openclaw daemon
Legacy alias for Gateway service management. openclaw daemon ... maps to the same service-control commands as openclaw gateway .... Prefer openclaw gateway for current docs and examples.
Usage
Subcommands and options
| Subcommand | Options |
|---|---|
status | --url, --token, --password, --timeout, --no-probe, --require-rpc, --deep, --json |
install | --port, --runtime <node|bun>, --token, --wrapper <path>, --force, --json |
uninstall | --json |
start | --json |
stop | --json, --disable (launchd only: persistently suppress KeepAlive/RunAtLoad until next start) |
restart | --force, --safe, --skip-deferral, --wait <duration>, --json |
status: shows service install state (launchd/systemd/schtasks) and probes Gateway health.install: installs the service;--forcereinstalls/overwrites an existing install.restart --safe: asks the running Gateway to preflight active work and schedule one coalesced restart after work drains, bounded bygateway.reload.deferralTimeoutMs(default 300000ms/5 minutes; set to0to wait indefinitely). When that budget expires, the restart is forced anyway. Plainrestartuses the service manager directly;--forceis the immediate override.restart --safe --skip-deferral: bypasses the active-work deferral gate so the Gateway restarts immediately even when blockers are reported. Requires--safe.
Notes
statusresolves configured auth SecretRefs for probe auth when possible. If a required SecretRef is unresolved,status --jsonreportsrpc.authWarning; pass--token/--passwordexplicitly or resolve the secret source first. Unresolved-auth warnings are suppressed once the probe otherwise succeeds.status --deepadds a best-effort system-level scan for other gateway-like services (prints cleanup hints; one Gateway per machine is still the recommendation) and runs config validation in plugin-aware mode, surfacing plugin manifest warnings that the fast default path skips.- On Linux systemd installs, token-drift checks inspect both
Environment=andEnvironmentFile=unit sources. - Token-drift checks resolve
gateway.auth.tokenSecretRefs using merged runtime env (service command env first, then process env). If token auth is not effectively active (gateway.auth.modeofpassword/none/trusted-proxy, or unset with password able to win), config token resolution is skipped. installvalidates a SecretRef-managedgateway.auth.tokenis resolvable but never persists the resolved value into service environment metadata; if it can’t resolve, install fails closed.- If both
gateway.auth.tokenandgateway.auth.passwordare configured andgateway.auth.modeis unset,installblocks until you set the mode explicitly. - On macOS,
installkeeps LaunchAgent plists and the generated env file/wrapper owner-only (mode0600/0700) instead of embedding secrets inEnvironmentVariables. - Running multiple Gateways on one host: isolate ports, config/state, and workspaces. See Multiple gateways.