discord_widget agent tool, and launch-button handler only when channels.discord.activities is present and a client secret resolves.
Prerequisites
- an existing OpenClaw Discord bot
- a public HTTPS hostname that reaches the OpenClaw gateway
- permission to configure Activities and OAuth2 for the bot’s Discord application
- an existing Discord user allowlist (
allowFromordm.allowFrom), unless the account intentionally uses open DMs
Setup
1
Expose the gateway over HTTPS
Start your tunnel or reverse proxy and verify that
https://openclaw.example.com/discord/activity/ reaches the gateway after Activities configuration is added. Replace the example hostname with your own.2
Enable Activities in Discord
Open the existing bot application in the Discord Developer Portal. Open Activities, enable Activities, and create a URL mapping:
- prefix:
ROOT(/) - target:
openclaw.example.com/discord/activity
/discord/activity, without a trailing slash.3
Copy the OAuth2 client secret
Open OAuth2 in the Developer Portal. Discord requires at least one redirect URI, so add a local placeholder such as the loopback address if the application has none yet; the Embedded App SDK handles the Activity return flow. Copy or reset the application client secret. Treat it as a credential: do not paste it into chat, logs, or a committed configuration file.
4
Configure OpenClaw
Add one block to the Discord account that should offer widgets:You may omit
clientSecret from the block when DISCORD_CLIENT_SECRET is set. The block itself must remain present to opt in.5
Restart and test
Restart the gateway. In a Discord conversation, ask the agent to show an interactive widget. The agent can call
discord_widget; click Open widget on the posted message.Security model
- OAuth identifies the Discord user before widget metadata is returned.
- The user must match the configured account’s
allowFromordm.allowFrom. An account with no allowlist allows everyone only when its DM policy is explicitlyopen. - OAuth sessions expire after 15 minutes. Widget document capabilities expire after 60 seconds and work once.
- Widgets expire after seven days, with at most 64 retained per Discord plugin instance.
- Widget HTML is authored by your agent and should be treated as trusted content. Do not embed secrets you would not want a buggy widget to expose.
- The widget can navigate within its own nested frame. The
sandbox="allow-scripts"iframe blocks top-level navigation, popups, and same-origin access, while its Content Security Policy blocks network connections and external resources. These controls are defense-in-depth, not a security boundary against the agent that authored the widget. - When Activities is disabled,
/discord/activityis not registered at all.
Troubleshooting
The Activity says “Gateway offline”
- confirm the tunnel is running and routes to the gateway’s actual bind port
- confirm the Developer Portal target includes
/discord/activity - restart the gateway after changing Discord or OpenClaw configuration
- check gateway logs for the one-line warning about a missing Activities client secret
Discord opens a blank page or reports blocked:csp
- verify the URL mapping uses
ROOTand does not add a second/discord/activitysegment - confirm the shell,
shell.js, and SDK module all return through the Discord proxy - inspect gateway logs for requests under
/discord/activity/
“Not authorized”
Add the user’s stable Discord ID toallowFrom or dm.allowFrom on the same Discord account that owns Activities. Restart after editing configuration.