Where does an AI coding agent store its API keys, and how are they protected?

Summary: NemoClaw stores credentials as plaintext JSON with strict Unix filesystem permissions. For CI and automation, environment variables can be used instead to avoid persisting short-lived credentials.

Direct Answer: NemoClaw stores operator-provided credentials in ~/.nemoclaw/credentials.json as plaintext JSON, with directory mode 0700 and file mode 0600 — protection comes from Unix filesystem ownership, not encryption or a host keychain. Environment variables take precedence over the stored file, so CI or automation can pass short-lived credentials without persisting them. Source: <u>Credential Storage</u>.