This is a production-ready Paperclip company template that uses the SupraWall plugin to secure all external API keys and credentials.
Zero hardcoded credentials exist in this repository.
Instead of storing long-lived OpenAI, GitHub, or Stripe keys in a .env file where any agent can access them, this template delegates credential management to the SupraWall Vault engine.
- An agent starts a task.
- The agent asks SupraWall for permission to use a tool (e.g., "Twitter").
- SupraWall verifies the agent's role (e.g., marketing).
- SupraWall intercepts the HTTP request, injects the real Twitter API key at the network layer, and returns the response to the agent.
- The agent never sees the raw API key, preventing credential theft via prompt injection.
First, install the SupraWall Vault plugin:
```bash
paperclipai plugin install suprawall-vault
```

This will guide you through creating a free SupraWall dashboard account and will automatically generate your temporary API keys.
Copy the example environment file:
```bash
cp .env.example .env
```

Add the SUPRAWALL_API_KEY you received during the plugin installation.
This template comes with four preconfigured agents. Hire them via the CLI:
```bash
paperclipai hire agents/ceo.json
paperclipai hire agents/marketing.json
paperclipai hire agents/engineering.json
paperclipai hire agents/finance.json
```

The SupraWall engine automatically maps the following default permissions based on the agent's role property:
| Agent Role | Granted Scopes |
|---|---|
| ceo | read:all |
| marketing | linkedin, twitter, google_ads |
| engineering | github, supabase, vercel |
| finance | stripe |
If a marketing agent tries to use the stripe tool, the SupraWall API will automatically block the request and log an audit event in your dashboard.
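
A local check that the `.env` created above holds no provider credential besides `SUPRAWALL_API_KEY`. This is an added example, not part of the template or the SupraWall plugin. The function names `audit_env` and `sample_env`, the variable-name patterns, and the value prefixes (OpenAI `sk-`, Stripe `sk_live_`/`sk_test_`/`rk_live_`, GitHub `ghp_`/`github_pat_`) are assumptions chosen for illustration and work as heuristics only.

```shell
#!/bin/sh
# Added example (not the template's own code): audit .env text so that
# SUPRAWALL_API_KEY is the only credential it carries.
# Usage: audit_env < .env || echo "move the listed keys into the vault"

ALLOWED_VAR="SUPRAWALL_API_KEY"   # the only key the template asks you to add

# Reads .env text on stdin and prints each offending variable name.
# Returns 0 when clean, 1 when at least one finding was printed.
audit_env() {
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac    # blank line or comment
        line="${line#export }"
        name="${line%%=*}"
        [ "$name" = "$line" ] && continue             # no '=': not an assignment
        # Drop optional quotes around the value.
        value=$(printf '%s' "${line#*=}" | tr -d "\"'")
        [ "$name" = "$ALLOWED_VAR" ] && continue
        [ -z "$value" ] && continue                   # empty placeholder is fine
        hit=no
        case "$name" in                               # heuristic: credential-like name
            *KEY*|*TOKEN*|*SECRET*|*PASSWORD*) hit=yes ;;
        esac
        case "$value" in                              # heuristic: known key prefixes
            sk-*|sk_live_*|sk_test_*|rk_live_*|ghp_*|github_pat_*) hit=yes ;;
        esac
        if [ "$hit" = yes ]; then
            echo "$name"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample input; every value is a placeholder, not a real key.
sample_env() {
    cat <<'EOF'
# constructed example
SUPRAWALL_API_KEY=CONSTRUCTED_PLACEHOLDER
OPENAI_API_KEY=
export BILLING="sk_live_CONSTRUCTED"
GH=ghp_CONSTRUCTED
LOG_LEVEL=debug
EOF
}

sample_env | audit_env || true   # lists the two offending variables
```

Run as `audit_env < .env` in a pre-commit hook or CI step so a provider key pasted into `.env` is caught before it reaches an agent's environment.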