openclaw onboard.
For a high-level overview, see Onboarding (CLI). For step-by-step
behavior and outputs, see CLI setup reference.
Flow details (local mode)
Reset (optional)
--resetresets state before setup runs; without it, re-running onboarding keeps existing config and reuses it as defaults.--reset-scopecontrols what--resetremoves:config(config file only),config+creds+sessions(default), orfull(also removes the workspace).- If the config file is invalid, onboarding stops and tells you to run
openclaw doctorfirst, then re-run setup. - Reset moves state to Trash (never deletes directly).
Risk acknowledgement
- First run (or any run before
wizard.securityAcknowledgedAtis set) asks you to confirm you understand that agents are powerful and full system access is risky. --non-interactiverequires--accept-riskexplicitly; without it, onboarding exits with an error instead of prompting.- Interactive runs get a confirm prompt instead of the flag; declining cancels setup.
Model/Auth
- Anthropic API key: uses
ANTHROPIC_API_KEYif present or prompts for a key, then saves it for daemon use. - Anthropic Claude CLI: preferred local path when a Claude CLI sign-in already exists; OpenClaw still supports Anthropic setup-token auth as an alternative.
- OpenAI Code (Codex) subscription (OAuth): browser flow; paste the
code#state.- Sets
agents.defaults.modeltoopenai/gpt-5.5through the Codex runtime when model is unset or already OpenAI-family.
- Sets
- OpenAI Code (Codex) subscription (device pairing): browser pairing flow with a short-lived device code.
- Sets
agents.defaults.modeltoopenai/gpt-5.5through the Codex runtime when model is unset or already OpenAI-family.
- Sets
- OpenAI API key: uses
OPENAI_API_KEYif present or prompts for a key, then stores it in auth profiles.- Sets
agents.defaults.modeltoopenai/gpt-5.5when model is unset,openai/*, or legacy Codex model refs.
- Sets
- xAI OAuth: device-code browser sign-in with no localhost callback required, so it works over SSH/Docker/VPS too (
--auth-choice xai-oauth). - xAI API key: prompts for
XAI_API_KEY(--auth-choice xai-api-key). --auth-choice xai-device-codestill works as a manual-only compatibility alias for the same xAI OAuth device-code flow; usexai-oauthfor new scripts.- OpenCode: prompts for
OPENCODE_API_KEY(orOPENCODE_ZEN_API_KEY, get it at https://opencode.ai/auth) and lets you pick the Zen or Go catalog. - Ollama: offers Cloud + Local, Cloud only, or Local only first.
Cloud onlyprompts forOLLAMA_API_KEYand useshttps://ollama.com; the host-backed modes prompt for the Ollama base URL (defaulthttp://127.0.0.1:11434), discover available models, and auto-pull the selected local model when needed;Cloud + Localalso checks whether that Ollama host is signed in for cloud access. - More detail: Ollama
- API key: stores the key for you.
- Vercel AI Gateway (multi-model proxy): prompts for
AI_GATEWAY_API_KEY. - More detail: Vercel AI Gateway
- Cloudflare AI Gateway: prompts for Account ID, Gateway ID, and
CLOUDFLARE_AI_GATEWAY_API_KEY. - More detail: Cloudflare AI Gateway
- MiniMax: config is auto-written; hosted default is
MiniMax-M3. API-key setup usesminimax/..., and OAuth setup usesminimax-portal/.... - More detail: MiniMax
- StepFun: config is auto-written for StepFun standard or Step Plan on China or global endpoints.
- Standard currently defaults to
step-3.5-flash; Step Plan also includesstep-3.5-flash-2603. - More detail: StepFun
- Synthetic (Anthropic-compatible): prompts for
SYNTHETIC_API_KEY. - More detail: Synthetic
- Moonshot (Kimi K2): config is auto-written.
- Kimi Coding: config is auto-written.
- More detail: Moonshot AI (Kimi + Kimi Coding)
- Custom Provider: works with OpenAI-compatible, OpenAI Responses-compatible, or Anthropic-compatible endpoints. Non-interactive flags:
--auth-choice custom-api-key,--custom-base-url,--custom-model-id,--custom-api-key(optional; falls back toCUSTOM_API_KEY),--custom-provider-id(optional; auto-derived from the base URL),--custom-compatibility openai|openai-responses|anthropic(defaultopenai),--custom-image-input/--custom-text-input(override inferred vision-model detection). - Skip: no auth configured yet.
- Pick a default model from detected options (or enter provider/model manually). For best quality and lower prompt-injection risk, choose the strongest latest-generation model available in your provider stack.
- Onboarding runs a model check and warns if the configured model is unknown or missing auth.
- API key storage mode defaults to plaintext auth-profile values. Use
--secret-input-mode refto store env-backed refs instead (for examplekeyRef: { source: "env", provider: "default", id: "OPENAI_API_KEY" }); the referenced env var must already be set, or onboarding fails fast. - Auth profiles live in
~/.openclaw/agents/<agentId>/agent/auth-profiles.json(API keys + OAuth).~/.openclaw/credentials/oauth.jsonis legacy import-only. - More detail: OAuth
Headless/server tip: complete OAuth on a machine with a browser, then copy
that agent’s
auth-profiles.json (for example
~/.openclaw/agents/<agentId>/agent/auth-profiles.json, or the matching
$OPENCLAW_STATE_DIR/... path) to the gateway host. credentials/oauth.json
is only a legacy import source.Workspace
- Default
~/.openclaw/workspace(configurable). - Seeds the workspace files needed for the agent bootstrap ritual.
- Full workspace layout + backup guide: Agent workspace
Gateway
- Port (default 18789), bind, auth mode, tailscale exposure.
- Auth recommendation: keep Token even for loopback so local WS clients must authenticate.
- In token mode, interactive setup offers:
- Generate/store plaintext token (default)
- Use SecretRef (opt-in)
- Quickstart reuses existing
gateway.auth.tokenSecretRefs acrossenv,file, andexecproviders for onboarding probe/dashboard bootstrap. - If that SecretRef is configured but cannot be resolved, onboarding fails early with a clear fix message instead of silently degrading runtime auth.
- In password mode, interactive setup also supports plaintext or SecretRef storage.
- Non-interactive token SecretRef path:
--gateway-token-ref-env <ENV_VAR>.- Requires a non-empty env var in the onboarding process environment.
- Cannot be combined with
--gateway-token.
- Disable auth only if you fully trust every local process.
- Non-loopback binds still require auth.
Channels
- WhatsApp: optional QR login.
- Telegram: bot token.
- Discord: bot token.
- Google Chat: service account JSON + webhook audience.
- Mattermost (plugin): bot token + base URL.
- Signal (plugin): optional
signal-cliinstall + account config. - iMessage:
imsgCLI path + Messages DB access; use an SSH wrapper when the Gateway runs off-Mac. - Discord, Feishu, Microsoft Teams, QQ Bot, Slack, and other channels ship as plugins onboarding can install for you. Full catalog: Channels.
- DM security: default is pairing. First DM sends a code; approve via
openclaw pairing approve <channel> <code>or use allowlists.
Web search
- Pick a supported provider such as Brave, Codex (Hosted Search), DuckDuckGo, Exa, Firecrawl, Gemini, Grok, Kimi, MiniMax Search, Ollama Web Search, Parallel, Perplexity, SearXNG, or Tavily (or skip).
- API-backed providers can use env vars or existing config for quick setup; key-free providers use their provider-specific prerequisites instead.
- Skip with
--skip-search. - Configure later:
openclaw configure --section web.
Daemon install
- macOS: LaunchAgent
- Requires a logged-in user session; for headless, use a custom LaunchDaemon (not shipped).
- Linux (and Windows via WSL2): systemd user unit
- Onboarding attempts to enable lingering via
loginctl enable-linger <user>so the Gateway stays up after logout. - May prompt for sudo (writes
/var/lib/systemd/linger); it tries without sudo first.
- Onboarding attempts to enable lingering via
- Native Windows: Scheduled Task first; if task creation is denied, OpenClaw falls back to a per-user Startup-folder login item and starts the Gateway immediately.
- Runtime selection: Node (recommended; required for WhatsApp/Telegram - Bun can corrupt memory on reconnect). Only Node is offered interactively;
--daemon-runtime bunis CLI-only. - If token auth requires a token and
gateway.auth.tokenis SecretRef-managed, daemon install validates it but does not persist resolved plaintext token values into supervisor service environment metadata. - If token auth requires a token and the configured token SecretRef is unresolved, daemon install is blocked with actionable guidance.
- If both
gateway.auth.tokenandgateway.auth.passwordare configured andgateway.auth.modeis unset, daemon install is blocked until mode is set explicitly.
Health check
- Starts the Gateway (if needed) and runs
openclaw health. - Tip:
openclaw status --deepadds the live gateway health probe to status output, including channel probes when supported (requires a reachable gateway).
Skills (recommended)
- Reads the available skills and checks requirements.
- Lets you choose a node manager: npm / pnpm / bun.
- Auto-installs optional dependencies for trusted bundled skills (some use Homebrew on macOS).
- Skips skills whose Homebrew, uv, or Go installer prerequisite is unavailable, groups them with manual setup guidance, and points you at
openclaw doctoronce the prerequisite is installed.
If no GUI is detected, onboarding prints SSH port-forward instructions for the Control UI instead of opening a browser.
If the Control UI assets are missing, onboarding attempts to build them; fallback is
pnpm ui:build (auto-installs UI deps).Non-interactive mode
Use--non-interactive --accept-risk to automate or script onboarding (the
flag is the required risk acknowledgement; onboarding exits with an error
without it):
--json for a machine-readable summary.
Gateway token SecretRef in non-interactive mode:
--gateway-token and --gateway-token-ref-env are mutually exclusive.
--json does not imply non-interactive mode. Use --non-interactive --accept-risk (and --workspace) for scripts.Add agent (non-interactive)
main is a reserved agent id and cannot be used for openclaw agents add.
Gateway wizard RPC
The Gateway exposes the onboarding flow over RPC (wizard.start, wizard.next, wizard.cancel, wizard.status).
Clients (macOS app, Control UI) can render steps without re-implementing onboarding logic.
Signal setup (signal-cli)
Onboarding detects whethersignal-cli is on PATH and, if missing, offers to install it:
- Linux x86-64: downloads the official native GraalVM build from the
signal-cliGitHub releases and stores it under~/.openclaw/tools/signal-cli/<version>/. - macOS and other architectures: installs via Homebrew instead.
- Native Windows: not supported yet; run onboarding inside WSL2 to get the Linux install path.
- Writes
channels.signal.cliPathto your config either way.
What the wizard writes
Typical fields in~/.openclaw/openclaw.json:
agents.defaults.workspaceagents.defaults.skipBootstrapwhen--skip-bootstrapis passedagents.defaults.model/models.providers(if Minimax chosen)tools.profile(local onboarding defaults to"coding"when unset; existing explicit values are preserved)gateway.*(mode, bind, auth, tailscale)session.dmScope(local onboarding defaults this to"per-channel-peer"when unset; existing explicit values are preserved. Details: CLI Setup Reference)channels.telegram.botToken,channels.discord.token,channels.matrix.*,channels.signal.*,channels.imessage.*- Channel DM allowlists when you opt in during the channel prompts. Discord, Matrix, Microsoft Teams, and Slack resolve names to IDs when possible; other channels take IDs directly (for example numeric Telegram sender IDs or WhatsApp phone numbers).
skills.install.nodeManagersetup --node-manageracceptsnpm,pnpm, orbun.- Manual config can still use
yarnby settingskills.install.nodeManagerdirectly.
wizard.lastRunAtwizard.lastRunVersionwizard.lastRunCommitwizard.lastRunCommandwizard.lastRunModewizard.securityAcknowledgedAt
openclaw agents add writes agents.list[] and optional bindings.
WhatsApp credentials go under ~/.openclaw/credentials/whatsapp/<accountId>/.
Sessions are stored under ~/.openclaw/agents/<agentId>/sessions/.
Some channels are delivered as plugins. When you pick one during setup, onboarding
will prompt to install it (npm or a local path) before it can be configured.
Related docs
- Onboarding overview: Onboarding (CLI)
- CLI setup reference: CLI setup reference
- macOS app onboarding: Onboarding
- Config reference: Gateway configuration
- Providers: WhatsApp, Telegram, Discord, Google Chat, Signal, iMessage
- Skills: Skills, Skills config