Documentation Index
Fetch the complete documentation index at: https://cryptoclawdocs.termix.ai/llms.txt
Use this file to discover all available pages before exploring further.
OAuth
OpenClaw supports “subscription auth” via OAuth for providers that offer it (notably OpenAI Codex (ChatGPT OAuth)). For Anthropic subscriptions, use the setup-token flow. Anthropic subscription use outside Claude Code has been restricted for some users in the past, so treat it as a user-choice risk and verify current Anthropic policy yourself. OpenAI Codex OAuth is explicitly supported for use in external tools like OpenClaw. This page explains: For Anthropic in production, API key auth is the safer recommended path over subscription setup-token auth.- how the OAuth token exchange works (PKCE)
- where tokens are stored (and why)
- how to handle multiple accounts (profiles + per-session overrides)
The token sink (why it exists)
OAuth providers commonly mint a new refresh token during login/refresh flows. Some providers (or OAuth clients) can invalidate older refresh tokens when a new one is issued for the same user/app. Practical symptom:- you log in via OpenClaw and via Claude Code / Codex CLI → one of them randomly gets “logged out” later
auth-profiles.json as a token sink:
- the runtime reads credentials from one place
- we can keep multiple profiles and route them deterministically
Storage (where tokens live)
Secrets are stored per-agent:- Auth profiles (OAuth + API keys + optional value-level refs):
~/.openclaw/agents/<agentId>/agent/auth-profiles.json - Legacy compatibility file:
~/.openclaw/agents/<agentId>/agent/auth.json(staticapi_keyentries are scrubbed when discovered)
~/.openclaw/credentials/oauth.json(imported intoauth-profiles.jsonon first use)
$OPENCLAW_STATE_DIR (state dir override). Full reference: /gateway/configuration
For static secret refs and runtime snapshot activation behavior, see Secrets Management.
Anthropic setup-token (subscription auth)
Runclaude setup-token on any machine, then paste it into OpenClaw:
OAuth exchange (how login works)
OpenClaw’s interactive login flows are implemented in@mariozechner/pi-ai and wired into the wizards/commands.
Anthropic setup-token
Flow shape:- run
claude setup-token - paste the token into OpenClaw
- store as a token auth profile (no refresh)
openclaw onboard → auth choice setup-token (Anthropic).
OpenAI Codex (ChatGPT OAuth)
OpenAI Codex OAuth is explicitly supported for use outside the Codex CLI, including OpenClaw workflows. Flow shape (PKCE):- generate PKCE verifier/challenge + random
state - open
https://auth.openai.com/oauth/authorize?... - try to capture callback on
http://127.0.0.1:1455/auth/callback - if callback can’t bind (or you’re remote/headless), paste the redirect URL/code
- exchange at
https://auth.openai.com/oauth/token - extract
accountIdfrom the access token and store{ access, refresh, expires, accountId }
openclaw onboard → auth choice openai-codex.
Refresh + expiry
Profiles store anexpires timestamp.
At runtime:
- if
expiresis in the future → use the stored access token - if expired → refresh (under a file lock) and overwrite the stored credentials
Multiple accounts (profiles) + routing
Two patterns:1) Preferred: separate agents
If you want “personal” and “work” to never interact, use isolated agents (separate sessions + credentials + workspace):2) Advanced: multiple profiles in one agent
auth-profiles.json supports multiple profile IDs for the same provider.
Pick which profile is used:
- globally via config ordering (
auth.order) - per-session via
/model ...@<profileId>
/model Opus@anthropic:work
openclaw channels list --json(showsauth[])
- /concepts/model-failover (rotation + cooldown rules)
- /tools/slash-commands (command surface)