Guides
CLI-Einrichtungsreferenz
This page is the full reference for openclaw onboard.
For the short guide, see Onboarding (CLI).
What the wizard does
Local mode (default) walks you through:
- Model and auth setup (OpenAI Code subscription OAuth, Anthropic Claude CLI or API key, plus MiniMax, GLM, Ollama, Moonshot, StepFun, and AI Gateway options)
- Workspace location and bootstrap files
- Gateway settings (port, bind, auth, tailscale)
- Channels and providers (Telegram, WhatsApp, Discord, Google Chat, Mattermost, Signal, iMessage, and other bundled channel plugins)
- Daemon install (LaunchAgent, systemd user unit, or native Windows Scheduled Task with Startup-folder fallback)
- Health check
- Skills setup
Remote mode configures this machine to connect to a gateway elsewhere. It does not install or modify anything on the remote host.
Local flow details
Existing config detection
- If
~/.openclaw/openclaw.jsonexists, choose Keep, Modify, or Reset. - Re-running the wizard does not wipe anything unless you explicitly choose Reset (or pass
--reset). - CLI
--resetdefaults toconfig+creds+sessions; use--reset-scope fullto also remove workspace. - If config is invalid or contains legacy keys, the wizard stops and asks you to run
openclaw doctorbefore continuing. - Reset uses
trashand offers scopes:- Config only
- Config + credentials + sessions
- Full reset (also removes workspace)
Model and auth
- Full option matrix is in Auth and model options.
Workspace
- Default
~/.openclaw/workspace(configurable). - Seeds workspace files needed for first-run bootstrap ritual.
- Workspace layout: Agent workspace.
Gateway
- Prompts for port, bind, auth mode, and tailscale exposure.
- Recommended: keep token auth enabled even for loopback so local WS clients must authenticate.
- In token mode, interactive setup offers:
- Generate/store plaintext token (default)
- Use SecretRef (opt-in)
- In password mode, interactive setup also supports plaintext or SecretRef storage.
- Non-interactive token SecretRef path:
--gateway-token-ref-env <ENV_VAR>.- Requires a non-empty env var in the onboarding process environment.
- Cannot be combined with
--gateway-token.
- Disable auth only if you fully trust every local process.
- Non-loopback binds still require auth.
Channels
- WhatsApp: optional QR login
- Telegram: bot token
- Discord: bot token
- Google Chat: service account JSON + webhook audience
- Mattermost: bot token + base URL
- Signal: optional
signal-cliinstall + account config - iMessage:
imsgCLI path + Messages DB access; use an SSH wrapper when the Gateway runs off-Mac - DM security: default is pairing. First DM sends a code; approve via
openclaw pairing approve <channel> <code>or use allowlists.
Daemon install
- macOS: LaunchAgent
- Requires logged-in user session; for headless, use a custom LaunchDaemon (not shipped).
- Linux and Windows via WSL2: systemd user unit
- Wizard attempts
loginctl enable-linger <user>so gateway stays up after logout. - May prompt for sudo (writes
/var/lib/systemd/linger); it tries without sudo first.
- Wizard attempts
- Native Windows: Scheduled Task first
- If task creation is denied, OpenClaw falls back to a per-user Startup-folder login item and starts the gateway immediately.
- Scheduled Tasks remain preferred because they provide better supervisor status.
- Runtime selection: Node (recommended; required for WhatsApp and Telegram). Bun is not recommended.
Health check
- Starts gateway (if needed) and runs
openclaw health. openclaw status --deepadds the live gateway health probe to status output, including channel probes when supported.
Skills
- Reads available skills and checks requirements.
- Lets you choose node manager: npm, pnpm, or bun.
- Installs optional dependencies for trusted bundled skills when the required installer is available.
- Skips unavailable Homebrew, uv, and Go installers, then groups the affected
skills with manual setup guidance. Run
openclaw doctorafter installing the missing prerequisites.
Finish
- Summary and next steps, including iOS, Android, and macOS app options.
Remote mode details
Remote mode configures this machine to connect to a gateway elsewhere.
What you set:
- Remote gateway URL (
ws://...) - Token if remote gateway auth is required (recommended)
Auth and model options
Anthropic API key
Uses ANTHROPIC_API_KEY if present or prompts for a key, then saves it for daemon use.
OpenAI Code subscription (OAuth)
Browser flow; paste code#state.
Sets agents.defaults.model to openai/gpt-5.5 through the Codex runtime when model is unset or already OpenAI-family.
OpenAI Code subscription (device pairing)
Browser pairing flow with a short-lived device code.
Sets agents.defaults.model to openai/gpt-5.5 through the Codex runtime when model is unset or already OpenAI-family.
OpenAI API key
Uses OPENAI_API_KEY if present or prompts for a key, then stores the credential in auth profiles.
Sets agents.defaults.model to openai/gpt-5.5 when model is unset, openai/*, or legacy Codex model refs.
xAI (Grok) OAuth
Browser sign-in for eligible SuperGrok or X Premium accounts. This is the
recommended xAI path for most users. OpenClaw stores the resulting auth
profile for Grok models, Grok web_search, x_search, and code_execution.
xAI (Grok) device code
Remote-friendly browser sign-in with a short code instead of a localhost callback. Use this from SSH, Docker, or VPS hosts.
xAI (Grok) API key
Prompts for XAI_API_KEY and configures xAI as a model provider. Use this
when you want an xAI Console API key instead of subscription OAuth.
OpenCode
Prompts for OPENCODE_API_KEY (or OPENCODE_ZEN_API_KEY) and lets you choose the Zen or Go catalog.
Setup URL: opencode.ai/auth.
API key (generic)
Stores the key for you.
Vercel AI Gateway
Prompts for AI_GATEWAY_API_KEY.
More detail: Vercel AI Gateway.
Cloudflare AI Gateway
Prompts for account ID, gateway ID, and CLOUDFLARE_AI_GATEWAY_API_KEY.
More detail: Cloudflare AI Gateway.
MiniMax
Config is auto-written. Hosted default is MiniMax-M3; API-key setup uses
minimax/..., and OAuth setup uses minimax-portal/....
More detail: MiniMax.
StepFun
Config is auto-written for StepFun standard or Step Plan on China or global endpoints.
Standard currently includes step-3.5-flash, and Step Plan also includes step-3.5-flash-2603.
More detail: StepFun.
Synthetic (Anthropic-compatible)
Prompts for SYNTHETIC_API_KEY.
More detail: Synthetic.
Ollama (Cloud and local open models)
Prompts for Cloud + Local, Cloud only, or Local only first.
Cloud only uses OLLAMA_API_KEY with https://ollama.com.
The host-backed modes prompt for base URL (default http://127.0.0.1:11434), discover available models, and suggest defaults.
Cloud + Local also checks whether that Ollama host is signed in for cloud access.
More detail: Ollama.
Moonshot and Kimi Coding
Moonshot (Kimi K2) and Kimi Coding configs are auto-written. More detail: Moonshot AI (Kimi + Kimi Coding).
Custom provider
Works with OpenAI-compatible and Anthropic-compatible endpoints.
Interactive onboarding supports the same API key storage choices as other provider API key flows:
- Paste API key now (plaintext)
- Use secret reference (env ref or configured provider ref, with preflight validation)
Non-interactive flags:
--auth-choice custom-api-key--custom-base-url--custom-model-id--custom-api-key(optional; falls back toCUSTOM_API_KEY)--custom-provider-id(optional)--custom-compatibility <openai|openai-responses|anthropic>(optional; defaultopenai)--custom-image-input/--custom-text-input(optional; override inferred model input capability)
Skip
Leaves auth unconfigured.
Model behavior:
- Pick default model from detected options, or enter provider and model manually.
- Custom-provider onboarding infers image support for common model IDs and asks only when the model name is unknown.
- When onboarding starts from a provider auth choice, the model picker prefers
that provider automatically. For Volcengine and BytePlus, the same preference
also matches their coding-plan variants (
volcengine-plan/*,byteplus-plan/*). - If that preferred-provider filter would be empty, the picker falls back to the full catalog instead of showing no models.
- Wizard runs a model check and warns if the configured model is unknown or missing auth.
Credential and profile paths:
- Auth profiles (API keys + OAuth):
~/.openclaw/agents/<agentId>/agent/auth-profiles.json - Legacy OAuth import:
~/.openclaw/credentials/oauth.json
Credential storage mode:
- Das standardmäßige Onboarding-Verhalten speichert API-Schlüssel als Klartextwerte in Auth-Profilen.
--secret-input-mode refaktiviert den Referenzmodus anstelle der Speicherung von Klartextschlüsseln. In der interaktiven Einrichtung können Sie eine der folgenden Optionen wählen:- Umgebungsvariablen-Ref (zum Beispiel
keyRef: { source: "env", provider: "default", id: "OPENAI_API_KEY" }) - konfigurierte Provider-Ref (
fileoderexec) mit Provider-Alias + ID
- Umgebungsvariablen-Ref (zum Beispiel
- Der interaktive Referenzmodus führt vor dem Speichern eine schnelle Preflight-Validierung aus.
- Env-Refs: validiert Variablenname + nicht leeren Wert in der aktuellen Onboarding-Umgebung.
- Provider-Refs: validiert die Provider-Konfiguration und löst die angeforderte ID auf.
- Wenn der Preflight fehlschlägt, zeigt das Onboarding den Fehler an und lässt Sie es erneut versuchen.
- Im nicht interaktiven Modus ist
--secret-input-mode refausschließlich env-gestützt.- Setzen Sie die Provider-Umgebungsvariable in der Prozessumgebung des Onboardings.
- Inline-Schlüsselflags (zum Beispiel
--openai-api-key) erfordern, dass diese Umgebungsvariable gesetzt ist; andernfalls schlägt das Onboarding schnell fehl. - Für benutzerdefinierte Provider speichert der nicht interaktive
ref-Modusmodels.providers.<id>.apiKeyals{ source: "env", provider: "default", id: "CUSTOM_API_KEY" }. - In diesem Fall mit benutzerdefiniertem Provider erfordert
--custom-api-key, dassCUSTOM_API_KEYgesetzt ist; andernfalls schlägt das Onboarding schnell fehl.
- Gateway-Auth-Anmeldedaten unterstützen in der interaktiven Einrichtung die Auswahl zwischen Klartext und SecretRef:
- Token-Modus: Klartext-Token generieren/speichern (Standard) oder SecretRef verwenden.
- Passwortmodus: Klartext oder SecretRef.
- Nicht interaktiver Token-SecretRef-Pfad:
--gateway-token-ref-env <ENV_VAR>. - Vorhandene Klartext-Setups funktionieren unverändert weiter.
Ausgaben und Interna
Typische Felder in ~/.openclaw/openclaw.json:
agents.defaults.workspaceagents.defaults.skipBootstrap, wenn--skip-bootstrapübergeben wirdagents.defaults.model/models.providers(wenn Minimax ausgewählt wurde)tools.profile(lokales Onboarding verwendet standardmäßig"coding", wenn nicht gesetzt; vorhandene explizite Werte bleiben erhalten)gateway.*(Modus, Bind-Adresse, Auth, tailscale)session.dmScope(lokales Onboarding setzt dies standardmäßig aufper-channel-peer, wenn nicht gesetzt; vorhandene explizite Werte bleiben erhalten)channels.telegram.botToken,channels.discord.token,channels.matrix.*,channels.signal.*,channels.imessage.*- Kanal-Zulassungslisten (Slack, Discord, Matrix, Microsoft Teams), wenn Sie sich während der Eingabeaufforderungen dafür entscheiden (Namen werden nach Möglichkeit zu IDs aufgelöst)
skills.install.nodeManager- Das Flag
setup --node-managerakzeptiertnpm,pnpmoderbun. - Die manuelle Konfiguration kann später weiterhin
skills.install.nodeManager: "yarn"setzen.
- Das Flag
wizard.lastRunAtwizard.lastRunVersionwizard.lastRunCommitwizard.lastRunCommandwizard.lastRunModewizard.securityAcknowledgedAt
openclaw agents add schreibt agents.list[] und optionale bindings.
WhatsApp-Anmeldedaten werden unter ~/.openclaw/credentials/whatsapp/<accountId>/ abgelegt.
Sitzungen werden unter ~/.openclaw/agents/<agentId>/sessions/ gespeichert.
Gateway-Assistent-RPC:
wizard.startwizard.nextwizard.cancelwizard.status
Clients (macOS-App und Control UI) können Schritte rendern, ohne die Onboarding-Logik neu zu implementieren.
Verhalten der Signal-Einrichtung:
- Lädt das passende Release-Asset herunter
- Speichert es unter
~/.openclaw/tools/signal-cli/<version>/ - Schreibt
channels.signal.cliPathin die Konfiguration - JVM-Builds erfordern Java 21
- Native Builds werden verwendet, wenn verfügbar
- Windows verwendet WSL2 und folgt dem Linux-signal-cli-Ablauf innerhalb von WSL
Zugehörige Dokumentation
- Onboarding-Hub: Onboarding (CLI)
- Automatisierung und Skripte: CLI-Automatisierung
- Befehlsreferenz:
openclaw onboard