openclaw onboard.
For the short guide, see Onboarding (CLI).
What the wizard does
Local mode (default) walks you through:- Model and auth setup (OpenAI Code subscription OAuth, Anthropic Claude CLI or API key, plus MiniMax, GLM, Ollama, Moonshot, StepFun, and AI Gateway options)
- Workspace location and bootstrap files
- Gateway settings (port, bind, auth, tailscale)
- Channels and providers (Telegram, WhatsApp, Discord, Google Chat, Mattermost, Signal, iMessage, and other bundled channel plugins)
- Daemon install (LaunchAgent, systemd user unit, or native Windows Scheduled Task with Startup-folder fallback)
- Health check
- Skills setup
Local flow details
Existing config detection
- If
~/.openclaw/openclaw.jsonexists, choose Keep, Modify, or Reset. - Re-running the wizard does not wipe anything unless you explicitly choose Reset (or pass
--reset). - CLI
--resetdefaults toconfig+creds+sessions; use--reset-scope fullto also remove workspace. - If config is invalid or contains legacy keys, the wizard stops and asks you to run
openclaw doctorbefore continuing. - Reset uses
trashand offers scopes:- Config only
- Config + credentials + sessions
- Full reset (also removes workspace)
Model and auth
- Full option matrix is in Auth and model options.
Workspace
- Default
~/.openclaw/workspace(configurable). - Seeds workspace files needed for first-run bootstrap ritual.
- Workspace layout: Agent workspace.
Gateway
- Prompts for port, bind, auth mode, and tailscale exposure.
- Recommended: keep token auth enabled even for loopback so local WS clients must authenticate.
- In token mode, interactive setup offers:
- Generate/store plaintext token (default)
- Use SecretRef (opt-in)
- In password mode, interactive setup also supports plaintext or SecretRef storage.
- Non-interactive token SecretRef path:
--gateway-token-ref-env <ENV_VAR>.- Requires a non-empty env var in the onboarding process environment.
- Cannot be combined with
--gateway-token.
- Disable auth only if you fully trust every local process.
- Non-loopback binds still require auth.
Channels
- WhatsApp: optional QR login
- Telegram: bot token
- Discord: bot token
- Google Chat: service account JSON + webhook audience
- Mattermost: bot token + base URL
- Signal: optional
signal-cliinstall + account config - iMessage:
imsgCLI path + Messages DB access; use an SSH wrapper when the Gateway runs off-Mac - DM security: default is pairing. First DM sends a code; approve via
openclaw pairing approve <channel> <code>or use allowlists.
Daemon install
- macOS: LaunchAgent
- Requires logged-in user session; for headless, use a custom LaunchDaemon (not shipped).
- Linux and Windows via WSL2: systemd user unit
- Wizard attempts
loginctl enable-linger <user>so gateway stays up after logout. - May prompt for sudo (writes
/var/lib/systemd/linger); it tries without sudo first.
- Wizard attempts
- Native Windows: Scheduled Task first
- If task creation is denied, OpenClaw falls back to a per-user Startup-folder login item and starts the gateway immediately.
- Scheduled Tasks remain preferred because they provide better supervisor status.
- Runtime selection: Node (recommended; required for WhatsApp and Telegram). Bun is not recommended.
Health check
- Starts gateway (if needed) and runs
openclaw health. openclaw status --deepadds the live gateway health probe to status output, including channel probes when supported.
Skills
- Reads available skills and checks requirements.
- Lets you choose node manager: npm, pnpm, or bun.
- Installs optional dependencies for trusted bundled skills when the required installer is available.
- Skips unavailable Homebrew, uv, and Go installers, then groups the affected
skills with manual setup guidance. Run
openclaw doctorafter installing the missing prerequisites.
If no GUI is detected, the wizard prints SSH port-forward instructions for the Control UI instead of opening a browser.
If Control UI assets are missing, the wizard attempts to build them; fallback is
pnpm ui:build (auto-installs UI deps).Remote mode details
Remote mode configures this machine to connect to a gateway elsewhere.Remote mode does not install or modify anything on the remote host.
- Remote gateway URL (
ws://...) - Token if remote gateway auth is required (recommended)
- If gateway is loopback-only, use SSH tunneling or a tailnet.
- Discovery hints:
- macOS: Bonjour (
dns-sd) - Linux: Avahi (
avahi-browse)
- macOS: Bonjour (
Auth and model options
Anthropic API key
Anthropic API key
Uses
ANTHROPIC_API_KEY if present or prompts for a key, then saves it for daemon use.OpenAI Code subscription (OAuth)
OpenAI Code subscription (OAuth)
Browser flow; paste
code#state.Sets agents.defaults.model to openai/gpt-5.5 through the Codex runtime when model is unset or already OpenAI-family.OpenAI Code subscription (device pairing)
OpenAI Code subscription (device pairing)
Browser pairing flow with a short-lived device code.Sets
agents.defaults.model to openai/gpt-5.5 through the Codex runtime when model is unset or already OpenAI-family.OpenAI API key
OpenAI API key
Uses
OPENAI_API_KEY if present or prompts for a key, then stores the credential in auth profiles.Sets agents.defaults.model to openai/gpt-5.5 when model is unset, openai/*, or legacy Codex model refs.xAI (Grok) OAuth
xAI (Grok) OAuth
Browser sign-in for eligible SuperGrok or X Premium accounts. This is the
recommended xAI path for most users. OpenClaw stores the resulting auth
profile for Grok models, Grok
web_search, x_search, and code_execution.xAI (Grok) device code
xAI (Grok) device code
Remote-friendly browser sign-in with a short code instead of a localhost
callback. Use this from SSH, Docker, or VPS hosts.
xAI (Grok) API key
xAI (Grok) API key
Prompts for
XAI_API_KEY and configures xAI as a model provider. Use this
when you want an xAI Console API key instead of subscription OAuth.OpenCode
OpenCode
Prompts for
OPENCODE_API_KEY (or OPENCODE_ZEN_API_KEY) and lets you choose the Zen or Go catalog.
Setup URL: opencode.ai/auth.API key (generic)
API key (generic)
Stores the key for you.
Vercel AI Gateway
Vercel AI Gateway
Prompts for
AI_GATEWAY_API_KEY.
More detail: Vercel AI Gateway.Cloudflare AI Gateway
Cloudflare AI Gateway
Prompts for account ID, gateway ID, and
CLOUDFLARE_AI_GATEWAY_API_KEY.
More detail: Cloudflare AI Gateway.MiniMax
MiniMax
Config is auto-written. Hosted default is
MiniMax-M3; API-key setup uses
minimax/..., and OAuth setup uses minimax-portal/....
More detail: MiniMax.StepFun
StepFun
Config is auto-written for StepFun standard or Step Plan on China or global endpoints.
Standard currently includes
step-3.5-flash, and Step Plan also includes step-3.5-flash-2603.
More detail: StepFun.Synthetic (Anthropic-compatible)
Synthetic (Anthropic-compatible)
Prompts for
SYNTHETIC_API_KEY.
More detail: Synthetic.Ollama (Cloud and local open models)
Ollama (Cloud and local open models)
Prompts for
Cloud + Local, Cloud only, or Local only first.
Cloud only uses OLLAMA_API_KEY with https://ollama.com.
The host-backed modes prompt for base URL (default http://127.0.0.1:11434), discover available models, and suggest defaults.
Cloud + Local also checks whether that Ollama host is signed in for cloud access.
More detail: Ollama.Moonshot and Kimi Coding
Moonshot and Kimi Coding
Moonshot (Kimi K2) and Kimi Coding configs are auto-written.
More detail: Moonshot AI (Kimi + Kimi Coding).
Custom provider
Custom provider
Works with OpenAI-compatible and Anthropic-compatible endpoints.Interactive onboarding supports the same API key storage choices as other provider API key flows:
- Paste API key now (plaintext)
- Use secret reference (env ref or configured provider ref, with preflight validation)
--auth-choice custom-api-key--custom-base-url--custom-model-id--custom-api-key(optional; falls back toCUSTOM_API_KEY)--custom-provider-id(optional)--custom-compatibility <openai|openai-responses|anthropic>(optional; defaultopenai)--custom-image-input/--custom-text-input(optional; override inferred model input capability)
Skip
Skip
Leaves auth unconfigured.
- Pick default model from detected options, or enter provider and model manually.
- Custom-provider onboarding infers image support for common model IDs and asks only when the model name is unknown.
- When onboarding starts from a provider auth choice, the model picker prefers
that provider automatically. For Volcengine and BytePlus, the same preference
also matches their coding-plan variants (
volcengine-plan/*,byteplus-plan/*). - If that preferred-provider filter would be empty, the picker falls back to the full catalog instead of showing no models.
- Wizard runs a model check and warns if the configured model is unknown or missing auth.
- Auth profiles (API keys + OAuth):
~/.openclaw/agents/<agentId>/agent/auth-profiles.json - Legacy OAuth import:
~/.openclaw/credentials/oauth.json
- Das standardmäßige Onboarding-Verhalten speichert API-Schlüssel als Klartextwerte in Auth-Profilen.
--secret-input-mode refaktiviert den Referenzmodus anstelle der Speicherung von Klartextschlüsseln. In der interaktiven Einrichtung können Sie eine der folgenden Optionen wählen:- Umgebungsvariablen-Ref (zum Beispiel
keyRef: { source: "env", provider: "default", id: "OPENAI_API_KEY" }) - konfigurierte Provider-Ref (
fileoderexec) mit Provider-Alias + ID
- Umgebungsvariablen-Ref (zum Beispiel
- Der interaktive Referenzmodus führt vor dem Speichern eine schnelle Preflight-Validierung aus.
- Env-Refs: validiert Variablenname + nicht leeren Wert in der aktuellen Onboarding-Umgebung.
- Provider-Refs: validiert die Provider-Konfiguration und löst die angeforderte ID auf.
- Wenn der Preflight fehlschlägt, zeigt das Onboarding den Fehler an und lässt Sie es erneut versuchen.
- Im nicht interaktiven Modus ist
--secret-input-mode refausschließlich env-gestützt.- Setzen Sie die Provider-Umgebungsvariable in der Prozessumgebung des Onboardings.
- Inline-Schlüsselflags (zum Beispiel
--openai-api-key) erfordern, dass diese Umgebungsvariable gesetzt ist; andernfalls schlägt das Onboarding schnell fehl. - Für benutzerdefinierte Provider speichert der nicht interaktive
ref-Modusmodels.providers.<id>.apiKeyals{ source: "env", provider: "default", id: "CUSTOM_API_KEY" }. - In diesem Fall mit benutzerdefiniertem Provider erfordert
--custom-api-key, dassCUSTOM_API_KEYgesetzt ist; andernfalls schlägt das Onboarding schnell fehl.
- Gateway-Auth-Anmeldedaten unterstützen in der interaktiven Einrichtung die Auswahl zwischen Klartext und SecretRef:
- Token-Modus: Klartext-Token generieren/speichern (Standard) oder SecretRef verwenden.
- Passwortmodus: Klartext oder SecretRef.
- Nicht interaktiver Token-SecretRef-Pfad:
--gateway-token-ref-env <ENV_VAR>. - Vorhandene Klartext-Setups funktionieren unverändert weiter.
Headless- und Server-Tipp: Schließen Sie OAuth auf einem Computer mit Browser ab und kopieren Sie dann
die
auth-profiles.json dieses Agenten (zum Beispiel
~/.openclaw/agents/<agentId>/agent/auth-profiles.json oder den entsprechenden
$OPENCLAW_STATE_DIR/...-Pfad) auf den Gateway-Host. credentials/oauth.json
ist nur eine Legacy-Importquelle.Ausgaben und Interna
Typische Felder in~/.openclaw/openclaw.json:
agents.defaults.workspaceagents.defaults.skipBootstrap, wenn--skip-bootstrapübergeben wirdagents.defaults.model/models.providers(wenn Minimax ausgewählt wurde)tools.profile(lokales Onboarding verwendet standardmäßig"coding", wenn nicht gesetzt; vorhandene explizite Werte bleiben erhalten)gateway.*(Modus, Bind-Adresse, Auth, tailscale)session.dmScope(lokales Onboarding setzt dies standardmäßig aufper-channel-peer, wenn nicht gesetzt; vorhandene explizite Werte bleiben erhalten)channels.telegram.botToken,channels.discord.token,channels.matrix.*,channels.signal.*,channels.imessage.*- Kanal-Zulassungslisten (Slack, Discord, Matrix, Microsoft Teams), wenn Sie sich während der Eingabeaufforderungen dafür entscheiden (Namen werden nach Möglichkeit zu IDs aufgelöst)
skills.install.nodeManager- Das Flag
setup --node-managerakzeptiertnpm,pnpmoderbun. - Die manuelle Konfiguration kann später weiterhin
skills.install.nodeManager: "yarn"setzen.
- Das Flag
wizard.lastRunAtwizard.lastRunVersionwizard.lastRunCommitwizard.lastRunCommandwizard.lastRunModewizard.securityAcknowledgedAt
openclaw agents add schreibt agents.list[] und optionale bindings.
WhatsApp-Anmeldedaten werden unter ~/.openclaw/credentials/whatsapp/<accountId>/ abgelegt.
Sitzungen werden unter ~/.openclaw/agents/<agentId>/sessions/ gespeichert.
Einige Kanäle werden als Plugins bereitgestellt. Wenn sie während der Einrichtung ausgewählt werden, fordert der Assistent
Sie auf, das Plugin (npm oder lokaler Pfad) vor der Kanalkonfiguration zu installieren.
wizard.startwizard.nextwizard.cancelwizard.status
- Lädt das passende Release-Asset herunter
- Speichert es unter
~/.openclaw/tools/signal-cli/<version>/ - Schreibt
channels.signal.cliPathin die Konfiguration - JVM-Builds erfordern Java 21
- Native Builds werden verwendet, wenn verfügbar
- Windows verwendet WSL2 und folgt dem Linux-signal-cli-Ablauf innerhalb von WSL
Zugehörige Dokumentation
- Onboarding-Hub: Onboarding (CLI)
- Automatisierung und Skripte: CLI-Automatisierung
- Befehlsreferenz:
openclaw onboard