CLI setup reference

This page is the full reference for openclaw onboard. For the short guide, see Onboarding (CLI).

What the wizard does

Local mode (default) walks you through:

• Model and auth setup (OpenAI Code subscription OAuth, Anthropic Claude CLI or API key, plus MiniMax, GLM, Ollama, Moonshot, StepFun, and AI Gateway options)
• Workspace location and bootstrap files
• Gateway settings (port, bind, auth, tailscale)
• Channels and providers (Telegram, WhatsApp, Discord, Google Chat, Mattermost, Signal, iMessage, and other bundled channel plugins)
• Daemon install (LaunchAgent, systemd user unit, or native Windows Scheduled Task with Startup-folder fallback)
• Health check
• Skills setup

Remote mode configures this machine to connect to a gateway elsewhere. It does not install or modify anything on the remote host.

Local flow details

1. Existing config detection

   • If ~/.openclaw/openclaw.json exists, choose Keep, Modify, or Reset.
   • Re-running the wizard does not wipe anything unless you explicitly choose Reset (or pass --reset).
   • CLI --reset defaults to config+creds+sessions; use --reset-scope full to also remove workspace.
   • If config is invalid or contains legacy keys, the wizard stops and asks you to run openclaw doctor before continuing.
   • Reset uses trash and offers scopes:
     • Config only
     • Config + credentials + sessions
     • Full reset (also removes workspace)

2. Model and auth

   • Full option matrix is in Auth and model options.

3. Workspace

   • Default ~/.openclaw/workspace (configurable).
   • Seeds workspace files needed for first-run bootstrap ritual.
   • Workspace layout: Agent workspace.

4. Gateway

   • Prompts for port, bind, auth mode, and tailscale exposure.
   • Recommended: keep token auth enabled even for loopback so local WS clients must authenticate.
   • In token mode, interactive setup offers:
     • Generate/store plaintext token (default)
     • Use SecretRef (opt-in)
   • In password mode, interactive setup also supports plaintext or SecretRef storage.
   • Non-interactive token SecretRef path: `—gateway-token-ref-env

   . - Requires a non-empty env var in the onboarding process environment. - Cannot be combined with —gateway-token`. - Disable auth only if you fully trust every local process. - Non-loopback binds still require auth.

5. Channels

   • WhatsApp: optional QR login
   • Telegram: bot token
   • Discord: bot token
   • Google Chat: service account JSON + webhook audience
   • Mattermost: bot token + base URL
   • Signal: optional signal-cli install + account config
   • iMessage: imsg CLI path + Messages DB access; use an SSH wrapper when the Gateway runs off-Mac
   • DM security: default is pairing. First DM sends a code; approve via `openclaw pairing approve

   ` or use allowlists.

Note

If no GUI is detected, the wizard prints SSH port-forward instructions for the Control UI instead of opening a browser. If Control UI assets are missing, the wizard attempts to build them; fallback is pnpm ui:build (auto-installs UI deps).

Remote mode details

Remote mode configures this machine to connect to a gateway elsewhere.

Info

Remote mode does not install or modify anything on the remote host.

What you set:

• Remote gateway URL (ws://...)
• Token if remote gateway auth is required (recommended)

Note

• If gateway is loopback-only, use SSH tunneling or a tailnet.
• Discovery hints:
  • macOS: Bonjour (dns-sd)
  • Linux: Avahi (avahi-browse)

Auth and model options

Anthropic API key

Uses ANTHROPIC_API_KEY if present or prompts for a key, then saves it for daemon use.

OpenAI Code subscription (OAuth)

Browser flow; paste code#state.

Sets agents.defaults.model to openai/gpt-5.5 through the Codex runtime when model is unset or already OpenAI-family.

OpenAI Code subscription (device pairing)

Browser pairing flow with a short-lived device code.

Sets agents.defaults.model to openai/gpt-5.5 through the Codex runtime when model is unset or already OpenAI-family.

OpenAI API key

Uses OPENAI_API_KEY if present or prompts for a key, then stores the credential in auth profiles.

Sets agents.defaults.model to openai/gpt-5.5 when model is unset, openai/*, or openai-codex/*.

xAI (Grok) OAuth

Browser sign-in for eligible SuperGrok or X Premium accounts. This is the recommended xAI path for most users. OpenClaw stores the resulting auth profile for Grok models, Grok web_search, x_search, and code_execution.

xAI (Grok) device code

Remote-friendly browser sign-in with a short code instead of a localhost callback. Use this from SSH, Docker, or VPS hosts.

xAI (Grok) API key

Prompts for XAI_API_KEY and configures xAI as a model provider. Use this when you want an xAI Console API key instead of subscription OAuth.

OpenCode

Prompts for OPENCODE_API_KEY (or OPENCODE_ZEN_API_KEY) and lets you choose the Zen or Go catalog. Setup URL: opencode.ai/auth.

API key (generic)

Stores the key for you.

Vercel AI Gateway

Prompts for AI_GATEWAY_API_KEY. More detail: Vercel AI Gateway.

Cloudflare AI Gateway

Prompts for account ID, gateway ID, and CLOUDFLARE_AI_GATEWAY_API_KEY. More detail: Cloudflare AI Gateway.

MiniMax

Config is auto-written. Hosted default is MiniMax-M2.7; API-key setup uses minimax/..., and OAuth setup uses minimax-portal/.... More detail: MiniMax.

StepFun

Config is auto-written for StepFun standard or Step Plan on China or global endpoints. Standard currently includes step-3.5-flash, and Step Plan also includes step-3.5-flash-2603. More detail: StepFun.

Synthetic (Anthropic-compatible)

Prompts for SYNTHETIC_API_KEY. More detail: Synthetic.

Ollama (Cloud and local open models)

Prompts for Cloud + Local, Cloud only, or Local only first. Cloud only uses OLLAMA_API_KEY with https://ollama.com. The host-backed modes prompt for base URL (default http://127.0.0.1:11434), discover available models, and suggest defaults. Cloud + Local also checks whether that Ollama host is signed in for cloud access. More detail: Ollama.

Moonshot and Kimi Coding

Moonshot (Kimi K2) and Kimi Coding configs are auto-written. More detail: Moonshot AI (Kimi + Kimi Coding).

Custom provider

Works with OpenAI-compatible and Anthropic-compatible endpoints.

Interactive onboarding supports the same API key storage choices as other provider API key flows:

• Paste API key now (plaintext)
• Use secret reference (env ref or configured provider ref, with preflight validation)

Non-interactive flags:

• --auth-choice custom-api-key
• --custom-base-url
• --custom-model-id
• --custom-api-key (optional; falls back to CUSTOM_API_KEY)
• --custom-provider-id (optional)
• `—custom-compatibility

(optional; defaultopenai) - —custom-image-input/—custom-text-input` (optional; override inferred model input capability)

Skip

Leaves auth unconfigured.

Model behavior:

• Pick default model from detected options, or enter provider and model manually.
• Custom-provider onboarding infers image support for common model IDs and asks only when the model name is unknown.
• When onboarding starts from a provider auth choice, the model picker prefers that provider automatically. For Volcengine and BytePlus, the same preference also matches their coding-plan variants (volcengine-plan/*, byteplus-plan/*).
• If that preferred-provider filter would be empty, the picker falls back to the full catalog instead of showing no models.
• Wizard runs a model check and warns if the configured model is unknown or missing auth.

Credential and profile paths:

• Auth profiles (API keys + OAuth): ~/.openclaw/agents/<agentId>/agent/auth-profiles.json
• Legacy OAuth import: ~/.openclaw/credentials/oauth.json

Credential storage mode:

• Default onboarding behavior persists API keys as plaintext values in auth profiles.
• --secret-input-mode ref enables reference mode instead of plaintext key storage. In interactive setup, you can choose either:
  • environment variable ref (for example keyRef: { source: "env", provider: "default", id: "OPENAI_API_KEY" })
  • configured provider ref (file or exec) with provider alias + id
• Interactive reference mode runs a fast preflight validation before saving.
  • Env refs: validates variable name + non-empty value in the current onboarding environment.
  • Provider refs: validates provider config and resolves the requested id.
  • If preflight fails, onboarding shows the error and lets you retry.
• In non-interactive mode, --secret-input-mode ref is env-backed only.
  • Set the provider env var in the onboarding process environment.
  • Inline key flags (for example --openai-api-key) require that env var to be set; otherwise onboarding fails fast.
  • For custom providers, non-interactive ref mode stores models.providers.<id>.apiKey as { source: "env", provider: "default", id: "CUSTOM_API_KEY" }.
  • In that custom-provider case, --custom-api-key requires CUSTOM_API_KEY to be set; otherwise onboarding fails fast.
• Gateway auth credentials support plaintext and SecretRef choices in interactive setup:
  • Token mode: Generate/store plaintext token (default) or Use SecretRef.
  • Password mode: plaintext or SecretRef.
• Non-interactive token SecretRef path: --gateway-token-ref-env <ENV_VAR>.
• Existing plaintext setups continue to work unchanged.

Note

Headless and server tip: complete OAuth on a machine with a browser, then copy that agent’s auth-profiles.json (for example `~/.openclaw/agents/

/agent/auth-profiles.json, or the matching $OPENCLAW_STATE_DIR/…path) to the gateway host.credentials/oauth.json` is only a legacy import source.

Outputs and internals

Typical fields in ~/.openclaw/openclaw.json:

• agents.defaults.workspace
• agents.defaults.skipBootstrap when --skip-bootstrap is passed
• agents.defaults.model / models.providers (if Minimax chosen)
• tools.profile (local onboarding defaults to "coding" when unset; existing explicit values are preserved)
• gateway.* (mode, bind, auth, tailscale)
• session.dmScope (local onboarding defaults this to per-channel-peer when unset; existing explicit values are preserved)
• channels.telegram.botToken, channels.discord.token, channels.matrix.*, channels.signal.*, channels.imessage.*
• Channel allowlists (Slack, Discord, Matrix, Microsoft Teams) when you opt in during prompts (names resolve to IDs when possible)
• skills.install.nodeManager
  • The setup --node-manager flag accepts npm, pnpm, or bun.
  • Manual config can still set skills.install.nodeManager: "yarn" later.
• wizard.lastRunAt
• wizard.lastRunVersion
• wizard.lastRunCommit
• wizard.lastRunCommand
• wizard.lastRunMode

openclaw agents add writes agents.list[] and optional bindings.

WhatsApp credentials go under ~/.openclaw/credentials/whatsapp/<accountId>/. Sessions are stored under ~/.openclaw/agents/<agentId>/sessions/.

Note

Some channels are delivered as plugins. When selected during setup, the wizard prompts to install the plugin (npm or local path) before channel configuration.

Gateway wizard RPC:

• wizard.start
• wizard.next
• wizard.cancel
• wizard.status

Clients (macOS app and Control UI) can render steps without re-implementing onboarding logic.

Signal setup behavior:

• Downloads the appropriate release asset
• Stores it under ~/.openclaw/tools/signal-cli/<version>/
• Writes channels.signal.cliPath in config
• JVM builds require Java 21
• Native builds are used when available
• Windows uses WSL2 and follows Linux signal-cli flow inside WSL

Related docs

• Onboarding hub: Onboarding (CLI)
• Automation and scripts: CLI Automation
• Command reference: openclaw onboard