๐ฆ OpenClaw Gateway โ Config Cheat Sheet
~/.openclaw/openclaw.json ยท Models ยท Agents ยท Skills ยท Nodes ยท Workflows ยท Instances
Config: JSON5
Hot-reload: hybrid
Strict schema โ unknown keys = crash
Port 18789
Golden Rules Before Editing
๐
Always Backup First
cp ~/.openclaw/openclaw.json \
~/.openclaw/openclaw.json.bak
โ Unknown keys or wrong types cause the gateway to refuse to start. Backup before every edit.
โ
Validate After Edit
openclaw doctor openclaw doctor --fix # auto-repair
โนRun after every config change. Shows field path + reason for any validation errors.
โก
Prefer CLI over File Edit
openclaw config get agents.defaults.workspace openclaw config set agents.defaults.heartbeat.every "2h" openclaw config unset tools.web.search.apiKey
๐
Hot Reload Modes
hybrid = default| Mode | Behavior |
|---|---|
hybrid | Hot where possible, restart when needed |
hot | In-place only, keeps connections alive |
restart | Full restart on any change |
off | No auto reload |
โModel changes, channel policies, tool permissions hot-apply. Gateway port, auth mode require restart.
Filesystem Layout
๐
~/.openclaw/ Directory
~/.openclaw/
โโโ openclaw.json # main config (JSON5)
โโโ credentials/ # API keys โ chmod 600
โ โโโ openrouter
โ โโโ anthropic
โ โโโ synthetic
โโโ skills/ # shared skills (all agents)
โ โโโ your-skill/
โ โโโ SKILL.md
โโโ agents/ # per-agent state dirs
โ โโโ <agentId>/
โ โโโ auth-profiles.json
โ โโโ sessions/
โโโ workspace/ # default agent workspace
โโโ AGENTS.md # agent persona/instructions
โโโ SOUL.md # agent identity/personality
โโโ USER.md # user-specific context
โโโ TOOLS.md # tool usage instructions
โโโ HEARTBEAT.md # scheduled tasks checklist
โโโ memory/
โ โโโ 2026-03-07.md
โโโ skills/ # per-agent skills (override shared)
๐
Modular Config with $include
RECOMMENDEDโนSplit a large config into focused files. Gateway deep-merges them. Arrays concatenate, later files win on primitives.
// openclaw.json โ root file { gateway: { port: 18789 }, agents: { $include: "./agents.json5" }, channels: { $include: "./channels/telegram.json5" }, broadcast: { $include: ["./clients/a.json5", "./clients/b.json5"] } }
Max depth
10 levels of nested includes
Circular includes
Detected and rejected with a clear error
Sibling keys
Always override included values
Config path env
OPENCLAW_CONFIG_PATH overrides default locationModels โ Add / Change / Fallback
๐ง
Model Config
primary must not be empty{
agents: {
defaults: {
model: {
// REQUIRED โ gateway won't start without it
primary: "anthropic/claude-sonnet-4-5",
// Fallback chain with exponential backoff
fallbacks: ["openrouter/openrouter/auto", "openai/gpt-4o"],
},
// Model catalog = allowlist for /model command
models: {
"anthropic/claude-sonnet-4-5": { alias: "Sonnet" },
"openrouter/openrouter/auto": { alias: "OR-Auto" },
"ollama/llama3.2": { alias: "Local" },
},
},
},
}
๐กUse
openrouter/openrouter/auto as primary to auto-route simple tasks (heartbeats) to cheap models and complex ones to frontier models โ big cost savings.๐
Custom / Local / Self-hosted Providers
{
models: {
mode: "merge", // merge with built-ins, or "replace"
providers: {
// Ollama (local)
ollama: {
baseUrl: "http://localhost:11434",
apiKey: "ollama-local",
api: "openai-completions",
models: [{
id: "ollama/llama3.2",
contextWindow: 131072,
maxTokens: 8000,
cost: { input:0, output:0, cacheRead:0, cacheWrite:0 }
}]
},
// OpenRouter (cloud proxy)
openrouter: {
baseUrl: "https://openrouter.ai/api/v1",
apiKey: "${OPENROUTER_API_KEY}"
}
}
}
}
โนAny OpenAI-compatible endpoint works โ LM Studio, vLLM, Groq, etc. Set
api: "openai-completions" and the right baseUrl.โ๏ธ
CLI Model Commands
# Switch primary model openclaw config set \ agents.defaults.model.primary \ "anthropic/claude-opus-4" # Add to catalog openclaw config set \ 'agents.defaults.models["openai/gpt-4o"]' \ '{"alias":"GPT4o"}' --json # RPC patch (from any client) openclaw gateway call config.patch \ --params '{"raw":"{agents:{defaults:{model:{primary:\"openai/gpt-4o\"}}}}"}'
๐ณ
Auth Profiles (Keychain)
SecureโStores API keys in system keychain โ NOT in openclaw.json file.
# Recommended: run onboard wizard openclaw onboard # Manual: add auth profile to config // openclaw.json { authProfiles: { openrouter: { provider: "openrouter" } } } # Then store key in keychain openclaw auth set openrouter
๐
Context & Cost Control
{
agents: { defaults: {
contextPruning: {
mode: "cache-ttl" // prune old context
},
heartbeat: {
every: "30m" // "1h" with Anthropic OAuth
}
}}
}
โ No contextPruning = token usage spirals. Add it for any long-running agent.
๐
Model Quick Reference
| Provider prefix | Example ID |
|---|---|
anthropic/ | anthropic/claude-sonnet-4-5 |
openai/ | openai/gpt-4o |
openrouter/ | openrouter/openrouter/auto |
ollama/ | ollama/llama3.2 |
google/ | google/gemini-2.0-flash |
Agents โ Create, Configure, Bind
๐ค
Single Agent (Default)
{
agents: {
defaults: {
workspace: "~/.openclaw/workspace",
model: { primary: "anthropic/claude-sonnet-4-5" },
identity: { name: "My Assistant" },
}
}
}
โนNo
agents.list needed for a single agent. Defaults apply to the implicit main agent.๐ค๐ค
Multi-Agent Setup
Multi-agent{
agents: {
list: [
{
id: "main",
default: true,
workspace: "~/.openclaw/workspace-main",
identity: { name: "Assistant" },
},
{
id: "coder",
workspace: "~/.openclaw/workspace-coder",
model: { primary: "anthropic/claude-opus-4" },
identity: { name: "Code Bot" },
tools: {
allow: ["exec", "read", "write", "browser"],
deny: ["canvas"],
},
},
],
},
bindings: [
{ agentId: "main", match: { channel: "telegram", accountId: "personal" } },
{ agentId: "coder", match: { channel: "discord", accountId: "dev-server" } },
]
}
๐ก
Per-Agent Tool Permissions
| Tool | What it does |
|---|---|
exec | Run shell commands |
read | Read files |
write | Write/create files |
browser | Web automation |
canvas | Visual workspace (port 18793) |
nodes | Spawn sub-agent nodes |
cron | Schedule jobs |
sessions_spawn | Start child sessions |
โ Tool allow/deny lists control capability. Skills are separate โ a skill needing
exec still requires it in the allow list.๐ฆ
Per-Agent Sandbox
{
agents: { list: [{
id: "untrusted",
sandbox: {
mode: "all", // sandbox all tool calls
scope: "agent" // per-agent isolation
},
tools: {
allow: ["read", "exec"],
deny: ["write", "browser"],
}
}]}
}
๐กWorkspace path is default cwd, not a hard jail. Absolute paths can escape unless sandbox mode is set.
๐
Agent Identity Files
in workspace/AGENTS.md
Instructions, rules, how to behave. Primary prompt shaping file.
SOUL.md
Personality, tone, identity. Who the agent is.
USER.md
Facts about the user โ preferences, context, background.
TOOLS.md
Tool-specific instructions bundled into each turn.
HEARTBEAT.md
Checklist read every 30min heartbeat. Autonomous task loop.
โนEach agent in
agents.list has its own workspace with its own set of these files. They are plain Markdown โ edit in any text editor.Skills โ Install, Create, Manage
๐
What Are Skills
โSkills are Markdown files (SKILL.md) with YAML frontmatter that inject instructions into the agent's prompt when relevant. They are NOT code โ they are instruction manuals for tools/workflows.
workspace/skills/
โโโ my-skill/
โโโ SKILL.md # YAML frontmatter + instructions
โโโ references/ # optional extra files
~/.openclaw/skills/ # shared skills (all agents)
<workspace>/skills/ # per-agent skills (override shared)
Precedence
workspace > managed/local (~/.openclaw/skills) > bundled > extraDirs
Injection
Only relevant skills are injected per turn (not all). Selective to avoid prompt bloat.
Cost
~195 chars base + ~97 chars per skill when โฅ1 skill is eligible
โฌ๏ธ
Install Skills from ClawHub / Repos
# Install from ClawHub registry (interactive) clawdhub install <skill-name> # Install from GitHub URL clawdhub install https://github.com/org/repo/skill-dir # Installs into ./skills (current dir) by default # Agent picks it up as <workspace>/skills on next session # List installed skills clawdhub list # Configure skill with API key (env injection) // openclaw.json { skills: { entries: { my-skill: { apiKey: "${MY_SKILL_API_KEY}" // from env var } } } }
โ Treat third-party skills as trusted code. Read them before enabling. Never install blindly from unknown sources.
โ๏ธ
Write a Skill (SKILL.md)
--- name: my-workflow description: > Use this skill when the user asks to do X or Y. Triggers on keywords: "run X", "start Y workflow". user-invocable: true homepage: https://example.com --- # My Workflow Skill ## Overview Brief description of what this skill does. ## Steps 1. Step one: do this 2. Step two: call this tool with these params 3. Step three: return result ## Notes - Use {baseDir} to reference this skill's folder - Always confirm before destructive actions
โ๏ธ
Skill Config Keys
{
skills: {
// Allowlist bundled skills (whitelist mode)
allowBundled: ["git", "github", "web-search"],
// Extra skill directories
load: {
extraDirs: ["/shared/team-skills"]
},
// Per-skill config
entries: {
my-skill: {
apiKey: "${MY_KEY}",
env: { TOOL_URL: "https://..." }
}
}
}
}
๐กBundled skills auto-enable if their required CLI tool is present on the system. Use
allowBundled whitelist to control which ones activate.๐
Notable Skill Categories
Coding
git, github, codeberg, code-1-0-4, code-security-audit
Memory
chaos-mind, continuity, claw-progressive-memory, context-anchor
Multi-agent
agent-team-orchestration, agent-commons, multi-workplace
Productivity
alex-session-wrap-up, adhd-founder-planner, agentdo
Security
clawdstrike, agent-access-control, authensor-gateway
Data sync
claw-roam, bitwarden, cloudflare-r2
โน5,400+ skills in the ClawHub registry. Browse at
clawdhub search <keyword> or github.com/VoltAgent/awesome-openclaw-skillsNodes & Sub-Agent Instances
๐
Nodes (Sub-Agent Spawning)
v2026.1+โนNodes are child agent processes spawned by a parent agent to parallelize or delegate work. Enable the
nodes tool to allow an agent to spawn them.{
agents: { defaults: {
tools: {
allow: [
"nodes", // spawn/manage sub-agent nodes
"sessions_spawn", // start child sessions
"sessions_list", // list active sessions
"sessions_send", // send message to session
"session_status", // check session status
]
}
}}
}
Spawn node
Agent calls
nodes tool โ new isolated process starts โ reports backCommunication
Via
sessions_send / sessions_history tools between parent & childIsolation
Each node has its own session, workspace context, and tool scope
๐กCanvas runs as its own node too (port 18793). If Canvas crashes, the main Gateway keeps running.
๐
Multi-Workplace (Project Instances)
skill requiredโนThe
multi-workplace skill adds project-switching. Each workplace = a Git repo with its own agents, memory, and deploy config in a .workplace/ directory.# Install the skill first npx playbooks add skill openclaw/skills --skill multi-workplace # Then in chat with your agent: workplace init [path] # init current dir as workplace workplace list # list all registered workplaces workplace switch <name|uuid> # switch active workplace workplace scan [path] # auto-detect .git repos workplace agents # list agents in current workplace workplace agent start <name> # start a sub-agent workplace kernel start # start persistent kernel agent workplace export [zip|json] # export for transfer workplace import <file> # import on another server
Colon syntax
workplace switch parent:child โ fast nested project switchingState location
~/.openclaw/workspace/.workplaces/ โ registry.json, current.jsonWorkflows โ Cron Jobs, Hooks, Automation
โฑ
Cron Jobs (Scheduled Workflows)
{
cron: {
jobs: [
{
id: "daily-brief",
schedule: "0 8 * * *", // 8am every day
agentId: "main",
prompt: "Run the daily brief: check emails, summarise news, list tasks",
sessionKey: "cron:daily-brief",
},
{
id: "ci-monitor",
schedule: "*/10 * * * *", // every 10 min
agentId: "coder",
prompt: "Check GitHub Actions for failures and notify me",
}
],
// Prune cron run logs
runLog: { mode: "size", maxLines: 1000 }
}
}
โนHEARTBEAT.md in the workspace is a simpler alternative โ the agent reads it every heartbeat and decides what to act on. Better for loose, self-directed tasks.
๐ช
Webhooks / HTTP Hooks
{
hooks: {
enabled: true,
token: "${HOOKS_SECRET}", // shared secret
path: "/hooks", // endpoint prefix
defaultSessionKey: "hook:ingress",
mappings: [
{
match: { path: "github" },
action: "agent",
agentId: "coder",
deliver: true,
},
{
match: { path: "gmail" },
action: "agent",
agentId: "main",
deliver: true,
},
]
}
}
โ Treat all hook payload content as untrusted. Keep
allowUnsafeExternalContent disabled unless debugging.๐กIncoming URL:
http://gateway:18789/hooks/github โ POST with Authorization header bearing the token.Config RPC โ Programmatic Changes
๐ง
RPC Methods
| Method | Use |
|---|---|
config.get | Read current config or a path |
config.apply | Replace full config (requires baseHash) |
config.patch | Merge partial config โ rate limited: 3/60s |
# Get current config + hash openclaw gateway call config.get --params '{}' # Patch a single value openclaw gateway call config.patch \ --params '{ "raw": "{agents:{defaults:{model:{primary:\"openai/gpt-4o\"}}}}" }'
๐
Gateway Auth Config
{
gateway: {
port: 18789,
bind: "loopback", // "loopback" | "0.0.0.0"
reload: "hybrid",
auth: {
mode: "token", // "local" for dev only
token: "${OPENCLAW_GATEWAY_TOKEN}",
allowTailscale: true, // if using Tailscale
},
trustedProxies: ["10.0.0.0/8"], // Docker subnet
}
}
โ If
bind: "0.0.0.0" your gateway is exposed to the network. Fix immediately โ use "loopback" in prod with a reverse proxy.๐ฉบ
Doctor & Security Audit
# Detect + repair config issues openclaw doctor openclaw doctor --fix # Full security audit openclaw security audit --deep # Lock down permissions chmod 700 ~/.openclaw chmod 600 ~/.openclaw/openclaw.json chmod 700 ~/.openclaw/credentials # Verify gateway port binding netstat -an | grep 18789 | grep LISTEN # Check for leaked secrets in config grep -r "sk-" ~/.openclaw/ # should find nothing
Channels โ Quick Reference
โ๏ธ
Telegram
{
channels: {
telegram: {
enabled: true,
botToken: "${TELEGRAM_BOT_TOKEN}",
dmPolicy: "pairing",
// pairing|allowlist|open|disabled
allowFrom: ["tg:123456789"],
}
}
}
๐ฎ
Discord
{
channels: {
discord: {
groupPolicy: "allowlist",
accounts: {
default: {
token: "${DISCORD_BOT_TOKEN}",
guilds: { "GUILD_ID": {
channels: { "CHAN_ID": { allow: true } }
}}
}
}
}
}
}
๐ฌWhatsApp
{
channels: {
whatsapp: {
dmPolicy: "allowlist",
allowFrom: ["+15555550123"],
// Multi-account:
accounts: {
personal: { ... },
biz: { ... }
}
}
}
}
๐
DM Policy Modes
pairing
Default. Unknown senders get a one-time pairing code.
allowlist
Only senders in
allowFrom list.open
Allow all inbound. Requires
allowFrom: ["*"]disabled
Ignore all DMs on this channel.
Quick Fix Reference
๐ด
Common Errors โ Fix
Gateway won't start
Unknown key in config. Run
openclaw doctor โ remove the offending key (top-level memory is a common culprit).model.primary empty error
Set
agents.defaults.model.primary to a real model ID. Cannot be blank.Skill not activating
SKILL.md frontmatter description doesn't match your query keywords. Or
allowBundled whitelist is blocking it.Costs too high
No contextPruning. Expensive primary model. Switch primary to
openrouter/auto, add contextPruning: {mode:"cache-ttl"}.config.patch rejected
Rate limited (3 calls/60s). Wait and retry. Or edit file directly + doctor.
Multi-agent session bleed
Never reuse
agentDir across agents. Each agent must have its own dedicated agentDir.Node can't spawn
nodes tool not in tools.allow list for that agent.๐ก
Useful One-liners
# Full setup wizard openclaw onboard # Interactive config editor openclaw configure # View gateway status openclaw gateway status # Validate JSON5 manually python3 -m json.tool ~/.openclaw/openclaw.json # Restore from backup after bad edit cp ~/.openclaw/openclaw.json.bak \ ~/.openclaw/openclaw.json && openclaw doctor # Open config in Control UI (browser) # http://127.0.0.1:18789 โ Config tab # See all available agents openclaw agents list # Restart gateway after critical config change openclaw gateway restart
openclaw/openclaw ยท gateway config cheat sheet ยท march 2026
docs.openclaw.ai
~/.openclaw/openclaw.json
openclaw doctor
openclaw configure