Skip to content
OpenClaw Docs

Gateway Runbook

Gateway runbook

Section titled “Gateway runbook”

Use this page for day-1 startup and day-2 operations of the Gateway service.

Deep troubleshooting

Symptom-first diagnostics with exact command ladders and log signatures.

Configuration

Task-oriented setup guide + full configuration reference.

Secrets management

SecretRef contract, runtime snapshot behavior, and migrate/reload operations.

Secrets plan contract

Exact secrets apply target/path rules and ref-only auth-profile behavior.

5-minute local startup

Section titled “5-minute local startup”

  1. Start the Gateway

    Terminal window
    openclaw gateway --port 18789
    # debug/trace mirrored to stdio
    openclaw gateway --port 18789 --verbose
    # force-kill listener on selected port, then start
    openclaw gateway --force

  2. Verify service health

    Terminal window
    openclaw gateway status
    openclaw status
    openclaw logs --follow

    Healthy baseline: Runtime: running and RPC probe: ok.

  3. Validate channel readiness

    Terminal window
    openclaw channels status --probe

    With a reachable gateway this runs live per-account channel probes and optional audits. If the gateway is unreachable, the CLI falls back to config-only channel summaries instead of live probe output.

Runtime model

Section titled “Runtime model”
  • One always-on process for routing, control plane, and channel connections.
  • Single multiplexed port for:
    • WebSocket control/RPC
    • HTTP APIs, OpenAI compatible (/v1/models, /v1/embeddings, /v1/chat/completions, /v1/responses, /tools/invoke)
    • Control UI and hooks
  • Default bind mode: loopback.
  • Auth is required by default. Shared-secret setups use gateway.auth.token / gateway.auth.password (or OPENCLAW_GATEWAY_TOKEN / OPENCLAW_GATEWAY_PASSWORD), and non-loopback reverse-proxy setups can use gateway.auth.mode: "trusted-proxy".

OpenAI-compatible endpoints

Section titled “OpenAI-compatible endpoints”

OpenClaw’s highest-leverage compatibility surface is now:

  • GET /v1/models
  • GET /v1/models/{id}
  • POST /v1/embeddings
  • POST /v1/chat/completions
  • POST /v1/responses

Why this set matters:

  • Most Open WebUI, LobeChat, and LibreChat integrations probe /v1/models first.
  • Many RAG and memory pipelines expect /v1/embeddings.
  • Agent-native clients increasingly prefer /v1/responses.

Planning note:

  • /v1/models is agent-first: it returns openclaw, openclaw/default, and openclaw/<agentId>.
  • openclaw/default is the stable alias that always maps to the configured default agent.
  • Use x-openclaw-model when you want a backend provider/model override; otherwise the selected agent’s normal model and embedding setup stays in control.

All of these run on the main Gateway port and use the same trusted operator auth boundary as the rest of the Gateway HTTP API.

Port and bind precedence

Section titled “Port and bind precedence”
SettingResolution order
Gateway port--portOPENCLAW_GATEWAY_PORTgateway.port18789
Bind modeCLI/override → gateway.bindloopback

Hot reload modes

Section titled “Hot reload modes”
gateway.reload.modeBehavior
offNo config reload
hotApply only hot-safe changes
restartRestart on reload-required changes
hybrid (default)Hot-apply when safe, restart when required

Operator command set

Section titled “Operator command set”
Terminal window
openclaw gateway status
openclaw gateway status --deep   # adds a system-level service scan
openclaw gateway status --json
openclaw gateway install
openclaw gateway restart
openclaw gateway stop
openclaw secrets reload
openclaw logs --follow
openclaw doctor

gateway status --deep is for extra service discovery (LaunchDaemons/systemd system units/schtasks), not a deeper RPC health probe.

Multiple gateways (same host)

Section titled “Multiple gateways (same host)”

Most installs should run one gateway per machine. A single gateway can host multiple agents and channels.

You only need multiple gateways when you intentionally want isolation or a rescue bot.

Useful checks:

Terminal window
openclaw gateway status --deep
openclaw gateway probe

What to expect:

  • gateway status --deep can report Other gateway-like services detected (best effort) and print cleanup hints when stale launchd/systemd/schtasks installs are still around.
  • gateway probe can warn about multiple reachable gateways when more than one target answers.
  • If that is intentional, isolate ports, config/state, and workspace roots per gateway.

Detailed setup: /gateway/multiple-gateways.

Remote access

Section titled “Remote access”

Preferred: Tailscale/VPN. Fallback: SSH tunnel.

Terminal window
ssh -N -L 18789:127.0.0.1:18789 user@host

Then connect clients locally to ws://127.0.0.1:18789.

See: Remote Gateway, Authentication, Tailscale.

Supervision and service lifecycle

Section titled “Supervision and service lifecycle”

Use supervised runs for production-like reliability.

Terminal window
openclaw gateway install
openclaw gateway status
openclaw gateway restart
openclaw gateway stop

LaunchAgent labels are ai.openclaw.gateway (default) or `ai.openclaw.

(named profile).openclaw doctor` audits and repairs service config drift.

Multiple gateways on one host

Section titled “Multiple gateways on one host”

Most setups should run one Gateway. Use multiple only for strict isolation/redundancy (for example a rescue profile).

Checklist per instance:

  • Unique gateway.port
  • Unique OPENCLAW_CONFIG_PATH
  • Unique OPENCLAW_STATE_DIR
  • Unique agents.defaults.workspace

Example:

Terminal window
OPENCLAW_CONFIG_PATH=~/.openclaw/a.json OPENCLAW_STATE_DIR=~/.openclaw-a openclaw gateway --port 19001
OPENCLAW_CONFIG_PATH=~/.openclaw/b.json OPENCLAW_STATE_DIR=~/.openclaw-b openclaw gateway --port 19002

See: Multiple gateways.

Dev profile quick path

Section titled “Dev profile quick path”
Terminal window
openclaw --dev setup
openclaw --dev gateway --allow-unconfigured
openclaw --dev status

Defaults include isolated state/config and base gateway port 19001.

Protocol quick reference (operator view)

Section titled “Protocol quick reference (operator view)”
  • First client frame must be connect.
  • Gateway returns hello-ok snapshot (presence, health, stateVersion, uptimeMs, limits/policy).
  • hello-ok.features.methods / events are a conservative discovery list, not a generated dump of every callable helper route.
  • Requests: req(method, params)res(ok/payload|error).
  • Common events include connect.challenge, agent, chat, session.message, session.tool, sessions.changed, presence, tick, health, heartbeat, pairing/approval lifecycle events, and shutdown.

Agent runs are two-stage:

  1. Immediate accepted ack (status:"accepted")
  2. Final completion response (status:"ok"|"error"), with streamed agent events in between.

See full protocol docs: Gateway Protocol.

Operational checks

Section titled “Operational checks”

Liveness

Section titled “Liveness”
  • Open WS and send connect.
  • Expect hello-ok response with snapshot.

Readiness

Section titled “Readiness”
Terminal window
openclaw gateway status
openclaw channels status --probe
openclaw health

Gap recovery

Section titled “Gap recovery”

Events are not replayed. On sequence gaps, refresh state (health, system-presence) before continuing.

Common failure signatures

Section titled “Common failure signatures”
SignatureLikely issue
refusing to bind gateway ... without authNon-loopback bind without a valid gateway auth path
another gateway instance is already listening / EADDRINUSEPort conflict
Gateway start blocked: set gateway.mode=localConfig set to remote mode, or local-mode stamp is missing from a damaged config
unauthorized during connectAuth mismatch between client and gateway

For full diagnosis ladders, use Gateway Troubleshooting.

Safety guarantees

Section titled “Safety guarantees”
  • Gateway protocol clients fail fast when Gateway is unavailable (no implicit direct-channel fallback).
  • Invalid/non-connect first frames are rejected and closed.
  • Graceful shutdown emits shutdown event before socket close.

Related: