Use this file to discover all available pages before exploring further.

Nodes

A node is a companion device (macOS/iOS/Android/headless) that connects to the Gateway WebSocket (same port as operators) with

text

role: "node"

and exposes a command surface (e.g.

text

canvas.*

text

camera.*

text

device.*

text

notifications.*

text

system.*

) via

text

node.invoke

. Protocol details: Gateway protocol.

Legacy transport: Bridge protocol (TCP JSONL; historical only for current nodes).

macOS can also run in node mode: the menubar app connects to the Gateway’s WS server and exposes its local canvas/camera commands as a node (so

text

openclaw nodes …

works against this Mac). In remote gateway mode, browser automation is handled by the CLI node host (

text

openclaw node run

or the installed node service), not by the native app node.

Notes:

Nodes are peripherals, not gateways. They don’t run the gateway service.
Telegram/WhatsApp/etc. messages land on the gateway, not on nodes.
Troubleshooting runbook: /nodes/troubleshooting

Pairing + status

WS nodes use device pairing. Nodes present a device identity during

text

connect

; the Gateway creates a device pairing request for

text

role: node

. Approve via the devices CLI (or UI).

Quick CLI:


bash
openclaw devices list
openclaw devices approve <requestId>
openclaw devices reject <requestId>
openclaw nodes status
openclaw nodes describe --node <idOrNameOrIp>

If a node retries with changed auth details (role/scopes/public key), the prior pending request is superseded and a new

text

requestId

is created. Re-run

text

openclaw devices list

before approving.

Notes:

text
nodes status
marks a node as paired when its device pairing role includes
text
node
.
The device pairing record is the durable approved-role contract. Token rotation stays inside that contract; it cannot upgrade a paired node into a different role that pairing approval never granted.
text
node.pair.*
(CLI:
text
openclaw nodes pending/approve/reject/remove/rename
) is a separate gateway-owned node pairing store; it does not gate the WS
text
connect
handshake.
text
openclaw nodes remove --node <id|name|ip>
deletes stale entries from that separate gateway-owned node pairing store.
Approval scope follows the pending request's declared commands:
- commandless request:
  text
  operator.pairing
- non-exec node commands:
  text
  operator.pairing
  +
  text
  operator.write
- text
  system.run
  /
  text
  system.run.prepare
  /
  text
  system.which
  :
  text
  operator.pairing
  +
  text
  operator.admin

Remote node host (system.run)

Use a node host when your Gateway runs on one machine and you want commands to execute on another. The model still talks to the gateway; the gateway forwards

text

exec

calls to the node host when

text

host=node

is selected.

What runs where

Gateway host: receives messages, runs the model, routes tool calls.
Node host: executes
text
system.run
/
text
system.which
on the node machine.
Approvals: enforced on the node host via
text
~/.openclaw/exec-approvals.json
.

Approval note:

Approval-backed node runs bind exact request context.
For direct shell/runtime file executions, OpenClaw also best-effort binds one concrete local file operand and denies the run if that file changes before execution.
If OpenClaw cannot identify exactly one concrete local file for an interpreter/runtime command, approval-backed execution is denied instead of pretending full runtime coverage. Use sandboxing, separate hosts, or an explicit trusted allowlist/full workflow for broader interpreter semantics.

Start a node host (foreground)

On the node machine:


bash
openclaw node run --host <gateway-host> --port 18789 --display-name "Build Node"

Remote gateway via SSH tunnel (loopback bind)

If the Gateway binds to loopback (

text

gateway.bind=loopback

, default in local mode), remote node hosts cannot connect directly. Create an SSH tunnel and point the node host at the local end of the tunnel.

Example (node host -> gateway host):


bash
# Terminal A (keep running): forward local 18790 -> gateway 127.0.0.1:18789
ssh -N -L 18790:127.0.0.1:18789 user@gateway-host

# Terminal B: export the gateway token and connect through the tunnel
export OPENCLAW_GATEWAY_TOKEN="<gateway-token>"
openclaw node run --host 127.0.0.1 --port 18790 --display-name "Build Node"

Notes:

text
openclaw node run
supports token or password auth.
Env vars are preferred:
text
OPENCLAW_GATEWAY_TOKEN
/
text
OPENCLAW_GATEWAY_PASSWORD
.
Config fallback is
text
gateway.auth.token
/
text
gateway.auth.password
.
In local mode, node host intentionally ignores
text
gateway.remote.token
/
text
gateway.remote.password
.
In remote mode,
text
gateway.remote.token
/
text
gateway.remote.password
are eligible per remote precedence rules.
If active local
text
gateway.auth.*
SecretRefs are configured but unresolved, node-host auth fails closed.
Node-host auth resolution only honors
text
OPENCLAW_GATEWAY_*
env vars.

Start a node host (service)


bash
openclaw node install --host <gateway-host> --port 18789 --display-name "Build Node"
openclaw node start
openclaw node restart

Pair + name

On the gateway host:


bash
openclaw devices list
openclaw devices approve <requestId>
openclaw nodes status

If the node retries with changed auth details, re-run

text

openclaw devices list

and approve the current

text

requestId

Naming options:

text
--display-name
on
text
openclaw node run
/
text
openclaw node install
(persists in
text
~/.openclaw/node.json
on the node).
text
openclaw nodes rename --node <id|name|ip> --name "Build Node"
(gateway override).

Allowlist the commands

Exec approvals are per node host. Add allowlist entries from the gateway:


bash
openclaw approvals allowlist add --node <id|name|ip> "/usr/bin/uname"
openclaw approvals allowlist add --node <id|name|ip> "/usr/bin/sw_vers"

Approvals live on the node host at

text

~/.openclaw/exec-approvals.json

Point exec at the node

Configure defaults (gateway config):


bash
openclaw config set tools.exec.host node
openclaw config set tools.exec.security allowlist
openclaw config set tools.exec.node "<id-or-name>"

Or per session:


text
/exec host=node security=allowlist node=<id-or-name>

Once set, any

text

exec

call with

text

host=node

runs on the node host (subject to the node allowlist/approvals).

text

host=auto

will not implicitly choose the node on its own, but an explicit per-call

text

host=node

request is allowed from

text

auto

. If you want node exec to be the default for the session, set

text

tools.exec.host=node

text

/exec host=node ...

explicitly.

Invoking commands

Low-level (raw RPC):


bash
openclaw nodes invoke --node <idOrNameOrIp> --command canvas.eval --params '{"javaScript":"location.href"}'

Higher-level helpers exist for the common “give the agent a MEDIA attachment” workflows.

Command policy

Node commands must pass two gates before they can be invoked:

The node must declare the command in its WebSocket
text
connect.commands
list.
The gateway's platform policy must allow the declared command.

Windows and macOS companion nodes allow safe declared commands such as

text

canvas.*

text

camera.list

text

location.get

, and

text

screen.snapshot

by default. Dangerous or privacy-heavy commands such as

text

camera.snap

text

camera.clip

, and

text

screen.record

still require explicit opt-in with

text

gateway.nodes.allowCommands

text

gateway.nodes.denyCommands

always wins over defaults and extra allowlist entries.

Plugin-owned node commands can add a Gateway node-invoke policy. That policy runs after the allowlist check and before forwarding to the node, so raw

text

node.invoke

, CLI helpers, and dedicated agent tools share the same plugin permission boundary. Dangerous plugin node commands still require explicit

text

gateway.nodes.allowCommands

opt-in.

After a node changes its declared command list, reject the old device pairing and approve the new request so the gateway stores the updated command snapshot.

Screenshots (canvas snapshots)

If the node is showing the Canvas (WebView),

text

canvas.snapshot

returns

text

{ format, base64 }

CLI helper (writes to a temp file and prints

text

MEDIA:<path>


bash
openclaw nodes canvas snapshot --node <idOrNameOrIp> --format png
openclaw nodes canvas snapshot --node <idOrNameOrIp> --format jpg --max-width 1200 --quality 0.9

Canvas controls


bash
openclaw nodes canvas present --node <idOrNameOrIp> --target https://example.com
openclaw nodes canvas hide --node <idOrNameOrIp>
openclaw nodes canvas navigate https://example.com --node <idOrNameOrIp>
openclaw nodes canvas eval --node <idOrNameOrIp> --js "document.title"

Notes:

text
canvas present
accepts URLs or local file paths (
text
--target
), plus optional
text
--x/--y/--width/--height
for positioning.
text
canvas eval
accepts inline JS (
text
--js
) or a positional arg.

A2UI (Canvas)


bash
openclaw nodes canvas a2ui push --node <idOrNameOrIp> --text "Hello"
openclaw nodes canvas a2ui push --node <idOrNameOrIp> --jsonl ./payload.jsonl
openclaw nodes canvas a2ui reset --node <idOrNameOrIp>

Notes:

Only A2UI v0.8 JSONL is supported (v0.9/createSurface is rejected).

Photos + videos (node camera)

Photos (

text

jpg


bash
openclaw nodes camera list --node <idOrNameOrIp>
openclaw nodes camera snap --node <idOrNameOrIp>            # default: both facings (2 MEDIA lines)
openclaw nodes camera snap --node <idOrNameOrIp> --facing front

Video clips (

text

mp4


bash
openclaw nodes camera clip --node <idOrNameOrIp> --duration 10s
openclaw nodes camera clip --node <idOrNameOrIp> --duration 3000 --no-audio

Notes:

The node must be foregrounded for
text
canvas.*
and
text
camera.*
(background calls return
text
NODE_BACKGROUND_UNAVAILABLE
).
Clip duration is clamped (currently
text
<= 60s
) to avoid oversized base64 payloads.
Android will prompt for
text
CAMERA
/
text
RECORD_AUDIO
permissions when possible; denied permissions fail with
text
*_PERMISSION_REQUIRED
.

Screen recordings (nodes)

Supported nodes expose

text

screen.record

(mp4). Example:


bash
openclaw nodes screen record --node <idOrNameOrIp> --duration 10s --fps 10
openclaw nodes screen record --node <idOrNameOrIp> --duration 10s --fps 10 --no-audio

Notes:

text
screen.record
availability depends on node platform.
Screen recordings are clamped to
text
<= 60s
.
text
--no-audio
disables microphone capture on supported platforms.
Use
text
--screen <index>
to select a display when multiple screens are available.

Location (nodes)

Nodes expose

text

location.get

when Location is enabled in settings.

CLI helper:


bash
openclaw nodes location get --node <idOrNameOrIp>
openclaw nodes location get --node <idOrNameOrIp> --accuracy precise --max-age 15000 --location-timeout 10000

Notes:

Location is off by default.
“Always” requires system permission; background fetch is best-effort.
The response includes lat/lon, accuracy (meters), and timestamp.

SMS (Android nodes)

Android nodes can expose

text

sms.send

when the user grants SMS permission and the device supports telephony.

Low-level invoke:


bash
openclaw nodes invoke --node <idOrNameOrIp> --command sms.send --params '{"to":"+15555550123","message":"Hello from OpenClaw"}'

Notes:

The permission prompt must be accepted on the Android device before the capability is advertised.
Wi-Fi-only devices without telephony will not advertise
text
sms.send
.

Android device + personal data commands

Android nodes can advertise additional command families when the corresponding capabilities are enabled.

Available families:

text
device.status
,
text
device.info
,
text
device.permissions
,
text
device.health
text
notifications.list
,
text
notifications.actions
text
photos.latest
text
contacts.search
,
text
contacts.add
text
calendar.events
,
text
calendar.add
text
callLog.search
text
sms.search
text
motion.activity
,
text
motion.pedometer

Example invokes:


bash
openclaw nodes invoke --node <idOrNameOrIp> --command device.status --params '{}'
openclaw nodes invoke --node <idOrNameOrIp> --command notifications.list --params '{}'
openclaw nodes invoke --node <idOrNameOrIp> --command photos.latest --params '{"limit":1}'

Notes:

Motion commands are capability-gated by available sensors.

System commands (node host / mac node)

The macOS node exposes

text

system.run

text

system.notify

, and

text

system.execApprovals.get/set

. The headless node host exposes

text

system.run

text

system.which

, and

text

system.execApprovals.get/set

Examples:


bash
openclaw nodes notify --node <idOrNameOrIp> --title "Ping" --body "Gateway ready"
openclaw nodes invoke --node <idOrNameOrIp> --command system.which --params '{"name":"git"}'

Notes:

text
system.run
returns stdout/stderr/exit code in the payload.
Shell execution now goes through the
text
exec
tool with
text
host=node
;
text
nodes
remains the direct-RPC surface for explicit node commands.
text
nodes invoke
does not expose
text
system.run
or
text
system.run.prepare
; those stay on the exec path only.
The exec path prepares a canonical
text
systemRunPlan
before approval. Once an approval is granted, the gateway forwards that stored plan, not any later caller-edited command/cwd/session fields.
text
system.notify
respects notification permission state on the macOS app.
Unrecognized node
text
platform
/
text
deviceFamily
metadata uses a conservative default allowlist that excludes
text
system.run
and
text
system.which
. If you intentionally need those commands for an unknown platform, add them explicitly via
text
gateway.nodes.allowCommands
.
text
system.run
supports
text
--cwd
,
text
--env KEY=VAL
,
text
--command-timeout
, and
text
--needs-screen-recording
.
For shell wrappers (
text
bash|sh|zsh ... -c/-lc
), request-scoped
text
--env
values are reduced to an explicit allowlist (
text
TERM
,
text
LANG
,
text
LC_*
,
text
COLORTERM
,
text
NO_COLOR
,
text
FORCE_COLOR
).
For allow-always decisions in allowlist mode, known dispatch wrappers (
text
env
,
text
nice
,
text
nohup
,
text
stdbuf
,
text
timeout
) persist inner executable paths instead of wrapper paths. If unwrapping is not safe, no allowlist entry is persisted automatically.
On Windows node hosts in allowlist mode, shell-wrapper runs via
text
cmd.exe /c
require approval (allowlist entry alone does not auto-allow the wrapper form).
text
system.notify
supports
text
--priority <passive|active|timeSensitive>
and
text
--delivery <system|overlay|auto>
.
Node hosts ignore
text
PATH
overrides and strip dangerous startup/shell keys (
text
DYLD_*
,
text
LD_*
,
text
NODE_OPTIONS
,
text
PYTHON*
,
text
PERL*
,
text
RUBYOPT
,
text
SHELLOPTS
,
text
PS4
). If you need extra PATH entries, configure the node host service environment (or install tools in standard locations) instead of passing
text
PATH
via
text
--env
.
On macOS node mode,
text
system.run
is gated by exec approvals in the macOS app (Settings → Exec approvals). Ask/allowlist/full behave the same as the headless node host; denied prompts return
text
SYSTEM_RUN_DENIED
.
On headless node host,
text
system.run
is gated by exec approvals (
text
~/.openclaw/exec-approvals.json
).

Exec node binding

When multiple nodes are available, you can bind exec to a specific node. This sets the default node for

text

exec host=node

(and can be overridden per agent).

Global default:


bash
openclaw config set tools.exec.node "node-id-or-name"

Per-agent override:


bash
openclaw config get agents.list
openclaw config set agents.list[0].tools.exec.node "node-id-or-name"

Unset to allow any node:


bash
openclaw config unset tools.exec.node
openclaw config unset agents.list[0].tools.exec.node

Permissions map

Nodes may include a

text

permissions

map in

text

node.list

text

node.describe

, keyed by permission name (e.g.

text

screenRecording

text

accessibility

) with boolean values (

text

true

= granted).

Headless node host (cross-platform)

OpenClaw can run a headless node host (no UI) that connects to the Gateway WebSocket and exposes

text

system.run

text

system.which

. This is useful on Linux/Windows or for running a minimal node alongside a server.

Start it:


bash
openclaw node run --host <gateway-host> --port 18789

Notes:

Pairing is still required (the Gateway will show a device pairing prompt).
The node host stores its node id, token, display name, and gateway connection info in
text
~/.openclaw/node.json
.
Exec approvals are enforced locally via
text
~/.openclaw/exec-approvals.json
(see Exec approvals).
On macOS, the headless node host executes
text
system.run
locally by default. Set
text
OPENCLAW_NODE_EXEC_HOST=app
to route
text
system.run
through the companion app exec host; add
text
OPENCLAW_NODE_EXEC_FALLBACK=0
to require the app host and fail closed if it is unavailable.
Add
text
--tls
/
text
--tls-fingerprint
when the Gateway WS uses TLS.

Mac node mode

The macOS menubar app connects to the Gateway WS server as a node (so
text
openclaw nodes …
works against this Mac).
In remote mode, the app opens an SSH tunnel for the Gateway port and connects to
text
localhost
.

OpenClaw Docs

Nodes

Pairing + status

Remote node host (system.run)

What runs where

Start a node host (foreground)

Remote gateway via SSH tunnel (loopback bind)

Start a node host (service)

Pair + name

Allowlist the commands

Point exec at the node

Invoking commands

Command policy

Screenshots (canvas snapshots)

Canvas controls

A2UI (Canvas)

Photos + videos (node camera)

Screen recordings (nodes)

Location (nodes)

SMS (Android nodes)

Android device + personal data commands

System commands (node host / mac node)

Exec node binding

Permissions map

Headless node host (cross-platform)

Mac node mode