo if needed later)

**Steps:**
1. Create or use existing LinkedIn account for LeadsPanther
2. Optimize profile:
   - Headline: "Helping B2B companies automate lead generation"
   - About: Focus on outcomes and automation
3. This is a browser-based account — Rick accesses via browser tool

**Configure:**
No API key needed for Phase 1. Rick uses the browser.
If you later want LinkedIn API access, you'd need to apply via https://developer.linkedin.com/ (approval process takes weeks).

---

## TIER 3 — Product Launch (Month 2)

### 10. Stripe API Key

**Why:** Accept payments from SaaS customers
**Who uses it:** Friedrich (read-only monitoring), Devin (billing integration)
**Time:** 10 minutes
**Cost:** Free (2.9% + $0.30 per transaction)

**Steps:**
1. Go to https://dashboard.stripe.com/register
2. Complete business registration
3. For Friedrich (read-only): Go to https://dashboard.stripe.com/apikeys
   - Click "Create restricted key"
   - Name: `openclaw-readonly`
   - Permissions: All READ, no WRITE
4. For Devin (billing): Use the default secret key (starts with `sk_live_` or `sk_test_`)
5. Start in TEST mode (`sk_test_`) until billing is validated

**Configure:**
Update `service-credentials.json`:
```json
"stripe": {
  "read_only_api_key": "rk_live_XXXXX",
  "secret_key": "sk_test_XXXXX",
  "publishable_key": "pk_test_XXXXX"
}
```

---

### 11. PayPal API Credentials

**Why:** Alternative payment method for clients
**Who uses it:** Friedrich (monitoring), Devin (integration)
**Time:** 10 minutes
**Cost:** Free (2.9% + $0.30 per transaction)

**Steps:**
1. Go to https://developer.paypal.com/
2. Log in with PayPal business account
3. Go to Dashboard → My Apps & Credentials
4. Create a new app:
   - Name: `LeadsPanther`
   - Start with Sandbox, switch to Live when ready
5. Copy Client ID and Secret

**Configure:**
Update `service-credentials.json`:
```json
"paypal": {
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "mode": "sandbox"
}
```

---

### 12. SendGrid API Key

**Why:** Send outreach emails at scale (for clients and for LeadsPanther marketing)
**Who uses it:** Rick (outreach), Devin (email automation in lead gen pipeline)
**Time:** 5 minutes
**Cost:** Free = 100 emails/day. Paid from $20/mo.

**Steps:**
1. Go to https://signup.sendgrid.com/
2. Sign up and verify your email
3. Go to Settings → API Keys
4. Create API key with "Full Access" (or restricted to Mail Send only)
5. Copy the key (starts with `SG.`)

**Configure:**
Add to `service-credentials.json`:
```json
"sendgrid": {
  "api_key": "SG.XXXXX"
}
```

**Important:** Before sending emails, you must:
- Verify your sender domain (DNS records)
- Set up SPF, DKIM, and DMARC
- This prevents emails from going to spam

---

### 13. Google Search Console

**Why:** Track SEO indexing of content pages Rick and Rene produce
**Who uses it:** Rick (Revenue), Rene (R&D)
**Time:** 5 minutes
**Cost:** Free

**Steps:**
1. Go to https://search.google.com/search-console
2. Add property → enter `leadspanther.com` (or whatever domain you use)
3. Verify ownership via DNS TXT record or HTML file
4. Access is via browser — no API key needed for basic use
5. For API access, enable Search Console API at https://console.cloud.google.com/apis/library/searchconsole.googleapis.com (uses existing Google OAuth)

---

### 14. Google Analytics

**Why:** Website traffic tracking for landing page conversion optimization
**Who uses it:** Rick (Revenue), Friedrich (Finance)
**Time:** 5 minutes
**Cost:** Free

**Steps:**
1. Go to https://analytics.google.com/
2. Create a GA4 property for LeadsPanther
3. Get the Measurement ID (format: `G-XXXXXXXXXX`)
4. Devin adds the tracking snippet to the landing page

**Configure:**
Add to `service-credentials.json`:
```json
"google_analytics": {
  "measurement_id": "G-XXXXXXXXXX"
}
```

---

## TIER 4 — Nice-to-Have

### 15. Image Generation API (Replicate)

**Why:** Daniel can generate brand assets, social graphics, proposal visuals
**Who uses it:** Daniel (Design)
**Cost:** Pay-per-use (~$0.01-0.05 per image)

**Steps:**
1. Go to https://replicate.com/signin
2. Sign up (GitHub login works)
3. Go to https://replicate.com/account/api-tokens
4. Create token

**Configure:**
Add to `service-credentials.json`:
```json
"replicate": {
  "api_token": "r8_XXXXX"
}
```

---

### 16. ScraperAPI (Proxy/Scraping)

**Why:** Web scraping without getting blocked (LinkedIn, directories)
**Who uses it:** Devin (Delivery Ops)
**Cost:** Free = 5,000 API credits. Paid from $49/mo.

**Steps:**
1. Go to https://www.scraperapi.com/signup
2. Sign up
3. Dashboard shows your API key

**Configure:**
Add to `service-credentials.json`:
```json
"scraperapi": {
  "api_key": "YOUR_SCRAPERAPI_KEY"
}
```

---

### 17-19. Social Media Accounts

**Why:** Content marketing presence for LeadsPanther brand
**Who uses it:** Rick (Revenue), Daniel (Design)
**Cost:** Free

These are browser-based accounts. Create them manually:
- X/Twitter: https://twitter.com/signup → handle: @LeadsPanther
- Instagram: https://instagram.com/accounts/emailsignup/ → handle: @leadspanther
- YouTube: Create a brand channel via YouTube Studio

No API keys needed for Phase 1. Rick posts via browser.

---

## After Provisioning

After adding credentials to `service-credentials.json`:

1. **Update TOOLS.md** for each affected agent — change "Needs Provisioning" items to "Available"
2. **Restart the gateway** so agents pick up new configs
3. **Test each credential** using the verify commands listed above
4. **Log the provisioning** in the "Credentials Log" tab of the master Google Sheet

## Credential Rotation Schedule

- **GitHub PAT:** Rotate every 90 days
- **OpenRouter API key:** Rotate if compromised
- **Gmail app password:** Rotate if compromised
- **Stripe keys:** Rotate annually or if compromised
- **All others:** Rotate if compromised or annually as good practice

Set calendar reminders for expiring tokens.