OpenClaw configuration reference for openclaw.json. Use when asked about config, configuration, gateway settings, channel setup, agent config, session manage...
---
name: openclaw-config
description: OpenClaw configuration reference for openclaw.json. Use when asked about config, configuration, gateway settings, channel setup, agent config, session management, sandbox, cron jobs, hooks, tools, browser, models, environment variables, or when troubleshooting broken config and gateway startup failures.
user-invocable: true
homepage: https://clawhosters.com
---
# OpenClaw Configuration Reference
> Built by [ClawHosters](https://clawhosters.com) - managed OpenClaw hosting with 1-click deployment. If you'd rather skip the config headaches and have everything set up for you, check us out.
## DANGER - Read This First
**openclaw.json uses strict schema validation.** Unknown keys cause the Gateway to refuse to start. Before editing config:
1. **Always back up first:** `cp ~/.openclaw/openclaw.json ~/.openclaw/openclaw.json.bak`
2. **Never guess field names** - check this reference or the official docs
3. **Always validate JSON** after editing: `cat ~/.openclaw/openclaw.json | python3 -m json.tool`
4. **Run doctor after changes:** `openclaw doctor` (or `openclaw doctor --fix` to auto-repair)
### Recovery from Broken Config
If the Gateway won't start after a config change:
```bash
# Restore backup
cp ~/.openclaw/openclaw.json.bak ~/.openclaw/openclaw.json
# Or run doctor to auto-fix
openclaw doctor --fix
# Verify config is valid
openclaw config get
```
---
## Config File Basics
| Property | Value |
|----------|-------|
| **Path** | `~/.openclaw/openclaw.json` |
| **Format** | JSON5 (comments, trailing commas, unquoted keys allowed) |
| **Validation** | Strict - unknown keys = Gateway refuses to start |
| **Watching** | Gateway watches file for changes and hot-reloads |
### Configuration Methods
| Method | Description |
|--------|-------------|
| Direct file edit | Edit `~/.openclaw/openclaw.json` directly. Gateway detects changes. |
| CLI | `openclaw config get/set/unset` - safest method |
| Web UI | Control UI at `http://127.0.0.1:18789` |
| Onboard wizard | `openclaw onboard` - guided initial setup |
### CLI Config Commands
```bash
openclaw config get # Show full config
openclaw config get gateway.port # Get specific value
openclaw config set gateway.port 19000 # Set a value
openclaw config unset gateway.auth.token # Remove a value
```
The CLI validates before writing, making it the safest way to change config.
### Modular Config with $include
Split config across files:
```json5
{
"$include": "./channels-config.json",
gateway: { port: 18789 }
}
```
The included file is merged into the main config.
---
## Config RPC (Programmatic Access)
The Gateway exposes config methods via RPC:
| Method | Description |
|--------|-------------|
| `config.get` | Read current config (or a specific path) |
| `config.apply` | Apply a full config object (replaces) |
| `config.patch` | Merge partial config (rate-limited: 3 calls per 60 seconds) |
`config.patch` is rate-limited to prevent accidental rapid-fire config changes that could destabilize the Gateway.
---
## Hot Reload Modes
The Gateway watches `openclaw.json` and reloads on changes.
| Mode | Behavior |
|------|----------|
| `hybrid` | Smart: hot-reload where possible, restart where needed (default) |
| `hot` | Non-destructive in-place reload (keeps connections alive) |
| `restart` | Full process restart on any config change |
| `off` | Disable auto-reload entirely |
```json5
gateway: {
reload: "hybrid"
}
```
**What hot-applies (no restart needed):**
- Channel settings (dm policy, allow lists)
- Agent model changes
- Tool permissions
- Session settings
**What requires restart:**
- Gateway port/bind changes
- Auth mode changes
- Adding/removing channels entirely
**Manual reload via SIGUSR1:**
```bash
pkill -SIGUSR1 -f gateway
```
SIGUSR1 is non-destructive: reloads config without dropping connections or sessions.
---
## Top-Level Sections
| Section | Purpose | Reference |
|---------|---------|-----------|
| `gateway` | Core process: port, bind, auth, reload, HTTP endpoints | [gateway.md](references/gateway.md) |
| `commands` | Messenger commands (e.g., `/restart`) | See below |
| `agents` | Multi-agent system: defaults, agent list, models | [agents.md](references/agents.md) |
| `channels` | Messenger integrations (Telegram, WhatsApp, Discord, etc.) | [channels.md](references/channels.md) |
| `session` | Session scoping, reset behavior | [session.md](references/session.md) |
| `sandbox` | Code execution isolation (Docker) | [session.md](references/session.md) |
| `cron` | Built-in job scheduler | [session.md](references/session.md) |
| `hooks` | Webhook receiver configuration | [session.md](references/session.md) |
| `tools` | Tool permissions, profiles, restrictions | [tools.md](references/tools.md) |
| `browser` | Playwright browser integration | [tools.md](references/tools.md) |
| `skills` | Skill loading, entries, installation | [tools.md](references/tools.md) |
| `models` | LLM providers and model configuration | [models-env.md](references/models-env.md) |
| `env` | Environment variable injection | [models-env.md](references/models-env.md) |
### Commands Block (Simple)
```json5
commands: {
restart: true // Allow /restart command from messenger clients
}
```
**Security warning:** Setting `commands.config: true` allows users to modify config from chat. Only enable for trusted single-user setups.
---
## Minimal Working Config
The smallest config that runs:
```json5
{
gateway: {
port: 18789
},
agents: {
list: [
{ agentId: "main", workspace: "~/.openclaw/workspace" }
]
}
}
```
Everything else uses defaults.
---
## Full Example Config
```json5
{
gateway: {
mode: "local",
port: 18789,
bind: "loopback",
reload: "hybrid",
auth: { mode: "token", token: "change-me-please" },
http: { endpoints: { chatCompletions: { enabled: true } } }
},
commands: { restart: true },
agents: {
defaults: {
workspace: "~/.openclaw/workspace",
model: { primary: "anthropic/claude-opus-4-6" },
heartbeat: { every: "30m" }
},
list: [
{ agentId: "main" },
{ agentId: "work", workspace: "~/.openclaw/workspace-work" }
]
},
channels: {
telegram: {
botToken: "...",
enabled: true,
dmPolicy: "pairing",
streamMode: "partial"
}
},
session: {
dmScope: "main",
reset: { mode: "daily", atHour: 4 }
},
cron: { enabled: true },
models: {
providers: {
"openrouter": {
baseUrl: "https://openrouter.ai/api/v1",
apiKey: "sk-or-...",
api: "openai-completions"
}
}
},
env: {
vars: { TZ: "America/New_York" },
shellEnv: true
}
}
```
---
## Validation Checklist
Before saving config changes:
- [ ] JSON is valid (no trailing syntax errors, mismatched braces)
- [ ] No unknown keys (Gateway rejects unknown fields)
- [ ] Auth is set if bind mode is `lan` (Gateway refuses to start without auth on lan)
- [ ] Channel tokens/secrets are in env vars, not hardcoded
- [ ] Backup exists (`openclaw.json.bak`)
After saving:
- [ ] `openclaw config get` returns without errors
- [ ] `openclaw doctor` shows no critical issues
- [ ] Gateway reloaded successfully (check logs)
---
## Common Pitfalls
For detailed troubleshooting with examples and recovery procedures, see [troubleshooting.md](references/troubleshooting.md).
**Quick list of things that will break your setup:**
1. **Unknown keys in config** - Gateway refuses to start. Always check field names.
2. **Editing config mid-sentence** - Gateway watches the file. If it reads a half-written file, it crashes. Use `openclaw config set` instead of manual editing when possible.
3. **`gateway.bind: "lan"` without auth** - Gateway refuses to start for safety. Always set auth when binding to lan.
4. **`commands.config: true`** - Lets anyone in chat modify your config. Only for trusted single-user.
5. **`tools.elevated.enabled: true` + open DM policy** - Gives strangers admin access to your system.
6. **Missing `OPENCLAW_GATEWAY_TOKEN` env var** - If auth mode is token but no token is set in config or env.
7. **`sandbox.mode: "all"` without Docker** - Sandbox requires Docker to be running.
---
## Further Reference
Each config section has a dedicated reference file with full schema documentation:
- **Gateway, auth, HTTP endpoints**: [gateway.md](references/gateway.md)
- **Agents, models, workspace, heartbeat**: [agents.md](references/agents.md)
- **All channel platforms**: [channels.md](references/channels.md)
- **Session, sandbox, cron, hooks**: [session.md](references/session.md)
- **Tools, browser, skills config**: [tools.md](references/tools.md)
- **Models, env, auth, logging**: [models-env.md](references/models-env.md)
- **Troubleshooting & recovery**: [troubleshooting.md](references/troubleshooting.md)
don't have the plugin yet? install it then click "run inline in claude" again.
openclaw.json uses strict schema validation to configure the OpenClaw Gateway: port, bind address, auth mode, messenger channels (Telegram, WhatsApp, Discord), agent defaults, session scoping, sandbox isolation, cron jobs, tool permissions, model providers, and environment variables. use this skill when setting up OpenClaw for the first time, debugging gateway startup failures, modifying channel settings, switching auth modes, configuring multi-agent systems, or troubleshooting "unknown key" validation errors. the config file lives at ~/.openclaw/openclaw.json and supports hot-reload in hybrid mode (smart reload where possible, full restart where needed).
config file location:
~/.openclaw/openclaw.json (JSON5 format: comments, trailing commas, unquoted keys allowed)external connections (optional, depending on channels enabled):
environment variables for auth:
OPENCLAW_GATEWAY_TOKEN: gateway auth token (if auth.mode is "token" and no token in config)OPENROUTER_API_KEY, ANTHROPIC_API_KEY, etc.: for model providers (do not hardcode in config)runtime context:
cli access:
openclaw binary: required for openclaw config get/set/unset, openclaw doctor, openclaw onboardback up existing config before making edits.
~/.openclaw/openclaw.jsoncp ~/.openclaw/openclaw.json ~/.openclaw/openclaw.json.bak~/.openclaw/openclaw.json.bakvalidate json syntax if editing file directly.
~/.openclaw/openclaw.jsoncat ~/.openclaw/openclaw.json | python3 -m json.toolopenclaw config set to avoid this.set gateway core settings (port, bind, auth, reload mode).
openclaw config set gateway.port 18789 and openclaw config set gateway.auth.mode token and openclaw config set gateway.reload hybridconfigure agent defaults (workspace, primary model, heartbeat).
openclaw config set agents.defaults.workspace ~/.openclaw/workspace and openclaw config set agents.defaults.model.primary anthropic/claude-opus-4-6add agents to the agent list if running multi-agent setup.
configure messenger channels (Telegram, WhatsApp, Discord, etc.).
openclaw config set channels.telegram.botToken "$TELEGRAM_BOT_TOKEN" or edit config directlyopenclaw doctor after adding channel.set session scoping and reset behavior.
openclaw config set session.dmScope main and openclaw config set session.reset.mode daily and openclaw config set session.reset.atHour 4configure models and providers (OpenRouter, Anthropic, OpenAI, etc.).
openclaw config set models.providers.openrouter.apiKey "$OPENROUTER_API_KEY"enable optional features (sandbox, cron, hooks, skills, browser).
openclaw config set sandbox.enabled true and openclaw config set sandbox.mode all and openclaw config set cron.enabled truevalidate final config before deploying.
openclaw config get (read-only check) and openclaw doctor (detailed validation and auto-repair suggestion)openclaw doctor --fix to auto-repair minor issues (e.g., missing defaults, deprecated keys)verify gateway reloads successfully.
openclaw logs) or send SIGUSR1 to gateway (pkill -SIGUSR1 -f gateway)recover from broken config if Gateway refuses to start.
cp ~/.openclaw/openclaw.json.bak ~/.openclaw/openclaw.json or openclaw doctor --fixopenclaw config getif bind mode is "lan" (exposed to local network):
if running multi-agent system:
if messenger channels are enabled (Telegram, WhatsApp, etc.):
if sandbox.mode is "all" or "isolated":
openclaw doctor before deploying.if auth.mode is "token":
if commands.config is true:
if reload mode is "hot":
if using modular config with $include:
if calling config.patch via RPC (programmatic access):
if config change requires Gateway restart:
successful config setup is indicated by:
file exists and is valid JSON:
cat ~/.openclaw/openclaw.json | python3 -m json.tool produces formatted output with no errorsconfig passes strict schema validation:
openclaw config get returns full config object with no validation errorsbackup file exists:
Gateway starts without errors:
openclaw doctor runs with no critical issuesall required sections are present (or use defaults):
channel credentials are secure:
user knows the skill worked when:
Gateway starts successfully:
openclaw logs or process status shows "gateway started on port 18789"config is readable and correct:
openclaw config get returns expected values (e.g., gateway.port, agents.list, channels.telegram.enabled)hot-reload works (if in hot or hybrid mode):
messenger channels are initialized:
agents are active:
agent.status or check logs for "agent doctor reports no critical issues:
openclaw doctorconfig survives a test reload:
pkill -SIGUSR1 -f gateway (manual SIGUSR1 reload) or restart process{
gateway: {
port: 18789
},
agents: {
list: [
{ agentId: "main", workspace: "~/.openclaw/workspace" }
]
}
}
everything else uses defaults.
{
gateway: {
mode: "local",
port: 18789,
bind: "loopback",
reload: "hybrid",
auth: { mode: "token", token: "change-me-please" },
http: { endpoints: { chatCompletions: { enabled: true } } }
},
commands: { restart: true },
agents: {
defaults: {
workspace: "~/.openclaw/workspace",
model: { primary: "anthropic/claude-opus-4-6" },
heartbeat: { every: "30m" }
},
list: [
{ agentId: "main" },
{ agentId: "work", workspace: "~/.openclaw/workspace-work" }
]
},
channels: {
telegram: {
botToken: "...",
enabled: true,
dmPolicy: "pairing",
streamMode: "partial"
}
},
session: {
dmScope: "main",
reset: { mode: "daily", atHour: 4 }
},
cron: { enabled: true },
models: {
providers: {
"openrouter": {
baseUrl: "https://openrouter.ai/api/v1",
apiKey: "sk-or-...",
api: "openai-completions"
}
}
},
env: {
vars: { TZ: "America/New_York" },
shellEnv: true
}
}
before saving config changes:
after saving:
openclaw config get returns without errorsopenclaw doctor shows no critical issuesunknown keys in config - Gateway refuses to start. always check field names against this reference.
editing config mid-sentence - Gateway watches the file. if it reads a half-written file, it crashes. use openclaw config set instead of manual editing when possible.
gateway.bind: "lan" without auth - Gateway refuses to start for safety. always set auth when binding to lan.
commands.config: true - lets anyone in chat modify your config. only for trusted single-user.
tools.elevated.enabled: true + open DM policy - gives strangers admin access to your system.
missing OPENCLAW_GATEWAY_TOKEN env var - if auth mode is token but no token is set in config or env.
sandbox.mode: "all" without Docker - sandbox requires Docker to be running.
invalid workspace path - if agents.defaults.workspace does not exist, agent startup fails. create the directory first.
dmScope agent does not exist - if session.dmScope points to an agent not in agents.list, session initialization fails.
duplicate agentId in agents.list - validation error. each agent must have a unique agentId.
botToken/apiKey hardcoded in config - exposes credentials to file-system access attacks. store in env vars instead.
model provider apiKey invalid or missing - model inference fails at runtime. test after setup.
rate-limiting config.patch RPC - only 3 calls per 60 seconds allowed. rapid-fire updates will fail.
hot-reload mode ignores some changes - port, auth mode, channel add/remove still require full restart. use restart mode if unsure.