Zum Hauptinhalt springen
This page is the full reference for openclaw onboard. For the short guide, see Onboarding (CLI).

What the wizard does

Local mode (default) walks you through:
  • Model and auth setup (OpenAI Code subscription OAuth, Anthropic Claude CLI or API key, plus MiniMax, GLM, Ollama, Moonshot, StepFun, and AI Gateway options)
  • Workspace location and bootstrap files
  • Gateway settings (port, bind, auth, tailscale)
  • Channels and providers (Telegram, WhatsApp, Discord, Google Chat, Mattermost, Signal, iMessage, and other bundled channel plugins)
  • Daemon install (LaunchAgent, systemd user unit, or native Windows Scheduled Task with Startup-folder fallback)
  • Health check
  • Skills setup
Remote mode configures this machine to connect to a gateway elsewhere. It does not install or modify anything on the remote host.

Local flow details

1

Existing config detection

  • If ~/.openclaw/openclaw.json exists, choose Keep, Modify, or Reset.
  • Re-running the wizard does not wipe anything unless you explicitly choose Reset (or pass --reset).
  • CLI --reset defaults to config+creds+sessions; use --reset-scope full to also remove workspace.
  • If config is invalid or contains legacy keys, the wizard stops and asks you to run openclaw doctor before continuing.
  • Reset uses trash and offers scopes:
    • Config only
    • Config + credentials + sessions
    • Full reset (also removes workspace)
2

Model and auth

3

Workspace

  • Default ~/.openclaw/workspace (configurable).
  • Seeds workspace files needed for first-run bootstrap ritual.
  • Workspace layout: Agent workspace.
4

Gateway

  • Prompts for port, bind, auth mode, and tailscale exposure.
  • Recommended: keep token auth enabled even for loopback so local WS clients must authenticate.
  • In token mode, interactive setup offers:
    • Generate/store plaintext token (default)
    • Use SecretRef (opt-in)
  • In password mode, interactive setup also supports plaintext or SecretRef storage.
  • Non-interactive token SecretRef path: --gateway-token-ref-env <ENV_VAR>.
    • Requires a non-empty env var in the onboarding process environment.
    • Cannot be combined with --gateway-token.
  • Disable auth only if you fully trust every local process.
  • Non-loopback binds still require auth.
5

Channels

  • WhatsApp: optional QR login
  • Telegram: bot token
  • Discord: bot token
  • Google Chat: service account JSON + webhook audience
  • Mattermost: bot token + base URL
  • Signal: optional signal-cli install + account config
  • iMessage: imsg CLI path + Messages DB access; use an SSH wrapper when the Gateway runs off-Mac
  • DM security: default is pairing. First DM sends a code; approve via openclaw pairing approve <channel> <code> or use allowlists.
6

Daemon install

  • macOS: LaunchAgent
    • Requires logged-in user session; for headless, use a custom LaunchDaemon (not shipped).
  • Linux and Windows via WSL2: systemd user unit
    • Wizard attempts loginctl enable-linger <user> so gateway stays up after logout.
    • May prompt for sudo (writes /var/lib/systemd/linger); it tries without sudo first.
  • Native Windows: Scheduled Task first
    • If task creation is denied, OpenClaw falls back to a per-user Startup-folder login item and starts the gateway immediately.
    • Scheduled Tasks remain preferred because they provide better supervisor status.
  • Runtime selection: Node (recommended; required for WhatsApp and Telegram). Bun is not recommended.
7

Health check

  • Starts gateway (if needed) and runs openclaw health.
  • openclaw status --deep adds the live gateway health probe to status output, including channel probes when supported.
8

Skills

  • Reads available skills and checks requirements.
  • Lets you choose node manager: npm, pnpm, or bun.
  • Installs optional dependencies for trusted bundled skills when the required installer is available.
  • Skips unavailable Homebrew, uv, and Go installers, then groups the affected skills with manual setup guidance. Run openclaw doctor after installing the missing prerequisites.
9

Finish

  • Summary and next steps, including iOS, Android, and macOS app options.
If no GUI is detected, the wizard prints SSH port-forward instructions for the Control UI instead of opening a browser. If Control UI assets are missing, the wizard attempts to build them; fallback is pnpm ui:build (auto-installs UI deps).

Remote mode details

Remote mode configures this machine to connect to a gateway elsewhere.
Remote mode does not install or modify anything on the remote host.
What you set:
  • Remote gateway URL (ws://...)
  • Token if remote gateway auth is required (recommended)
  • If gateway is loopback-only, use SSH tunneling or a tailnet.
  • Discovery hints:
    • macOS: Bonjour (dns-sd)
    • Linux: Avahi (avahi-browse)

Auth and model options

Uses ANTHROPIC_API_KEY if present or prompts for a key, then saves it for daemon use.
Browser flow; paste code#state.Sets agents.defaults.model to openai/gpt-5.5 through the Codex runtime when model is unset or already OpenAI-family.
Browser pairing flow with a short-lived device code.Sets agents.defaults.model to openai/gpt-5.5 through the Codex runtime when model is unset or already OpenAI-family.
Uses OPENAI_API_KEY if present or prompts for a key, then stores the credential in auth profiles.Sets agents.defaults.model to openai/gpt-5.5 when model is unset, openai/*, or legacy Codex model refs.
Browser sign-in for eligible SuperGrok or X Premium accounts. This is the recommended xAI path for most users. OpenClaw stores the resulting auth profile for Grok models, Grok web_search, x_search, and code_execution.
Remote-friendly browser sign-in with a short code instead of a localhost callback. Use this from SSH, Docker, or VPS hosts.
Prompts for XAI_API_KEY and configures xAI as a model provider. Use this when you want an xAI Console API key instead of subscription OAuth.
Prompts for OPENCODE_API_KEY (or OPENCODE_ZEN_API_KEY) and lets you choose the Zen or Go catalog. Setup URL: opencode.ai/auth.
Stores the key for you.
Prompts for AI_GATEWAY_API_KEY. More detail: Vercel AI Gateway.
Prompts for account ID, gateway ID, and CLOUDFLARE_AI_GATEWAY_API_KEY. More detail: Cloudflare AI Gateway.
Config is auto-written. Hosted default is MiniMax-M3; API-key setup uses minimax/..., and OAuth setup uses minimax-portal/.... More detail: MiniMax.
Config is auto-written for StepFun standard or Step Plan on China or global endpoints. Standard currently includes step-3.5-flash, and Step Plan also includes step-3.5-flash-2603. More detail: StepFun.
Prompts for SYNTHETIC_API_KEY. More detail: Synthetic.
Prompts for Cloud + Local, Cloud only, or Local only first. Cloud only uses OLLAMA_API_KEY with https://ollama.com. The host-backed modes prompt for base URL (default http://127.0.0.1:11434), discover available models, and suggest defaults. Cloud + Local also checks whether that Ollama host is signed in for cloud access. More detail: Ollama.
Moonshot (Kimi K2) and Kimi Coding configs are auto-written. More detail: Moonshot AI (Kimi + Kimi Coding).
Works with OpenAI-compatible and Anthropic-compatible endpoints.Interactive onboarding supports the same API key storage choices as other provider API key flows:
  • Paste API key now (plaintext)
  • Use secret reference (env ref or configured provider ref, with preflight validation)
Non-interactive flags:
  • --auth-choice custom-api-key
  • --custom-base-url
  • --custom-model-id
  • --custom-api-key (optional; falls back to CUSTOM_API_KEY)
  • --custom-provider-id (optional)
  • --custom-compatibility <openai|openai-responses|anthropic> (optional; default openai)
  • --custom-image-input / --custom-text-input (optional; override inferred model input capability)
Leaves auth unconfigured.
Model behavior:
  • Pick default model from detected options, or enter provider and model manually.
  • Custom-provider onboarding infers image support for common model IDs and asks only when the model name is unknown.
  • When onboarding starts from a provider auth choice, the model picker prefers that provider automatically. For Volcengine and BytePlus, the same preference also matches their coding-plan variants (volcengine-plan/*, byteplus-plan/*).
  • If that preferred-provider filter would be empty, the picker falls back to the full catalog instead of showing no models.
  • Wizard runs a model check and warns if the configured model is unknown or missing auth.
Credential and profile paths:
  • Auth profiles (API keys + OAuth): ~/.openclaw/agents/<agentId>/agent/auth-profiles.json
  • Legacy OAuth import: ~/.openclaw/credentials/oauth.json
Credential storage mode:
  • Das standardmäßige Onboarding-Verhalten speichert API-Schlüssel als Klartextwerte in Auth-Profilen.
  • --secret-input-mode ref aktiviert den Referenzmodus anstelle der Speicherung von Klartextschlüsseln. In der interaktiven Einrichtung können Sie eine der folgenden Optionen wählen:
    • Umgebungsvariablen-Ref (zum Beispiel keyRef: { source: "env", provider: "default", id: "OPENAI_API_KEY" })
    • konfigurierte Provider-Ref (file oder exec) mit Provider-Alias + ID
  • Der interaktive Referenzmodus führt vor dem Speichern eine schnelle Preflight-Validierung aus.
    • Env-Refs: validiert Variablenname + nicht leeren Wert in der aktuellen Onboarding-Umgebung.
    • Provider-Refs: validiert die Provider-Konfiguration und löst die angeforderte ID auf.
    • Wenn der Preflight fehlschlägt, zeigt das Onboarding den Fehler an und lässt Sie es erneut versuchen.
  • Im nicht interaktiven Modus ist --secret-input-mode ref ausschließlich env-gestützt.
    • Setzen Sie die Provider-Umgebungsvariable in der Prozessumgebung des Onboardings.
    • Inline-Schlüsselflags (zum Beispiel --openai-api-key) erfordern, dass diese Umgebungsvariable gesetzt ist; andernfalls schlägt das Onboarding schnell fehl.
    • Für benutzerdefinierte Provider speichert der nicht interaktive ref-Modus models.providers.<id>.apiKey als { source: "env", provider: "default", id: "CUSTOM_API_KEY" }.
    • In diesem Fall mit benutzerdefiniertem Provider erfordert --custom-api-key, dass CUSTOM_API_KEY gesetzt ist; andernfalls schlägt das Onboarding schnell fehl.
  • Gateway-Auth-Anmeldedaten unterstützen in der interaktiven Einrichtung die Auswahl zwischen Klartext und SecretRef:
    • Token-Modus: Klartext-Token generieren/speichern (Standard) oder SecretRef verwenden.
    • Passwortmodus: Klartext oder SecretRef.
  • Nicht interaktiver Token-SecretRef-Pfad: --gateway-token-ref-env <ENV_VAR>.
  • Vorhandene Klartext-Setups funktionieren unverändert weiter.
Headless- und Server-Tipp: Schließen Sie OAuth auf einem Computer mit Browser ab und kopieren Sie dann die auth-profiles.json dieses Agenten (zum Beispiel ~/.openclaw/agents/<agentId>/agent/auth-profiles.json oder den entsprechenden $OPENCLAW_STATE_DIR/...-Pfad) auf den Gateway-Host. credentials/oauth.json ist nur eine Legacy-Importquelle.

Ausgaben und Interna

Typische Felder in ~/.openclaw/openclaw.json:
  • agents.defaults.workspace
  • agents.defaults.skipBootstrap, wenn --skip-bootstrap übergeben wird
  • agents.defaults.model / models.providers (wenn Minimax ausgewählt wurde)
  • tools.profile (lokales Onboarding verwendet standardmäßig "coding", wenn nicht gesetzt; vorhandene explizite Werte bleiben erhalten)
  • gateway.* (Modus, Bind-Adresse, Auth, tailscale)
  • session.dmScope (lokales Onboarding setzt dies standardmäßig auf per-channel-peer, wenn nicht gesetzt; vorhandene explizite Werte bleiben erhalten)
  • channels.telegram.botToken, channels.discord.token, channels.matrix.*, channels.signal.*, channels.imessage.*
  • Kanal-Zulassungslisten (Slack, Discord, Matrix, Microsoft Teams), wenn Sie sich während der Eingabeaufforderungen dafür entscheiden (Namen werden nach Möglichkeit zu IDs aufgelöst)
  • skills.install.nodeManager
    • Das Flag setup --node-manager akzeptiert npm, pnpm oder bun.
    • Die manuelle Konfiguration kann später weiterhin skills.install.nodeManager: "yarn" setzen.
  • wizard.lastRunAt
  • wizard.lastRunVersion
  • wizard.lastRunCommit
  • wizard.lastRunCommand
  • wizard.lastRunMode
  • wizard.securityAcknowledgedAt
openclaw agents add schreibt agents.list[] und optionale bindings. WhatsApp-Anmeldedaten werden unter ~/.openclaw/credentials/whatsapp/<accountId>/ abgelegt. Sitzungen werden unter ~/.openclaw/agents/<agentId>/sessions/ gespeichert.
Einige Kanäle werden als Plugins bereitgestellt. Wenn sie während der Einrichtung ausgewählt werden, fordert der Assistent Sie auf, das Plugin (npm oder lokaler Pfad) vor der Kanalkonfiguration zu installieren.
Gateway-Assistent-RPC:
  • wizard.start
  • wizard.next
  • wizard.cancel
  • wizard.status
Clients (macOS-App und Control UI) können Schritte rendern, ohne die Onboarding-Logik neu zu implementieren. Verhalten der Signal-Einrichtung:
  • Lädt das passende Release-Asset herunter
  • Speichert es unter ~/.openclaw/tools/signal-cli/<version>/
  • Schreibt channels.signal.cliPath in die Konfiguration
  • JVM-Builds erfordern Java 21
  • Native Builds werden verwendet, wenn verfügbar
  • Windows verwendet WSL2 und folgt dem Linux-signal-cli-Ablauf innerhalb von WSL

Zugehörige Dokumentation