Authentication

OpenClaw supports OAuth and API keys for model providers. For always-on gateway hosts, API keys are usually the most predictable option. Subscription/OAuth flows are also supported when they match your provider account model.

See /concepts/oauth for the full OAuth flow and storage layout. For SecretRef-based auth (

// providers), see Secrets Management. For credential eligibility/reason-code rules used by , see Auth Credential Semantics.

Recommended setup (API key, any provider)

If you’re running a long-lived gateway, start with an API key for your chosen provider. For Anthropic specifically, API key auth is still the most predictable server setup, but OpenClaw also supports reusing a local Claude CLI login.

1. Create an API key in your provider console.
2. Put it on the gateway host (the machine running
   text

   Copy

   openclaw gateway
   ).

bash
Copy
export <PROVIDER>_API_KEY="..."
openclaw models status

3. If the Gateway runs under systemd/launchd, prefer putting the key in
   text

   Copy

   ~/.openclaw/.env
   so the daemon can read it:

bash
Copy
cat >> ~/.openclaw/.env <<'EOF'
<PROVIDER>_API_KEY=...
EOF

Then restart the daemon (or restart your Gateway process) and re-check:

bash
Copy
openclaw models status
openclaw doctor

If you’d rather not manage env vars yourself, onboarding can store API keys for daemon use:

.

See Help for details on env inheritance (

, , systemd/launchd).

Anthropic: Claude CLI and token compatibility

Anthropic setup-token auth is still available in OpenClaw as a supported token path. Anthropic staff has since told us that OpenClaw-style Claude CLI usage is allowed again, so OpenClaw treats Claude CLI reuse and

usage as sanctioned for this integration unless Anthropic publishes a new policy. When Claude CLI reuse is available on the host, that is now the preferred path.

For long-lived gateway hosts, an Anthropic API key is still the most predictable setup. If you want to reuse an existing Claude login on the same host, use the Anthropic Claude CLI path in onboarding/configure.

Recommended host setup for Claude CLI reuse:

bash
Copy
# Run on the gateway host
claude auth login
claude auth status --text
openclaw models auth login --provider anthropic --method cli --set-default

This is a two-step setup:

1. Log Claude Code itself into Anthropic on the gateway host.
2. Tell OpenClaw to switch Anthropic model selection to the local
   text

   Copy

   claude-cli
   backend and store the matching OpenClaw auth profile.

If

is not on , either install Claude Code first or set to the real binary path.

Manual token entry (any provider; writes

+ updates config):

bash
Copy
openclaw models auth paste-token --provider openrouter

stores credentials only. The canonical shape is:

json
Copy
{
  "version": 1,
  "profiles": {
    "openrouter:default": {
      "type": "api_key",
      "provider": "openrouter",
      "key": "OPENROUTER_API_KEY"
    }
  }
}

OpenClaw expects the canonical

+ shape at runtime. If an older install still has a flat file such as , run to rewrite it as an API-key profile; doctor keeps a copy beside the original. Endpoint details such as , , model ids, headers, and timeouts belong under in or , not in .

Auth profile refs are also supported for static credentials:

• text

  Copy

  api_key
  credentials can use
  text

  Copy

  keyRef: { source, provider, id }
• text

  Copy

  token
  credentials can use
  text

  Copy

  tokenRef: { source, provider, id }
• OAuth-mode profiles do not support SecretRef credentials; if
  text

  Copy

  auth.profiles.<id>.mode
  is set to
  text

  Copy

  "oauth"
  , SecretRef-backed
  text

  Copy

  keyRef
  /
  text

  Copy

  tokenRef
  input for that profile is rejected.

Automation-friendly check (exit

when expired/missing, when expiring):

bash
Copy
openclaw models status --check

Live auth probes:

bash
Copy
openclaw models status --probe

Notes:

• Probe rows can come from auth profiles, env credentials, or
  text

  Copy

  models.json
  .
• If explicit
  text

  Copy

  auth.order.<provider>
  omits a stored profile, probe reports
  text

  Copy

  excluded_by_auth_order
  for that profile instead of trying it.
• If auth exists but OpenClaw cannot resolve a probeable model candidate for that provider, probe reports
  text

  Copy

  status: no_model
  .
• Rate-limit cooldowns can be model-scoped. A profile cooling down for one model can still be usable for a sibling model on the same provider.

Optional ops scripts (systemd/Termux) are documented here: Auth monitoring scripts

Anthropic note

The Anthropic

backend is supported again.

• Anthropic staff told us this OpenClaw integration path is allowed again.
• OpenClaw therefore treats Claude CLI reuse and
  text

  Copy

  claude -p
  usage as sanctioned for Anthropic-backed runs unless Anthropic publishes a new policy.
• Anthropic API keys remain the most predictable choice for long-lived gateway hosts and explicit server-side billing control.

Checking model auth status

bash
Copy
openclaw models status
openclaw doctor

API key rotation behavior (gateway)

Some providers support retrying a request with alternative keys when an API call hits a provider rate limit.

• Priority order:
  • text

    Copy

    OPENCLAW_LIVE_<PROVIDER>_KEY
    (single override)
  • text

    Copy

    <PROVIDER>_API_KEYS
  • text

    Copy

    <PROVIDER>_API_KEY
  • text

    Copy

    <PROVIDER>_API_KEY_*
• Google providers also include
  text

  Copy

  GOOGLE_API_KEY
  as an additional fallback.
• The same key list is deduplicated before use.
• OpenClaw retries with the next key only for rate-limit errors (for example
  text

  Copy

  429
  ,
  text

  Copy

  rate_limit
  ,
  text

  Copy

  quota
  ,
  text

  Copy

  resource exhausted
  ,
  text

  Copy

  Too many concurrent requests
  ,
  text

  Copy

  ThrottlingException
  ,
  text

  Copy

  concurrency limit reached
  , or
  text

  Copy

  workers_ai ... quota limit exceeded
  ).
• Non-rate-limit errors are not retried with alternate keys.
• If all keys fail, the final error from the last attempt is returned.

Controlling which credential is used

Per-session (chat command)

Use

to pin a specific provider credential for the current session (example profile ids: , ).

Use

(or ) for a compact picker; use for the full view (candidates + next auth profile, plus provider endpoint details when configured).

Per-agent (CLI override)

Set an explicit auth profile order override for an agent (stored in that agent’s

):

bash
Copy
openclaw models auth order get --provider anthropic
openclaw models auth order set --provider anthropic anthropic:default
openclaw models auth order clear --provider anthropic

Use

to target a specific agent; omit it to use the configured default agent. When you debug order issues, shows omitted stored profiles as instead of silently skipping them. When you debug cooldown issues, remember that rate-limit cooldowns can be tied to one model id rather than the whole provider profile.

Troubleshooting

"No credentials found"

If the Anthropic profile is missing, configure an Anthropic API key on the gateway host or set up the Anthropic setup-token path, then re-check:

bash
Copy
openclaw models status

Token expiring/expired

Run

to confirm which profile is expiring. If an Anthropic token profile is missing or expired, refresh that setup via setup-token or migrate to an Anthropic API key.

Related

• Secrets management
• Remote access
• Auth storage