Skip to main content

CLI Onboarding Reference

This page is the full reference for openclaw onboard. For the short guide, see Onboarding Wizard (CLI).

What the wizard does

Local mode (default) walks you through:
  • Model and auth setup (OpenAI Code subscription OAuth, Anthropic API key or setup token, plus MiniMax, GLM, Moonshot, and AI Gateway options)
  • Workspace location and bootstrap files
  • Gateway settings (port, bind, auth, tailscale)
  • Channels and providers (Telegram, WhatsApp, Discord, Google Chat, Mattermost plugin, Signal)
  • Daemon install (LaunchAgent or systemd user unit)
  • Health check
  • Skills setup
Remote mode configures this machine to connect to a gateway elsewhere. It does not install or modify anything on the remote host.

Local flow details

1

Existing config detection

  • If ~/.openclaw/openclaw.json exists, choose Keep, Modify, or Reset.
  • Re-running the wizard does not wipe anything unless you explicitly choose Reset (or pass --reset).
  • If config is invalid or contains legacy keys, the wizard stops and asks you to run openclaw doctor before continuing.
  • Reset uses trash and offers scopes:
    • Config only
    • Config + credentials + sessions
    • Full reset (also removes workspace)
2

Model and auth

3

Workspace

  • Default ~/.openclaw/workspace (configurable).
  • Seeds workspace files needed for first-run bootstrap ritual.
  • Workspace layout: Agent workspace.
4

Gateway

  • Prompts for port, bind, auth mode, and tailscale exposure.
  • Recommended: keep token auth enabled even for loopback so local WS clients must authenticate.
  • Disable auth only if you fully trust every local process.
  • Non-loopback binds still require auth.
5

Channels

  • WhatsApp: optional QR login
  • Telegram: bot token
  • Discord: bot token
  • Google Chat: service account JSON + webhook audience
  • Mattermost plugin: bot token + base URL
  • Signal: optional signal-cli install + account config
  • BlueBubbles: recommended for iMessage; server URL + password + webhook
  • iMessage: legacy imsg CLI path + DB access
  • DM security: default is pairing. First DM sends a code; approve via openclaw pairing approve <channel> <code> or use allowlists.
6

Daemon install

  • macOS: LaunchAgent
    • Requires logged-in user session; for headless, use a custom LaunchDaemon (not shipped).
  • Linux and Windows via WSL2: systemd user unit
    • Wizard attempts loginctl enable-linger <user> so gateway stays up after logout.
    • May prompt for sudo (writes /var/lib/systemd/linger); it tries without sudo first.
  • Runtime selection: Node (recommended; required for WhatsApp and Telegram). Bun is not recommended.
7

Health check

  • Starts gateway (if needed) and runs openclaw health.
  • openclaw status --deep adds gateway health probes to status output.
8

Skills

  • Reads available skills and checks requirements.
  • Lets you choose node manager: npm or pnpm (bun not recommended).
  • Installs optional dependencies (some use Homebrew on macOS).
9

Finish

  • Summary and next steps, including iOS, Android, and macOS app options.
If no GUI is detected, the wizard prints SSH port-forward instructions for the Control UI instead of opening a browser. If Control UI assets are missing, the wizard attempts to build them; fallback is pnpm ui:build (auto-installs UI deps).

Remote mode details

Remote mode configures this machine to connect to a gateway elsewhere.
Remote mode does not install or modify anything on the remote host.
What you set:
  • Remote gateway URL (ws://...)
  • Token if remote gateway auth is required (recommended)
  • If gateway is loopback-only, use SSH tunneling or a tailnet.
  • Discovery hints:
    • macOS: Bonjour (dns-sd)
    • Linux: Avahi (avahi-browse)

Auth and model options

  • macOS: checks Keychain item “Claude Code-credentials”
  • Linux and Windows: reuses ~/.claude/.credentials.json if present
On macOS, choose “Always Allow” so launchd starts do not block.
Run claude setup-token on any machine, then paste the token. You can name it; blank uses default.
If ~/.codex/auth.json exists, the wizard can reuse it.
Browser flow; paste code#state.Sets agents.defaults.model to openai-codex/gpt-5.3-codex when model is unset or openai/*.
Uses OPENAI_API_KEY if present or prompts for a key, then saves it to ~/.openclaw/.env so launchd can read it.Sets agents.defaults.model to openai/gpt-5.1-codex when model is unset, openai/*, or openai-codex/*.
Prompts for OPENCODE_API_KEY (or OPENCODE_ZEN_API_KEY). Setup URL: opencode.ai/auth.
Stores the key for you.
Prompts for AI_GATEWAY_API_KEY. More detail: Vercel AI Gateway.
Prompts for account ID, gateway ID, and CLOUDFLARE_AI_GATEWAY_API_KEY. More detail: Cloudflare AI Gateway.
Config is auto-written. More detail: MiniMax.
Prompts for SYNTHETIC_API_KEY. More detail: Synthetic.
Moonshot (Kimi K2) and Kimi Coding configs are auto-written. More detail: Moonshot AI (Kimi + Kimi Coding).
Model behavior:
  • Pick default model from detected options, or enter provider and model manually.
  • Wizard runs a model check and warns if the configured model is unknown or missing auth.
Credential and profile paths:
  • OAuth credentials: ~/.openclaw/credentials/oauth.json
  • Auth profiles (API keys + OAuth): ~/.openclaw/agents/<agentId>/agent/auth-profiles.json
Headless and server tip: complete OAuth on a machine with a browser, then copy ~/.openclaw/credentials/oauth.json (or $OPENCLAW_STATE_DIR/credentials/oauth.json) to the gateway host.

Outputs and internals

Typical fields in ~/.openclaw/openclaw.json:
  • agents.defaults.workspace
  • agents.defaults.model / models.providers (if Minimax chosen)
  • gateway.* (mode, bind, auth, tailscale)
  • channels.telegram.botToken, channels.discord.token, channels.signal.*, channels.imessage.*
  • Channel allowlists (Slack, Discord, Matrix, Microsoft Teams) when you opt in during prompts (names resolve to IDs when possible)
  • skills.install.nodeManager
  • wizard.lastRunAt
  • wizard.lastRunVersion
  • wizard.lastRunCommit
  • wizard.lastRunCommand
  • wizard.lastRunMode
openclaw agents add writes agents.list[] and optional bindings. WhatsApp credentials go under ~/.openclaw/credentials/whatsapp/<accountId>/. Sessions are stored under ~/.openclaw/agents/<agentId>/sessions/.
Some channels are delivered as plugins. When selected during onboarding, the wizard prompts to install the plugin (npm or local path) before channel configuration.
Gateway wizard RPC:
  • wizard.start
  • wizard.next
  • wizard.cancel
  • wizard.status
Clients (macOS app and Control UI) can render steps without re-implementing onboarding logic. Signal setup behavior:
  • Downloads the appropriate release asset
  • Stores it under ~/.openclaw/tools/signal-cli/<version>/
  • Writes channels.signal.cliPath in config
  • JVM builds require Java 21
  • Native builds are used when available
  • Windows uses WSL2 and follows Linux signal-cli flow inside WSL