When running a fleet of agents, you may need different credentials for different model tiers — separate billing tracking, team vs personal keys, dev vs prod environments, or isolated rate limit pools. The problem: OpenClaw's auth system routes per-provider, not per-model. Every model under a single provider shares the same auth profile rotation.
The fix is surprisingly simple. Create a second provider entry that points to the same API endpoint but only lists the models you want on those credentials. Give it its own auth profile. OpenClaw treats it as a completely separate provider with isolated auth routing.
This gives you clean credential separation with zero cross-contamination. Your primary models use one set of credentials, fleet or batch models use another. No risk of one workload's rate limits affecting the other.
Separate provider entries are the workaround for per-model auth isolation. Same API, different credentials, cleanly separated by design.
The Problem
You want different credentials for different model tiers. Maybe you need separate billing tracking for your heavy reasoning model vs your lightweight fleet models. Maybe your team has separate API keys for different workloads. But OpenClaw's auth.order is per-provider — all models under one provider share the same credential rotation.
If you add a second set of credentials to the same provider's auth order, it becomes a failover for ALL models on that provider. That's not what you want when you need clean isolation.
The Solution
Create a separate provider entry in your openclaw.json. This example shows isolating Sonnet and Haiku onto separate credentials:
{
"models": {
"providers": {
"anthropic-fleet": {
"baseUrl": "https://api.anthropic.com",
"api": "anthropic-messages",
"models": [
{
"id": "claude-sonnet-4-5-20250929",
"name": "Claude Sonnet 4.5 (Fleet)",
"reasoning": false,
"input": ["text", "image"],
"cost": { "input": 3, "output": 15, "cacheRead": 0.3, "cacheWrite": 3.75 },
"contextWindow": 200000,
"maxTokens": 8192
},
{
"id": "claude-haiku-4-5-20251001",
"name": "Claude Haiku 4.5 (Fleet)",
"reasoning": false,
"input": ["text", "image"],
"cost": { "input": 1, "output": 5, "cacheRead": 0.1, "cacheWrite": 1.25 },
"contextWindow": 200000,
"maxTokens": 8192
}
]
}
}
}
}Auth Setup
Add the credentials for your second provider to auth-profiles.json:
{
"anthropic-fleet:default": {
"type": "token",
"provider": "anthropic-fleet",
"token": "sk-ant-oat01-YOUR-FLEET-TOKEN"
}
}Then wire up the config metadata and auth order:
{
"auth": {
"profiles": {
"anthropic-fleet:default": {
"provider": "anthropic-fleet",
"mode": "oauth"
}
},
"order": {
"anthropic": ["anthropic:oauth", "anthropic:default"],
"anthropic-fleet": ["anthropic-fleet:default"]
}
}
}Each provider has its own auth order. No cross-contamination.
Model Aliases
Make it easy to reference with aliases:
{
"agents": {
"defaults": {
"models": {
"anthropic-fleet/claude-sonnet-4-5-20250929": { "alias": "fleet-sonnet" },
"anthropic-fleet/claude-haiku-4-5-20251001": { "alias": "fleet-haiku" }
}
}
}
}Now in cron jobs or sub-agent spawns, just use fleet-sonnet or fleet-haiku and they'll automatically route through the isolated credentials.
Usage Examples
In cron jobs:
{ "model": "anthropic-fleet/claude-sonnet-4-5-20250929" }With aliases:
{ "model": "fleet-sonnet" }In sub-agent spawns:
sessions_spawn({ task: '...', model: 'fleet-haiku' })Common Use Cases
- Billing isolation — Track costs separately for different workloads
- Team access — Different team members' API keys for different model tiers
- Rate limit separation — Heavy batch jobs don't compete with interactive use
- Dev vs prod — Test credentials for development, production keys for live agents
Gotchas
- Use the right provider prefix —
anthropic-fleet/claude-sonnet-*routes through fleet credentials,anthropic/claude-sonnet-*still hits primary - Auth profiles are per-agent — each agent needs the profile in its own
auth-profiles.json - Provider name is arbitrary —
anthropic-fleetcan be anything, just keep it consistent across config, profiles, and auth order - Token lifecycle — if one provider's token expires, only those models are affected
This pattern works for any provider — Anthropic, OpenAI, Google, or any API where you need credential-level isolation between model tiers.