Your key is correct. Your config looks right. But the agent won't respond. Here are the five causes in order of likelihood, starting with the one you probably haven't checked.
A user posted to r/OpenClaw at 2 AM: "My API key is 100% correct. I copied it directly. I've restarted the gateway three times. The agent just says 'Error generating response.' What am I doing wrong?"
Fourteen replies. Eight of them were "did you restart the gateway?" (He had. Three times.) Two were "try a different model." One was "reinstall OpenClaw." One was "are you sure the key is right?"
The actual answer was in reply number fourteen: "Do you have billing set up on your Anthropic account? A key without credits is a valid key that can't do anything."
The API key wasn't wrong. The account behind it had no money.
This is the most common pattern with OpenClaw API key errors. The key is technically correct. Something else is broken. Here are the five things to check, ranked by how often they're the actual cause.
Check 1: You're using a subscription token instead of an API key (post-Anthropic ban)
This is the #1 cause since April 4, 2026. Anthropic revoked OAuth for all third-party tools. If your OpenClaw config has a subscription-based OAuth token (the one from your Claude Pro/Max subscription), it no longer works. The token looks valid. It authenticates. But Anthropic's servers reject any request from a third-party application.
How to check: If your Anthropic credential starts with sk-ant- it's likely an API key (correct). If it was generated through a subscription OAuth flow before April 4, it's a subscription token (no longer works).
The fix: Go to console.anthropic.com. Create a new API key. Replace the old credential in your OpenClaw config. Restart the gateway. Anthropic offered a $200 credit to affected users. Check your email for the redemption link.
Since April 4, 2026, the most common "API key not working" error is caused by using a subscription OAuth token instead of an API key. The Anthropic ban affected every Claude-powered OpenClaw agent simultaneously. If your agent stopped working around that date, this is almost certainly the cause. For the complete migration walkthrough, our Anthropic migration guide covers the four paths forward.
Check 2: No billing set up or insufficient credits
What happens: You created an API key. The key is valid. But your account has no payment method or your credits are exhausted. The provider accepts the key, authenticates the request, and then rejects it because there's no money to charge.
How to check by provider:
Anthropic: Go to console.anthropic.com/billing. Is a payment method attached? Do you have remaining credits or an active billing plan?
OpenAI: Go to platform.openai.com/usage. Check your credit balance. Free tier credits expire. New accounts sometimes need to add a payment method before API access works.
DeepSeek: Go to platform.deepseek.com. Check your balance. DeepSeek requires pre-payment (you load credits before using).
The fix: Add a payment method. Load credits. If you're testing and don't want to spend money, use Gemini Flash (1,500 free requests/day, no payment method required). For the complete guide to free and budget model options, our provider guide covers five options under $5/month.
Check 3: The key is in the wrong config field
Here's where most people get it wrong.
OpenClaw stores API keys in multiple possible locations. The .env file. The openclaw.json config. The model provider section. Environment variables set in your shell. If the key is in the wrong location, or if two locations have conflicting values, OpenClaw uses the wrong one.
Common mistakes:
The key is in .env but the openclaw.json model config specifies a different provider field name. The key has the correct value but the environment variable name is wrong (ANTHROPIC_API_KEY vs CLAUDE_API_KEY vs AI_API_KEY). The key is set in a Docker environment variable but the container doesn't have access to it (Docker Compose .env file not mounted).
The fix: Check all three locations (.env, openclaw.json, shell environment). Make sure the key appears in the correct field for your provider. If using Docker, verify the .env file is mounted in your docker-compose.yml. For the OpenClaw troubleshooting guide, our guide covers configuration debugging step by step.
Check 4: Invisible characters in the key (the silent destroyer)
What happens: You copied the API key from your provider's dashboard. But the copy included a trailing space, a newline character, or a zero-width Unicode character. The key looks identical visually. It's actually sk-ant-abc123 (with a space) instead of sk-ant-abc123 (without).
How to check: Open your .env file in a text editor that shows whitespace characters. Or run a quick test: pipe the key through a trim command and compare the lengths. If the trimmed version is shorter, invisible characters are the problem.
The fix: Delete the key from your config. Type it manually (don't paste). Or paste it, then delete the last character and retype it to remove any trailing whitespace. Save. Restart the gateway.
If debugging API key placement across .env files, JSON configs, Docker mounts, and invisible characters sounds like more config troubleshooting than you signed up for, BetterClaw handles API key management through a dashboard. Paste your key in a single field. The platform validates it. No .env files. No config priority conflicts. No invisible character problems. Free tier with 1 agent and BYOK. $19/month per agent for Pro (up to 25 agents, each billed at $19/month).
Check 5: Provider outage or rate limit
What happens: Your key is correct, your billing is fine, your config is clean. But the provider is down or rate-limiting your account. This looks identical to an invalid API key from your agent's perspective.
How to check: Visit your provider's status page. Anthropic: status.anthropic.com. OpenAI: status.openai.com. Try the key directly with a curl command bypassing OpenClaw to confirm whether the provider is responding.
The fix: Wait for the outage to resolve. Or configure a fallback model provider so the agent switches automatically when one provider is down. For the security checklist that includes provider redundancy, our checklist covers the seven hardening steps including multi-provider setup.
The pattern behind API key errors
Here's the honest take.
Four of these five causes have nothing to do with the API key itself. Wrong token type (subscription vs API). No billing. Wrong config location. Invisible characters. Provider outage. The key is almost never wrong. Everything around the key is where the failure happens.
This is the same pattern across all OpenClaw troubleshooting. The core functionality (agent intelligence, conversation quality, memory) works well. The infrastructure around it (config files, environment variables, Docker mounts, billing setup, credential management) is where things break.
If you want the API key validated by the platform when you paste it, with clear error messages when billing isn't set up, and zero .env file management, give BetterClaw a try. Free tier with 1 agent and BYOK. $19/month per agent for Pro (up to 25 agents, each billed at $19/month). 60-second deploy. Paste your key. It works. No config file archaeology required.
Frequently Asked Questions
Why is my OpenClaw API key not working?
Five common causes in order of likelihood: using a subscription OAuth token instead of an API key (post-Anthropic ban on April 4, 2026), no billing set up or insufficient credits on your provider account, key in the wrong config field (.env vs openclaw.json vs environment variable), invisible trailing characters (space or newline) in the key, or provider outage/rate limit. Check these in order. The key itself is almost never wrong.
How do I fix the Anthropic API key error after the ban?
Go to console.anthropic.com and create a new API key (separate from your subscription). Replace the old subscription OAuth token in your OpenClaw config with the new API key. Restart the gateway. Check your email for Anthropic's $200 credit offer for affected users. The subscription token will not work again. API keys are the only authentication method for third-party tools going forward.
Where does OpenClaw store API keys?
Three locations with priority order: shell environment variables (highest priority), openclaw.json model config, and .env file (lowest priority). If the same key exists in multiple locations with conflicting values, the highest-priority source wins. This priority conflict is a common source of "key not working" errors. Check all three locations when debugging.
Can I use OpenClaw without paying for an API key?
Yes. Gemini 2.5 Flash offers 1,500 free requests/day with no payment method required. Create a key at ai.google.dev. Qwen3 runs locally via Ollama for free (requires 16GB+ RAM). Both work with OpenClaw. BetterClaw's free tier includes hosting with BYOK. You can run a free model on a free platform.
Does BetterClaw validate API keys before deployment?
Yes. BetterClaw validates the API key when you paste it into the dashboard. If the key is invalid, the format is wrong, or the provider returns an authentication error, the platform tells you immediately with a clear error message. No .env files. No config priority debugging. No invisible character problems. The key either works or the platform tells you exactly why it doesn't.
