Skip to content
OpenClaw Docs

config

openclaw config

Section titled “openclaw config”

Config helpers for non-interactive edits in openclaw.json: get/set/unset/file/schema/validate values by path and print the active config file. Run without a subcommand to open the configure wizard (same as openclaw configure).

Examples

Section titled “Examples”
Terminal window
openclaw config file
openclaw config schema
openclaw config get browser.executablePath
openclaw config set browser.executablePath "/usr/bin/google-chrome"
openclaw config set agents.defaults.heartbeat.every "2h"
openclaw config set agents.list[0].tools.exec.node "node-id-or-name"
openclaw config set channels.discord.token --ref-provider default --ref-source env --ref-id DISCORD_BOT_TOKEN
openclaw config set secrets.providers.vaultfile --provider-source file --provider-path /etc/openclaw/secrets.json --provider-mode json
openclaw config unset plugins.entries.brave.config.webSearch.apiKey
openclaw config set channels.discord.token --ref-provider default --ref-source env --ref-id DISCORD_BOT_TOKEN --dry-run
openclaw config validate
openclaw config validate --json

config schema

Section titled “config schema”

Print the generated JSON schema for openclaw.json to stdout as plain text.

Terminal window
openclaw config schema

Pipe it into a file when you want to inspect or validate it with other tools:

Terminal window
openclaw config schema > openclaw.schema.json

Paths

Section titled “Paths”

Paths use dot or bracket notation:

Terminal window
openclaw config get agents.defaults.workspace
openclaw config get agents.list[0].id

Use the agent list index to target a specific agent:

Terminal window
openclaw config get agents.list
openclaw config set agents.list[1].tools.exec.node "node-id-or-name"

Values

Section titled “Values”

Values are parsed as JSON5 when possible; otherwise they are treated as strings. Use --strict-json to require JSON5 parsing. --json remains supported as a legacy alias.

Terminal window
openclaw config set agents.defaults.heartbeat.every "0m"
openclaw config set gateway.port 19001 --strict-json
openclaw config set channels.whatsapp.groups '["*"]' --strict-json

config set modes

Section titled “config set modes”

openclaw config set supports four assignment styles:

  1. Value mode: openclaw config set <path> <value>
  2. SecretRef builder mode:
Terminal window
openclaw config set channels.discord.token \
  --ref-provider default \
  --ref-source env \
  --ref-id DISCORD_BOT_TOKEN
  1. Provider builder mode (secrets.providers.<alias> path only):
Terminal window
openclaw config set secrets.providers.vault \
  --provider-source exec \
  --provider-command /usr/local/bin/openclaw-vault \
  --provider-arg read \
  --provider-arg openai/api-key \
  --provider-timeout-ms 5000
  1. Batch mode (--batch-json or --batch-file):
Terminal window
openclaw config set --batch-json '[
  {
    "path": "secrets.providers.default",
    "provider": { "source": "env" }
  },
  {
    "path": "channels.discord.token",
    "ref": { "source": "env", "provider": "default", "id": "DISCORD_BOT_TOKEN" }
  }
]'
Terminal window
openclaw config set --batch-file ./config-set.batch.json --dry-run

Policy note:

  • SecretRef assignments are rejected on unsupported runtime-mutable surfaces (for example hooks.token, commands.ownerDisplaySecret, Discord thread-binding webhook tokens, and WhatsApp creds JSON). See SecretRef Credential Surface.

Batch parsing always uses the batch payload (--batch-json/--batch-file) as the source of truth. --strict-json / --json do not change batch parsing behavior.

JSON path/value mode remains supported for both SecretRefs and providers:

Terminal window
openclaw config set channels.discord.token \
  '{"source":"env","provider":"default","id":"DISCORD_BOT_TOKEN"}' \
  --strict-json


openclaw config set secrets.providers.vaultfile \
  '{"source":"file","path":"/etc/openclaw/secrets.json","mode":"json"}' \
  --strict-json

Provider Builder Flags

Section titled “Provider Builder Flags”

Provider builder targets must use secrets.providers.<alias> as the path.

Common flags:

  • --provider-source <env|file|exec>
  • --provider-timeout-ms <ms> (file, exec)

Env provider (--provider-source env):

  • --provider-allowlist <ENV_VAR> (repeatable)

File provider (--provider-source file):

  • --provider-path <path> (required)
  • --provider-mode <singleValue|json>
  • --provider-max-bytes <bytes>

Exec provider (--provider-source exec):

  • --provider-command <path> (required)
  • --provider-arg <arg> (repeatable)
  • --provider-no-output-timeout-ms <ms>
  • --provider-max-output-bytes <bytes>
  • --provider-json-only
  • --provider-env <KEY=VALUE> (repeatable)
  • --provider-pass-env <ENV_VAR> (repeatable)
  • --provider-trusted-dir <path> (repeatable)
  • --provider-allow-insecure-path
  • --provider-allow-symlink-command

Hardened exec provider example:

Terminal window
openclaw config set secrets.providers.vault \
  --provider-source exec \
  --provider-command /usr/local/bin/openclaw-vault \
  --provider-arg read \
  --provider-arg openai/api-key \
  --provider-json-only \
  --provider-pass-env VAULT_TOKEN \
  --provider-trusted-dir /usr/local/bin \
  --provider-timeout-ms 5000

Dry run

Section titled “Dry run”

Use --dry-run to validate changes without writing openclaw.json.

Terminal window
openclaw config set channels.discord.token \
  --ref-provider default \
  --ref-source env \
  --ref-id DISCORD_BOT_TOKEN \
  --dry-run


openclaw config set channels.discord.token \
  --ref-provider default \
  --ref-source env \
  --ref-id DISCORD_BOT_TOKEN \
  --dry-run \
  --json


openclaw config set channels.discord.token \
  --ref-provider vault \
  --ref-source exec \
  --ref-id discord/token \
  --dry-run \
  --allow-exec

Dry-run behavior:

  • Builder mode: runs SecretRef resolvability checks for changed refs/providers.
  • JSON mode (--strict-json, --json, or batch mode): runs schema validation plus SecretRef resolvability checks.
  • Policy validation also runs for known unsupported SecretRef target surfaces.
  • Policy checks evaluate the full post-change config, so parent-object writes (for example setting hooks as an object) cannot bypass unsupported-surface validation.
  • Exec SecretRef checks are skipped by default during dry-run to avoid command side effects.
  • Use --allow-exec with --dry-run to opt in to exec SecretRef checks (this may execute provider commands).
  • --allow-exec is dry-run only and errors if used without --dry-run.

--dry-run --json prints a machine-readable report:

  • ok: whether dry-run passed
  • operations: number of assignments evaluated
  • checks: whether schema/resolvability checks ran
  • checks.resolvabilityComplete: whether resolvability checks ran to completion (false when exec refs are skipped)
  • refsChecked: number of refs actually resolved during dry-run
  • skippedExecRefs: number of exec refs skipped because --allow-exec was not set
  • errors: structured schema/resolvability failures when ok=false

JSON Output Shape

Section titled “JSON Output Shape”
{
  ok: boolean,
  operations: number,
  configPath: string,
  inputModes: ["value" | "json" | "builder", ...],
  checks: {
    schema: boolean,
    resolvability: boolean,
    resolvabilityComplete: boolean,
  },
  refsChecked: number,
  skippedExecRefs: number,
  errors?: [
    {
      kind: "schema" | "resolvability",
      message: string,
      ref?: string, // present for resolvability errors
    },
  ],
}

Success example:

{
  "ok": true,
  "operations": 1,
  "configPath": "~/.openclaw/openclaw.json",
  "inputModes": ["builder"],
  "checks": {
    "schema": false,
    "resolvability": true,
    "resolvabilityComplete": true
  },
  "refsChecked": 1,
  "skippedExecRefs": 0
}

Failure example:

{
  "ok": false,
  "operations": 1,
  "configPath": "~/.openclaw/openclaw.json",
  "inputModes": ["builder"],
  "checks": {
    "schema": false,
    "resolvability": true,
    "resolvabilityComplete": true
  },
  "refsChecked": 1,
  "skippedExecRefs": 0,
  "errors": [
    {
      "kind": "resolvability",
      "message": "Error: Environment variable \"MISSING_TEST_SECRET\" is not set.",
      "ref": "env:default:MISSING_TEST_SECRET"
    }
  ]
}

If dry-run fails:

  • config schema validation failed: your post-change config shape is invalid; fix path/value or provider/ref object shape.
  • Config policy validation failed: unsupported SecretRef usage: move that credential back to plaintext/string input and keep SecretRefs on supported surfaces only.
  • SecretRef assignment(s) could not be resolved: referenced provider/ref currently cannot resolve (missing env var, invalid file pointer, exec provider failure, or provider/source mismatch).
  • Dry run note: skipped <n> exec SecretRef resolvability check(s): dry-run skipped exec refs; rerun with --allow-exec if you need exec resolvability validation.
  • For batch mode, fix failing entries and rerun --dry-run before writing.

Subcommands

Section titled “Subcommands”
  • config file: Print the active config file path (resolved from OPENCLAW_CONFIG_PATH or default location).

Restart the gateway after edits.

Validate

Section titled “Validate”

Validate the current config against the active schema without starting the gateway.

Terminal window
openclaw config validate
openclaw config validate --json