openclaw.json: get/set/patch/unset a value by path, print the schema, validate, or print the active file path. Run openclaw config with no subcommand to open the same guided wizard as openclaw configure.
When
OPENCLAW_NIX_MODE=1, OpenClaw treats openclaw.json as immutable. Read-only commands (config get, config file, config schema, config validate) still work; config writers refuse. Edit the Nix source for the install instead; for the first-party nix-openclaw distribution, use the nix-openclaw Quick Start and set values under programs.openclaw.config or instances.<name>.config.Root options
Repeatable guided-setup section filter when you run
openclaw config without a subcommand.workspace, model, web, gateway, daemon, channels, plugins, skills, health.
Examples
Paths
Dot or bracket notation. Quote bracket paths in shell examples so zsh does not glob-expand[0]:
config get
Reads a value from the redacted config snapshot (secrets never print). --json prints the raw value as JSON; otherwise strings/numbers/booleans print bare and objects/arrays print as formatted JSON.
config file
Prints the active config file path, resolved from OPENCLAW_CONFIG_PATH or the default location. The path names a regular file, not a symlink; see Write safety.
config schema
Prints the generated JSON schema for openclaw.json to stdout.
What it includes
What it includes
- The current root config schema, plus a root
$schemastring field for editor tooling. - Field
title/descriptiondocs metadata used by the Control UI. - Nested object, wildcard (
*), and array-item ([]) nodes inherit the sametitle/descriptionmetadata when matching field docs exist. anyOf/oneOf/allOfbranches inherit the same docs metadata too.- Best-effort live plugin + channel schema metadata when runtime manifests can be loaded.
- A clean fallback schema even when the current config is invalid.
config validate
Validates the current config against the active schema without starting the gateway.
If validation is already failing, start with
openclaw configure or openclaw doctor --fix. openclaw chat does not bypass the invalid-config guard.Values
Values parse as JSON5 when possible; otherwise they are treated as raw strings. Use--strict-json to require standard JSON with no string fallback (JSON5-only syntax such as comments, trailing commas, or unquoted keys is then rejected). --json is a legacy alias for --strict-json on config set.
config get <path> --json prints the raw value as JSON instead of terminal-formatted text.
Object assignment replaces the target path by default. Protected paths that commonly hold user-added entries refuse replacements that would remove existing entries unless you pass
--replace: agents.defaults.models, agents.list, models.providers, models.providers.<id>, models.providers.<id>.models, plugins.entries, and auth.profiles.--merge when adding entries to those maps:
--replace only when the provided value should intentionally become the complete target value.
config set modes
- Value mode
- SecretRef builder mode
- Provider builder mode
- Batch mode
--batch-json/--batch-file) as the source of truth; --strict-json / --json do not change batch parsing behavior.
JSON path/value mode also works for SecretRefs and providers directly:
Provider builder flags
Provider builder targets must usesecrets.providers.<alias> as the path.
Common flags
Common flags
--provider-source <env|file|exec>--provider-timeout-ms <ms>(file,exec)
Env provider (--provider-source env)
Env provider (--provider-source env)
--provider-allowlist <ENV_VAR>(repeatable)
File provider (--provider-source file)
File provider (--provider-source file)
--provider-path <path>(required)--provider-mode <singleValue|json>--provider-max-bytes <bytes>--provider-allow-insecure-path
Exec provider (--provider-source exec)
Exec provider (--provider-source exec)
--provider-command <path>(required)--provider-arg <arg>(repeatable)--provider-no-output-timeout-ms <ms>--provider-max-output-bytes <bytes>--provider-json-only--provider-env <KEY=VALUE>(repeatable)--provider-pass-env <ENV_VAR>(repeatable)--provider-trusted-dir <path>(repeatable)--provider-allow-insecure-path--provider-allow-symlink-command
config patch
Paste or pipe a config-shaped JSON5 patch instead of running many path-based config set commands. Objects merge recursively; arrays and scalar values replace the target; null deletes the target path.
--replace-path <path> when one object or array must become exactly the provided value instead of being recursively patched:
--dry-run runs schema and SecretRef resolvability checks without writing. Exec-backed SecretRefs are skipped by default during dry-run; add --allow-exec when you intentionally want dry-run to execute provider commands.
Dry run
--dry-run validates changes without writing openclaw.json. Available on config set, config patch, and config unset.
Dry-run behavior
Dry-run behavior
- Builder mode: runs SecretRef resolvability checks for changed refs/providers.
- JSON mode (
--strict-json,--json, or batch mode): runs schema validation plus SecretRef resolvability checks. - Policy validation runs against the full post-change config, so parent-object writes (for example setting
hooksas an object) cannot bypass unsupported-surface validation. - Exec SecretRef checks are skipped by default to avoid command side effects; pass
--allow-execto opt in (this may execute provider commands).--allow-execis dry-run only and errors without--dry-run.
--dry-run --json fields
--dry-run --json fields
ok: whether dry-run passedoperations: number of assignments evaluatedchecks: whether schema/resolvability checks ranchecks.resolvabilityComplete: whether resolvability checks ran to completion (false when exec refs are skipped)refsChecked: number of refs actually resolved during dry-runskippedExecRefs: number of exec refs skipped because--allow-execwas not seterrors: structured missing-path, schema, or resolvability failures whenok=false
JSON output shape
- Success example
- Failure example
If dry-run fails
If dry-run fails
config schema validation failed: your post-change config shape is invalid; fix the path/value or provider/ref object shape.Config policy validation failed: unsupported SecretRef usage: move that credential back to plaintext/string input; keep SecretRefs on supported surfaces only.SecretRef assignment(s) could not be resolved: the referenced provider/ref cannot currently resolve (missing env var, invalid file pointer, exec provider failure, or provider/source mismatch).Dry run note: skipped <n> exec SecretRef resolvability check(s): rerun with--allow-execif you need exec resolvability validation.- For batch mode, fix failing entries and rerun
--dry-runbefore writing.
Applying changes
After every successfulconfig set / config patch / config unset, the CLI prints one of three hints so you know whether the gateway needs a restart:
| Hint | Meaning |
|---|---|
Restart the gateway to apply. | The changed path needs a full restart. |
Change will apply without restarting the gateway. | Hot reload picks it up automatically. |
No gateway restart needed. | Nothing runtime-relevant changed. |
plugins.entries (or any subpath) always require a restart, since the CLI cannot prove every plugin’s reload metadata is loaded.
Write safety
openclaw config set and other OpenClaw-owned config writers validate the full post-change config before committing it to disk. If the new payload fails schema validation or looks like a destructive clobber, the active config is left alone and the rejected payload is saved beside it as openclaw.json.rejected.*.
Prefer CLI writes for small edits:
openclaw.json. Run openclaw doctor --fix to repair prefixed/clobbered config or restore the last-known-good copy. See Gateway troubleshooting.
Whole-file recovery is reserved for doctor repair. Plugin schema changes or minHostVersion skew stay loud instead of rolling back unrelated user settings such as models, providers, auth profiles, channels, gateway exposure, tools, memory, browser, or cron config.
Repair loop
Afteropenclaw config validate passes, use the local TUI to have an embedded agent compare the active config against the docs while you validate each change from the same terminal:
! runs a literal local shell command (after a one-time per-session confirmation prompt):
Compare with docs
Ask the agent to compare your current config with the relevant docs page and suggest the smallest fix.