# Rotated API Key but claw won't use
OpenClaw doesn’t really “cache” API keys — when you rotate a Gemini key and it still says “key expired”, it’s almost always because the running Gateway is still reading the old value from a different source (service env / different config file / different profile).
Here’s the fastest way to confirm where it’s coming from:
- Version first (helps spot known gotchas)
openclaw --version
- Check you’re editing the same config the service is running
openclaw gateway status
Look for Config (cli) vs Config (service). If they differ, the service is running a different state dir/profile/config (super common with --profile / OPENCLAW_STATE_DIR mismatch). Fix from the profile you want the service to use:
openclaw gateway install --force
openclaw gateway restart
- Probe the Google provider auth live
openclaw models status --probe-provider google
(or openclaw models status --probe)
- Double-check env precedence (this bites people)
Env precedence is process env > local .env > ~/.openclaw/.env > config env block, and OpenClaw never overrides existing values. So if the service still has an old GEMINI_API_KEY in its process env, changing openclaw.json won't replace it.
Docs: https://docs.openclaw.ai/environment
Practical fix: put the new key in ~/.openclaw/.env on the gateway host (and make sure you don’t have the old key still set in the service environment), then:
openclaw gateway restart
If you paste the outputs of:
openclaw --version
openclaw gateway status
openclaw models status --probe-provider google
…I can tell you exactly which of the above cases you’re hitting.
Openclaw version:
2026.2.3-1
openclaw gateway status:
Service: LaunchAgent (not loaded)
File logs: /tmp/openclaw/openclaw-2026-02-08.log
Command: /opt/homebrew/Cellar/node@22/22.22.0/bin/node /opt/homebrew/lib/node_modules/openclaw/dist/index.js gateway --port 18789
Service file: ~/Library/LaunchAgents/ai.openclaw.gateway.plist
Service env: OPENCLAW_GATEWAY_PORT=18789
Config (cli): ~/.openclaw/openclaw.json
Config (service): ~/.openclaw/openclaw.json
Gateway: bind=loopback (127.0.0.1), port=18789 (service args)
Probe target: ws://127.0.0.1:18789
Dashboard: http://127.0.0.1:18789/
Probe note: Loopback-only gateway; only local clients can connect.
Runtime: unknown (Bad request.
Could not find service "ai.openclaw.gateway" in domain for user gui: 502)
RPC probe: failed
RPC target: ws://127.0.0.1:18789
gateway closed (1006 abnormal closure (no close frame)): no close reason
Gateway target: ws://127.0.0.1:18789
Source: cli --url
Config: /Users/aisandbox/.openclaw/openclaw.json
Service unit not found.
Service not installed. Run: openclaw gateway install
File logs: /tmp/openclaw/openclaw-2026-02-08.log
Troubles: run openclaw status
Troubleshooting: https://docs.openclaw.ai/troubleshooting
openclaw models status (at the bottom I see the old key):
Config : ~/.openclaw/openclaw.json
Agent dir : ~/.openclaw/agents/main/agent
Default : google/gemini-2.5-flash
Fallbacks (0) : -
Image model : -
Image fallbacks (0): -
Aliases (1) : gemini -> google/gemini-2.5-flash
Configured models (1): google/gemini-2.5-flash
Auth overview
Auth store : ~/.openclaw/agents/main/agent/auth-profiles.json
Shell env : off
Providers w/ OAuth/tokens (0): -
- google effective=profiles:~/.openclaw/agents/main/agent/auth-profiles.json | profiles=1 (oauth=0, token=0, api_key=1) | google:default=AIzaSyD0...FXZea85E
OAuth/token status
- none
That output explains it: OpenClaw is not reading Gemini from env/openclaw.json right now — it’s pulling it from the auth profile store:
~/.openclaw/agents/main/agent/auth-profiles.json → google:default=AIzaSyD0...
So even if you rotate GEMINI_API_KEY elsewhere, the agent will keep using the old key saved in auth-profiles until you update/replace that profile.
Fix (recommended): overwrite the stored Google key
Run this on the gateway host:
openclaw models auth paste-token --provider google --profile-id google:default
Paste the new Gemini API key, then verify:
openclaw models status --probe-provider google
Then restart the Gateway that’s actually running
Your gateway status shows the macOS LaunchAgent is not installed/loaded (“Service unit not found”), so gateway restart won’t restart anything daemonized.
Either:
- if you want it as a service:
openclaw gateway install
openclaw gateway start
- or if you run it manually, stop that terminal process and re-run openclaw gateway run.
Once the auth profile shows the new key, the “key expired” errors should stop.
(Extra note: env/config env:{...} never overrides an already-present value, and auth-profiles are a separate source entirely — docs on env precedence: https://docs.openclaw.ai/environment)
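As an added illustration (not OpenClaw's own code), a small Python model of the precedence described in this thread: process env > local .env > ~/.openclaw/.env > config env block, with no source overriding a value that is already set, plus the auth-profile store as a separate source that wins when it holds a key. The dotenv parser, the auth-profiles.json layout and the key strings are constructed assumptions for the example.

```python
import json
from typing import Dict, Optional, Tuple

def parse_dotenv(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser written for this example (skips blanks/comments, strips quotes)."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip().strip('"').strip("'")
    return out

def resolve_env(process_env: Dict[str, str], local_dotenv: str,
                home_dotenv: str, config_env: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Documented order: process env > local .env > ~/.openclaw/.env > config env block.
    setdefault() is the whole point: a lower-precedence source never overwrites an existing key.
    Returns KEY -> (value, source that supplied it) so you can see where a value came from."""
    sources = [("process env", process_env), ("local .env", parse_dotenv(local_dotenv)),
               ("~/.openclaw/.env", parse_dotenv(home_dotenv)), ("config env block", config_env)]
    merged: Dict[str, Tuple[str, str]] = {}
    for name, values in sources:
        for key, value in values.items():
            merged.setdefault(key, (value, name))
    return merged

def effective_gemini_key(env: Dict[str, Tuple[str, str]], auth_profiles_json: str) -> Tuple[Optional[str], str]:
    """The auth-profile store is a separate source and wins when it holds a google api_key (as the
    status output in this thread showed). The JSON layout used here is an assumption for the example."""
    profiles = json.loads(auth_profiles_json).get("profiles", {})
    stored = profiles.get("google:default", {}).get("api_key")
    return (stored, "auth-profiles.json google:default") if stored else env.get("GEMINI_API_KEY", (None, "unset"))

OLD_KEY, NEW_KEY = "AIza-OLD-constructed", "AIza-NEW-constructed"  # constructed, not real keys
NO_PROFILES = json.dumps({"profiles": {}})

def rotation_shadowed_by_service_env() -> Tuple[Optional[str], str]:
    """Key rotated in openclaw.json, but the running service still carries the old value in its env."""
    env = resolve_env({"OPENCLAW_GATEWAY_PORT": "18789", "GEMINI_API_KEY": OLD_KEY}, "", "",
                      {"GEMINI_API_KEY": NEW_KEY})
    return effective_gemini_key(env, NO_PROFILES)

def rotation_via_home_dotenv() -> Tuple[Optional[str], str]:
    """The thread's practical fix: new key in ~/.openclaw/.env, old value cleared from the service env."""
    env = resolve_env({"OPENCLAW_GATEWAY_PORT": "18789"}, "", f"GEMINI_API_KEY={NEW_KEY}\n",
                      {"GEMINI_API_KEY": OLD_KEY})
    return effective_gemini_key(env, NO_PROFILES)

def rotation_blocked_by_auth_profile() -> Tuple[Optional[str], str]:
    """Everything rotated except auth-profiles.json: the stored profile key is still the one in use."""
    env = resolve_env({}, "", f"GEMINI_API_KEY={NEW_KEY}\n", {})
    return effective_gemini_key(env, json.dumps({"profiles": {"google:default": {"api_key": OLD_KEY}}}))
```

Each scenario returns the key that would actually be used and the source it came from, which is the same question openclaw gateway status and openclaw models status answer on a real host.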
The agent is responding but I'm now seeing errors in the terminal (gateway):
v reason=token_missing
07:34:45 [ws] closed before connect conn=25163ccf-b720-450a-a9a5-26be664ade50 remote=127.0.0.1 fwd=n/a origin=http://127.0.0.1:18789 host=127.0.0.1:18789 ua=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36 code=1008 reason=unauthorized: gateway token missing (open a tokenized dashboard URL or paste token in Control UI settings)
07:35:01 [ws] unauthorized conn=b36af96f-d869-4a39-a6cd-7d271098fc53 remote=127.0.0.1 client=openclaw-control-ui webchat vdev reason=token_missing
07:35:01 [ws] closed before connect conn=b36af96f-d869-4a39-a6cd-7d271098fc53 remote=127.0.0.1 fwd=n/a origin=http://127.0.0.1:18789 host=127.0.0.1:18789 ua=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36 code=1008 reason=unauthorized: gateway token missing (open a tokenized dashboard URL or paste token in Control UI settings)
07:35:17 [ws] unauthorized conn=f89e9ce7-2e13-4d08-8fd3-4f6fba8618a3 remote=127.0.0.1 client=openclaw-control-ui webchat vdev reason=token_missing
07:35:17 [ws] closed before connect conn=f89e9ce7-2e13-4d08-8fd3-4f6fba8618a3 remote=127.0.0.1 fwd=n/a origin=http://127.0.0.1:18789 host=127.0.0.1:18789 ua=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36 code=1008 reason=unauthorized: gateway token missing (open a tokenized dashboard URL or paste token in Control UI settings)
07:35:33 [ws] unauthorized conn=471a6d0e-cf85-46b3-919f-f41b34995cef remote=127.0.0.1 client=openclaw-control-ui webchat vdev reason=token_missing
Those log lines are just the Control UI / WebChat tab trying to open a WS connection without the gateway token:
reason=token_missing … code=1008 … unauthorized: gateway token missing
So the Gateway is fine; the browser tab is unauthorized.
Fix (pick one)
Option A (fastest): open a tokenized dashboard URL
openclaw dashboard
That prints (and usually opens) a URL like http://127.0.0.1:18789/?token=.... Open that exact link once; the UI stores the token after.
Option B: paste the token in the Control UI settings
- Open http://127.0.0.1:18789/
- Go to Control UI settings
- Paste the same value as gateway.auth.token (or OPENCLAW_GATEWAY_TOKEN)
Option C: if you don’t have a token configured
openclaw doctor --generate-gateway-token
then run openclaw dashboard again.
Docs (this exact error): https://docs.openclaw.ai/help/faq#the-control-ui-says-unauthorized-or-keeps-reconnecting-what-now
If you don’t care about the dashboard
Just close the Control UI/WebChat tab — the spam stops, and your chat-based agent can keep working.
If I had my gateway token in a git repo accidentally (set to private), should I create a new one and if so, how?
Yes — treat the gateway token like a password. Even in a private repo, rotating it is the right move (especially if anyone else ever had access, or if it might get shared/forked later).
Rotate / generate a new gateway token
On the gateway host, run:
openclaw doctor --generate-gateway-token
openclaw gateway restart
Then re-open the dashboard with the new token:
openclaw dashboard
That gives you a http://127.0.0.1:18789/?token=... link you can open once (the Control UI stores it), or you can paste the token into Control UI settings manually.
Docs: https://docs.openclaw.ai/help/faq#the-control-ui-says-unauthorized-or-keeps-reconnecting-what-now
Clean up the repo
- Remove the token from the file and commit the removal.
- If it was committed in history, consider rewriting history (or at least assume it’s exposed to anyone with repo access).
If you paste your gateway.auth block (redact the token) I can tell you exactly where it lives and what to update.
It's the exact same token as before
openclaw doctor --generate-gateway-token will generate one if you don’t have one — it generally won’t rotate/overwrite an existing gateway.auth.token, so you can absolutely end up with “the same token as before”.
To rotate it, set a new value explicitly:
1) Generate a new token + write it into config
NEW_TOKEN="$(python3 -c 'import secrets; print(secrets.token_urlsafe(32))')"
openclaw config set gateway.auth.token "$NEW_TOKEN"
openclaw config get gateway.auth.token
2) Make sure nothing is overriding it via env
Env wins over config. Check + clear if needed:
echo "$OPENCLAW_GATEWAY_TOKEN"
launchctl getenv OPENCLAW_GATEWAY_TOKEN
launchctl unsetenv OPENCLAW_GATEWAY_TOKEN
(That launchctl setenv ... override is a known cause of “why didn’t my token change”.)
3) Restart whichever gateway you’re actually running
Earlier your status showed the LaunchAgent wasn’t installed/loaded, so:
- If you run it in a terminal: stop that process and start it again.
- If you want the service:
openclaw gateway install
openclaw gateway start
4) Re-auth the dashboard/UI
Open a fresh tokenized link (or paste it in settings):
openclaw dashboard
After this, the old token is dead (good). Then you’ll want to remove it from the repo and assume it’s leaked in git history if it was ever committed.
Are there best practices if one wants to back up ~/.openclaw on git? Could all the keys, tokens, and app passwords be stored in the .env file only (or the auth-profiles.json if that takes precedence) and just ignore those on future commits?
Best practice: don’t put ~/.openclaw in git at all. The docs are pretty explicit:
“Put your agent workspace in a private git repo… Do not commit anything under ~/.openclaw (credentials, sessions, tokens).”
Source: https://docs.openclaw.ai/help/faq#whats-the-recommended-backup-strategy
What to put in git (recommended)
- Your agent workspace (this is the “mind”):
AGENTS.md, SOUL.md, USER.md, MEMORY.md / memory/*.md, skills in your workspace, etc.
- Default is ~/.openclaw/workspace unless you changed agents.defaults.workspace.
This is the part you want versioned and shareable (in a private repo).
- Optionally: a sanitized openclaw.json
- Keep config in git without secrets
- Use env var substitution like ${GEMINI_API_KEY} in config and keep the actual key out of the repo.