Use this file to discover all available pages before exploring further.

Gateway runbook

Use this page for day-1 startup and day-2 operations of the Gateway service.

Deep troubleshooting

Symptom-first diagnostics with exact command ladders and log signatures.

Configuration

Task-oriented setup guide + full configuration reference.

Secrets management

SecretRef contract, runtime snapshot behavior, and migrate/reload operations.

Secrets plan contract

Exact `secrets apply` target/path rules and ref-only auth-profile behavior.

5-minute local startup

Start the Gateway

```bash} openclaw gateway --port 18789 # debug/trace mirrored to stdio openclaw gateway --port 18789 --verbose # force-kill listener on selected port, then start openclaw gateway --force ```

Verify service health

```bash} openclaw gateway status openclaw status openclaw logs --follow ```


text
Healthy baseline: `Runtime: running`, `Connectivity probe: ok`, and `Capability: ...` that matches what you expect. Use `openclaw gateway status --require-rpc` when you need read-scope RPC proof, not just reachability.

Validate channel readiness

```bash} openclaw channels status --probe ```


text
With a reachable gateway this runs live per-account channel probes and optional audits.
If the gateway is unreachable, the CLI falls back to config-only channel summaries instead
of live probe output.

note

Gateway config reload watches the active config file path (resolved from profile/state defaults, or `OPENCLAW_CONFIG_PATH` when set). Default mode is `gateway.reload.mode="hybrid"`. After the first successful load, the running process serves the active in-memory config snapshot; successful reload swaps that snapshot atomically.

Runtime model

One always-on process for routing, control plane, and channel connections.
Single multiplexed port for:
- WebSocket control/RPC
- HTTP APIs, OpenAI compatible (
  text
  /v1/models
  ,
  text
  /v1/embeddings
  ,
  text
  /v1/chat/completions
  ,
  text
  /v1/responses
  ,
  text
  /tools/invoke
  )
- Control UI and hooks
Default bind mode:
text
loopback
.
Auth is required by default. Shared-secret setups use
text
gateway.auth.token
/
text
gateway.auth.password
(or
text
OPENCLAW_GATEWAY_TOKEN
/
text
OPENCLAW_GATEWAY_PASSWORD
), and non-loopback reverse-proxy setups can use
text
gateway.auth.mode: "trusted-proxy"
.

OpenAI-compatible endpoints

OpenClaw’s highest-leverage compatibility surface is now:

text
GET /v1/models
text
GET /v1/models/{id}
text
POST /v1/embeddings
text
POST /v1/chat/completions
text
POST /v1/responses

Why this set matters:

Most Open WebUI, LobeChat, and LibreChat integrations probe
text
/v1/models
first.
Many RAG and memory pipelines expect
text
/v1/embeddings
.
Agent-native clients increasingly prefer
text
/v1/responses
.

Planning note:

text
/v1/models
is agent-first: it returns
text
openclaw
,
text
openclaw/default
, and
text
openclaw/<agentId>
.
text
openclaw/default
is the stable alias that always maps to the configured default agent.
Use
text
x-openclaw-model
when you want a backend provider/model override; otherwise the selected agent's normal model and embedding setup stays in control.

All of these run on the main Gateway port and use the same trusted operator auth boundary as the rest of the Gateway HTTP API.

Port and bind precedence

Setting	Resolution order
Gateway port	text `--port` → text `OPENCLAW_GATEWAY_PORT` → text `gateway.port` → text `18789`
Bind mode	CLI/override → text `gateway.bind` → text `loopback`

Installed gateway services record the resolved

text

--port

in supervisor metadata. After changing

text

gateway.port

, run

text

openclaw doctor --fix

text

openclaw gateway install --force

so launchd/systemd/schtasks starts the process on the new port.

Gateway startup uses the same effective port and bind when it seeds local Control UI origins for non-loopback binds. For example,

text

--bind lan --port 3000

seeds

text

http://localhost:3000

and

text

http://127.0.0.1:3000

before runtime validation runs. Add any remote browser origins, such as HTTPS proxy URLs, to

text

gateway.controlUi.allowedOrigins

explicitly.

Hot reload modes

text `gateway.reload.mode`	Behavior
text `off`	No config reload
text `hot`	Apply only hot-safe changes
text `restart`	Restart on reload-required changes
text `hybrid` (default)	Hot-apply when safe, restart when required

Operator command set


bash
openclaw gateway status
openclaw gateway status --deep   # adds a system-level service scan
openclaw gateway status --json
openclaw gateway install
openclaw gateway restart
openclaw gateway stop
openclaw secrets reload
openclaw logs --follow
openclaw doctor

text

gateway status --deep

is for extra service discovery (LaunchDaemons/systemd system units/schtasks), not a deeper RPC health probe.

Multiple gateways (same host)

Most installs should run one gateway per machine. A single gateway can host multiple agents and channels.

You only need multiple gateways when you intentionally want isolation or a rescue bot.

Useful checks:


bash
openclaw gateway status --deep
openclaw gateway probe

What to expect:

text
gateway status --deep
can report
text
Other gateway-like services detected (best effort)
and print cleanup hints when stale launchd/systemd/schtasks installs are still around.
text
gateway probe
can warn about
text
multiple reachable gateways
when more than one target answers.
If that is intentional, isolate ports, config/state, and workspace roots per gateway.

Checklist per instance:

Unique
text
gateway.port
Unique
text
OPENCLAW_CONFIG_PATH
Unique
text
OPENCLAW_STATE_DIR
Unique
text
agents.defaults.workspace

Example:


bash
OPENCLAW_CONFIG_PATH=~/.openclaw/a.json OPENCLAW_STATE_DIR=~/.openclaw-a openclaw gateway --port 19001
OPENCLAW_CONFIG_PATH=~/.openclaw/b.json OPENCLAW_STATE_DIR=~/.openclaw-b openclaw gateway --port 19002

Detailed setup: /gateway/multiple-gateways.

VoiceClaw real-time brain endpoint

OpenClaw exposes a VoiceClaw-compatible real-time WebSocket endpoint at

text

/voiceclaw/realtime

. Use it when a VoiceClaw desktop client should talk directly to a real-time OpenClaw brain instead of going through a separate relay process.

The endpoint uses Gemini Live for real-time audio and calls OpenClaw as the brain by exposing OpenClaw tools directly to Gemini Live. Tool calls return an immediate

text

working

result to keep the voice turn responsive, then OpenClaw executes the actual tool asynchronously and injects the result back into the live session. Set

text

GEMINI_API_KEY

in the gateway process environment. If gateway auth is enabled, the desktop client sends the gateway token or password in its first

text

session.config

message.

Real-time brain access runs owner-authorized OpenClaw agent commands. Keep

text

gateway.auth.mode: "none"

limited to loopback-only test instances. Non-local real-time brain connections require gateway auth.

For an isolated test gateway, run a separate instance with its own port, config, and state:


bash
OPENCLAW_CONFIG_PATH=/path/to/openclaw-realtime/openclaw.json \
OPENCLAW_STATE_DIR=/path/to/openclaw-realtime/state \
OPENCLAW_SKIP_CHANNELS=1 \
GEMINI_API_KEY=... \
openclaw gateway --port 19789

Then configure VoiceClaw to use:


text
ws://127.0.0.1:19789/voiceclaw/realtime

Remote access

Preferred: Tailscale/VPN. Fallback: SSH tunnel.


bash
ssh -N -L 18789:127.0.0.1:18789 user@host

Then connect clients locally to

text

ws://127.0.0.1:18789

warning

SSH tunnels do not bypass gateway auth. For shared-secret auth, clients still must send `token`/`password` even over the tunnel. For identity-bearing modes, the request still has to satisfy that auth path.

See: Remote Gateway, Authentication, Tailscale.

Supervision and service lifecycle

Use supervised runs for production-like reliability.

```bash} openclaw gateway install openclaw gateway status openclaw gateway restart openclaw gateway stop ```


text
Use `openclaw gateway restart` for restarts. Do not chain `openclaw gateway stop` and `openclaw gateway start`; on macOS, `gateway stop` intentionally disables the LaunchAgent before stopping it.

LaunchAgent labels are `ai.openclaw.gateway` (default) or `ai.openclaw.<profile>` (named profile). `openclaw doctor` audits and repairs service config drift.

```bash} openclaw gateway install systemctl --user enable --now openclaw-gateway[-].service openclaw gateway status ```


text
For persistence after logout, enable lingering:

```bash}
sudo loginctl enable-linger <user>
```

Manual user-unit example when you need a custom install path:

```ini}
[Unit]
Description=OpenClaw Gateway
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/usr/local/bin/openclaw gateway --port 18789
Restart=always
RestartSec=5
TimeoutStopSec=30
TimeoutStartSec=30
SuccessExitStatus=0 143
KillMode=control-group

[Install]
WantedBy=default.target
```

```powershell} openclaw gateway install openclaw gateway status --json openclaw gateway restart openclaw gateway stop ```


text
Native Windows managed startup uses a Scheduled Task named `OpenClaw Gateway`
(or `OpenClaw Gateway (<profile>)` for named profiles). If Scheduled Task
creation is denied, OpenClaw falls back to a per-user Startup-folder launcher
that points at `gateway.cmd` inside the state directory.

Use a system unit for multi-user/always-on hosts.


text
```bash}
sudo systemctl daemon-reload
sudo systemctl enable --now openclaw-gateway[-<profile>].service
```

Use the same service body as the user unit, but install it under
`/etc/systemd/system/openclaw-gateway[-<profile>].service` and adjust
`ExecStart=` if your `openclaw` binary lives elsewhere.

Do not also let `openclaw doctor --fix` install a user-level gateway service for the same profile/port. Doctor refuses that automatic install when it finds a system-level OpenClaw gateway service; use `OPENCLAW_SERVICE_REPAIR_POLICY=external` when the system unit owns the lifecycle.

Dev profile quick path


bash
openclaw --dev setup
openclaw --dev gateway --allow-unconfigured
openclaw --dev status

Defaults include isolated state/config and base gateway port

text

19001

Protocol quick reference (operator view)

First client frame must be
text
connect
.
Gateway returns
text
hello-ok
snapshot (
text
presence
,
text
health
,
text
stateVersion
,
text
uptimeMs
, limits/policy).
text
hello-ok.features.methods
/
text
events
are a conservative discovery list, not a generated dump of every callable helper route.
Requests:
text
req(method, params)
→
text
res(ok/payload|error)
.
Common events include
text
connect.challenge
,
text
agent
,
text
chat
,
text
session.message
,
text
session.tool
,
text
sessions.changed
,
text
presence
,
text
tick
,
text
health
,
text
heartbeat
, pairing/approval lifecycle events, and
text
shutdown
.

Agent runs are two-stage:

Immediate accepted ack (
text
status:"accepted"
)
Final completion response (
text
status:"ok"|"error"
), with streamed
text
agent
events in between.

See full protocol docs: Gateway Protocol.

Operational checks

Liveness

Open WS and send
text
connect
.
Expect
text
hello-ok
response with snapshot.

Readiness


bash
openclaw gateway status
openclaw channels status --probe
openclaw health

Gap recovery

Events are not replayed. On sequence gaps, refresh state (

text

health

text

system-presence

) before continuing.

Common failure signatures

Signature	Likely issue
text `refusing to bind gateway ... without auth`	Non-loopback bind without a valid gateway auth path
text `another gateway instance is already listening` / text `EADDRINUSE`	Port conflict
text `Gateway start blocked: set gateway.mode=local`	Config set to remote mode, or local-mode stamp is missing from a damaged config
text `unauthorized` during connect	Auth mismatch between client and gateway

For full diagnosis ladders, use Gateway Troubleshooting.

Safety guarantees

Gateway protocol clients fail fast when Gateway is unavailable (no implicit direct-channel fallback).
Invalid/non-connect first frames are rejected and closed.
Graceful shutdown emits
text
shutdown
event before socket close.

OpenClaw Docs

Gateway runbook

Deep troubleshooting

Configuration

Secrets management

Secrets plan contract

5-minute local startup

Start the Gateway

Verify service health

Validate channel readiness

note

Runtime model

OpenAI-compatible endpoints

Port and bind precedence

Hot reload modes

Operator command set

Multiple gateways (same host)

VoiceClaw real-time brain endpoint

Remote access

warning

Supervision and service lifecycle

Dev profile quick path

Protocol quick reference (operator view)

Operational checks

Liveness

Readiness

Gap recovery

Common failure signatures

Safety guarantees

Related