#installing openclaw

clever crypt
#

explain the process, I'm using Docker Ubuntu and want the highest security (no network and no file access) while still running locally in Docker. I have already installed plenty but have been getting error after error

daring badgerBOT
#

With “no network + no file access” there are hard limits, so first quick clarification (because it changes the whole setup):

  1. By “no network” do you mean no outbound Internet, or literally --network none (no ports, no UI access from your host)?
  2. By “no file access” do you mean no host bind mounts, or “the agent must never read/write any files at all”?

The key concept: there are two “Docker” modes in OpenClaw

A) Containerized Gateway (everything runs in Docker)
This is optional, but the Gateway still needs:

  • some networking (at least host↔container for the Control UI)
  • some writable state (sessions/config), even if it’s only tmpfs inside the container

Docs: https://docs.openclaw.ai/install/docker

B) Tool Sandboxing (recommended for max security)
Run the Gateway normally, but run tools in Docker with:

  • network: "none" (default)
  • workspaceAccess: "none" (default)
  • plus a strict tool denylist (no read/write/edit/exec, no web_fetch/web_search/browser)

This achieves what people usually mean by “no network and no file access” (for the agent’s actions), while still letting the Gateway talk to a model + serve the UI.

Docs: https://docs.openclaw.ai/gateway/sandboxing and https://docs.openclaw.ai/gateway/security

“Highest security” baseline (practical)

  • Keep the Gateway only reachable locally (or tailnet), and require a token.
  • Sandbox tools + deny risky tools.

Example config shape (drop into ~/.openclaw/openclaw.json on the gateway host):

{
  gateway: {
    bind: "loopback",
    auth: { mode: "token", token: "put-a-long-random-token-here" },
  },

  agents: {
    defaults: {
      sandbox: {
        mode: "all", // or "non-main" to keep main session unsandboxed
        scope: "session",
        workspaceAccess: "none",
        docker: { network: "none", readOnlyRoot: true, capDrop: ["ALL"] },
      },
    },
  },

  tools: {
    deny: ["read", "write", "edit", "apply_patch", "exec", "process", "web_fetch", "web_search", "browser"],
  },
}

If you truly mean --network none for the whole container

Then you generally cannot use the browser Control UI from your host (no port publishing), and you also can’t use any cloud model provider. The only workable path is a fully self-contained container that runs its own local model server inside the same container (localhost-only). That’s doable, but it’s a different, more complex build.


To stop the “error after error” loop: paste these

From wherever OpenClaw is running (host or inside the container), paste:

openclaw --version
openclaw status
openclaw gateway status
openclaw doctor
openclaw logs --follow

If you’re using compose, also paste:

docker compose ps
docker compose logs --tail=200 openclaw-gateway

And tell me which of the two Docker modes you’re attempting (containerized gateway vs tool sandboxing).

clever crypt
#

ok i am at the openclaw onboarding, how do i make sure to install it correctly, ie

#

nvm

#

when trying to access openclaw by the url provided by finishing the setup process in ubuntu i get these errors

"0c3ffe9e11fe 08c04a5cefca "docker-entrypoint.s…" 14 minutes ago Up 12 minutes 127.0.0.1:18789-18790->18789-18790/tcp openclaw-openclaw-gateway-1
thor@DESKTOP-2HNAR5T:~/openclaw$ docker exec -it 0c3ffe9e11fe /bin/bash
node@0c3ffe9e11fe:/app$ openclaw gateway pairing
bash: openclaw: command not found
node@0c3ffe9e11fe:/app$ openclaw gateway status
bash: openclaw: command not found
node@0c3ffe9e11fe:/app$ npx openclaw gateway pairing
error: too many arguments for 'gateway'. Expected 0 arguments but got 1.
npm notice
npm notice New major version of npm available! 10.9.4 -> 11.10.0
npm notice Changelog: https://github.com/npm/cli/releases/tag/v11.10.0
npm notice To update run: npm install -g npm@11.10.0
npm notice
node@0c3ffe9e11fe:/app$ npm install -g np@11.10.0
npm error code ETARGET
npm error notarget No matching version found for np@11.10.0.
npm error notarget In most cases you or one of your dependencies are requesting
npm error notarget a package version that doesn't exist.
npm error A complete log of this run can be found in: /home/node/.npm/_logs/2026-02-18T06_31_15_691Z-debug-0.log
node@0c3ffe9e11fe:/app$
"

daring badgerBOT
#

To sanity-check that onboarding “installed correctly”, you want to end up in a state where:

  1. the Gateway is running and healthy
  2. you can open the Control UI and authenticate (token)
  3. doctor + security audit come back clean (or show actionable fixes)

0) First: what exact onboarding are you in?

On Linux/Docker the “official” onboarding is the CLI wizard:

openclaw onboard

If you’re doing the Docker Compose setup from the repo, the doc-backed flow is:

  • ./docker-setup.sh (recommended), or
  • manual: docker compose run --rm openclaw-cli onboard
docker compose run --rm openclaw-cli dashboard --no-open

Then open the printed http://127.0.0.1:18789/ URL in your browser and paste the token.

If the UI says pairing required / unauthorized, approve the browser device:

docker compose run --rm openclaw-cli devices list
docker compose run --rm openclaw-cli devices approve <requestId>

2) “Make sure it’s correct” repair pass (highly recommended)

Run these after onboarding (don’t paste tokens/API keys in chat):

docker compose run --rm openclaw-cli doctor
docker compose run --rm openclaw-cli security audit

Docs:

3) About “highest security (no network, no file access)”

Two important constraints:

  • OpenClaw must write some state (config, sessions/logs, credentials). You can avoid host filesystem access by using named volumes, but “zero file access at all” isn’t compatible with normal operation.
  • “No network at all” only works if your model is local and reachable without egress. If you use any cloud model (or Discord/Telegram/etc), the gateway needs network.

If what you mean is “the agent tools shouldn’t be able to touch host files or the internet”, then you’re aiming for tool sandboxing + strict tool allow/deny (and sandbox network defaults to none). Start here:

#

4) What I need from you (so we stop the error loop)

Reply with:

  1. openclaw --version (inside the container you can do: docker compose run --rm openclaw-cli openclaw --version)
  2. which command you ran (openclaw onboard vs ./docker-setup.sh vs compose manual)
  3. the exact onboarding step you’re on + the full error text (redact any secrets)
#

The stuff you’re seeing is normal for the gateway container:

  • openclaw: command not found → the running openclaw-gateway image is a minimal runtime and typically does not have the openclaw CLI on $PATH.
  • npx openclaw ... → pulls some random version of the CLI (often not matching your gateway) so the command shape doesn’t match (that’s why you got the weird gateway “too many arguments” error).
  • openclaw gateway pairing isn’t a thing anyway — pairing is openclaw pairing ... (DM pairing) or openclaw devices ... (device/node pairing).

Use the CLI container (the intended Docker flow)

From your repo folder (where docker-compose.yml lives), run CLI commands like this:

docker compose run --rm openclaw-cli gateway status
docker compose run --rm openclaw-cli gateway health
docker compose run --rm openclaw-cli dashboard --no-open

Pairing commands (if you actually need them):

docker compose run --rm openclaw-cli pairing list discord
docker compose run --rm openclaw-cli pairing approve discord <CODE>
# or for device/node pairing:
docker compose run --rm openclaw-cli devices list
docker compose run --rm openclaw-cli devices approve <requestId>

About the URL / browser error

You didn’t paste the browser error yet (401/unauthorized? “disconnected 1008 pairing required”? connection refused?).

Can you paste exactly what the browser shows when you open http://127.0.0.1:18789/?

Also run this and paste the output:

docker compose logs --tail 200 openclaw-gateway

That’ll tell us immediately whether it’s:

  • not listening/bound wrong inside the container, or
  • listening fine but you just need to paste the gateway token into the Control UI (common: “unauthorized/1008”).

clever crypt
#

when trying to open the dashboard link and approve my browser device i get an error "openclaw cli failed: error: gateway closed (1006 abnormal closeure( no close frame (no close reason))
gateway target ws://127.0.0.1:18789
source:local loopback
config; /Home/node/.openclaw/openclaw.json
Bind: loopback
at Object.onClose (file:///app/dist/call-BKq8Zjbe.js:266:10)
at WebSocket.<anonymous> (file:///app/dist/client-JcifYliF.js:1524:23)
at WebSocket.emit (node:events:519:28)
at WebSocket.emitClose (/app/node_modules/.pnpm/ws@8.19.0/node_modules/ws/lib/websocket.js:263:12)
at emitErrorAndClose (/app/node_modules/.pnpm/ws@8.19.0/node_modules/ws/lib/websocket.js:1047:13)
at ClientRequest.<anonymous> (/app/node_modules/.pnpm/ws@8.19.0/node_modules/ws/lib/websocket.js:886:5)
at ClientRequest.emit (node:events:519:28)
at emitErrorEvent (node:_http_client:107:11)
at Socket.socketErrorListener (node:_http_client:574:5)
at Socket.emit (node:events:519:28)"

daring badgerBOT
#

That 1006 abnormal closure is almost always “the CLI can’t actually reach the Gateway WS”, and your error text basically confirms why:

  • CLI is trying to talk to ws://127.0.0.1:18789
  • but in Docker, 127.0.0.1 inside the openclaw-cli container is NOT the gateway container
  • and your Gateway is configured to Bind: loopback, which also prevents other containers from reaching it even via the service name.

Fix (Docker Compose)

From the repo folder (where your docker-compose.yml is), run:

# 1) Make the gateway listen on the container network (required for docker)
docker compose run --rm openclaw-cli config set gateway.bind "lan"

# 2) Restart the gateway container
docker compose restart openclaw-gateway

Now verify the gateway is reachable from the CLI container using the service name:

docker compose run --rm openclaw-cli gateway health \
  --url ws://openclaw-gateway:18789 \
  --token "$OPENCLAW_GATEWAY_TOKEN"

Approve the browser device (pairing)

docker compose run --rm openclaw-cli devices list \
  --url ws://openclaw-gateway:18789 \
  --token "$OPENCLAW_GATEWAY_TOKEN"

docker compose run --rm openclaw-cli devices approve <requestId> \
  --url ws://openclaw-gateway:18789 \
  --token "$OPENCLAW_GATEWAY_TOKEN"

Then open the UI

Open this on your host (WSL/Ubuntu machine):

If it asks for auth, use the same token (from .env → OPENCLAW_GATEWAY_TOKEN). Don’t paste it here.

Two “don’t do this” notes

  • Don’t run npx openclaw ... in the container (it’ll grab a random version and make things worse).
  • Don’t try to update npm to fix this — it’s just a Docker networking/bind issue.

If any of the commands above still 1006, paste:

docker compose logs --tail 200 openclaw-gateway

(redact tokens) and I’ll tell you what it’s choking on.

clever crypt
#

the cli gateway health command comes back with an error, :thor@DESKTOP-2HNAR5T:~/openclaw$ docker compose run --rm openclaw-cli gateway health
--url ws://openclaw-gateway:18789
--token #token=18038e393deeb5d541b1671fdceac2d01e954828cd86d6b8
WARN[0000] The "CLAUDE_AI_SESSION_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_WEB_SESSION_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_WEB_COOKIE" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_AI_SESSION_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_WEB_SESSION_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_WEB_COOKIE" variable is not set. Defaulting to a blank string.
Container openclaw-openclaw-cli-run-5c2bf5ed85ab Creating
Container openclaw-openclaw-cli-run-5c2bf5ed85ab Created

🦞 OpenClaw 2026.2.16 (unknown) — Say "stop" and I'll stop—say "ship" and we'll both learn a lesson.

error: option '--token <token>' argument missing

thor@DESKTOP-2HNAR5T:~/openclaw$ docker compose run --rm openclaw-cli gateway health
--url ws://openclaw-gateway:18789 \
--token #token=18038e393deeb5d541b1671fdceac2d01e954828cd86d6b8
WARN[0000] The "CLAUDE_AI_SESSION_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_WEB_SESSION_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_WEB_COOKIE" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_AI_SESSION_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_WEB_SESSION_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_WEB_COOKIE" variable is not set. Defaulting to a blank string.
Container openclaw-openclaw-cli-run-3b08cbecd43c Creating
Container openclaw-openclaw-cli-run-3b08cbecd43c Created

🦞 OpenClaw 2026.2.16 (unknown) — I run on caffeine, JSON5, and the audacity of "it worked on my machine."

error: too many arguments for 'health'. Expected 0 arguments but got 1.

--token: command not found
thor@DESKTOP-2HNAR5T:~/openclaw$"

#

@daring badger <t:1771400672:f>

daring badgerBOT
#

I see the timestamp ping, but I’m not sure what you want me to do with it.

  • If you’re just saying “I’ll be back at that time” → cool, reply when you’re ready.
  • If you want help now, paste the output of:
    docker compose run --rm openclaw-cli config get gateway.bind
    docker compose logs --tail 200 openclaw-gateway
    
  • If you want a reminder posted in this thread at that time, say “remind me to ___ at <time>” (and confirm your timezone).

clever crypt
#

here are the results of doing that "openclaw-gateway-1 | 2026-02-18T07:35:47.392Z [ws] closed before connect conn=be656f2f-4d00-4d36-bd46-4d431e40edb5 remote=172.18.0.1 fwd=n/a origin=http://127.0.0.1:18789 host=127.0.0.1:18789 ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36 OPR/127.0.0.0 code=1008 reason=pairing required
openclaw-gateway-1 | 2026-02-18T07:35:56.830Z [ws] closed before connect conn=6722a607-2627-4fe9-b706-2ffbb91908f8 remote=172.18.0.1 fwd=n/a origin=http://127.0.0.1:18789 host=127.0.0.1:18789 ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36 OPR/127.0.0.0 code=1008 reason=pairing required
openclaw-gateway-1 | 2026-02-18T07:36:03.364Z [ws] closed before connect conn=cabaf720-438d-412a-9a40-2d755922a104 remote=172.18.0.1 fwd=n/a origin=http://127.0.0.1:18789 host=127.0.0.1:18789 ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36 OPR/127.0.0.0 code=1008 reason=pairing required"

daring badgerBOT
#

Those logs are the smoking gun:

code=1008 reason=pairing required

That’s device pairing for the Control UI, not a “token wrong” problem. In Docker the browser shows up to the gateway as remote=172.18.0.1 (docker bridge), so it’s not treated as a “local auto-approved” device → you must approve it once.

Fix: approve the browser device

  1. Make the dashboard tab try to connect (leave it open at http://127.0.0.1:18789/).

  2. Get your gateway token (don’t paste it here):

docker compose run --rm openclaw-cli config get gateway.auth.token

  3. List pending device requests (run this right after the UI attempts to connect):

docker compose run --rm openclaw-cli devices list \
  --url ws://openclaw-gateway:18789 \
  --token "<PASTE_TOKEN_HERE>"

  4. Approve the requestId you see:

docker compose run --rm openclaw-cli devices approve <requestId> \
  --url ws://openclaw-gateway:18789 \
  --token "<PASTE_TOKEN_HERE>"

  5. Refresh the dashboard page.

If devices list shows nothing

It only appears after the browser has tried to connect. Refresh the page, hit “connect” again (if there’s a button), then re-run devices list.

#

Also make sure the UI has the token

In the Control UI there’s a settings/auth area with a Gateway Token field—paste the same token there.

If you paste the output of devices list (redacting any tokens), I can tell you exactly which requestId to approve / what’s missing.

clever crypt
#

I don't think it worked, here is the output from those commands

daring badgerBOT
#

Paste the outputs (you can redact tokens/secrets) — right now I can’t tell which part failed (no pending device request vs approve failed vs CLI talking to wrong URL).

Run exactly these, in this order, and paste the full output:

# 1) Keep the dashboard tab open (so it actually generates a pending device request)
#    http://127.0.0.1:18789/

# 2) Confirm what bind mode the gateway is using
docker compose run --rm openclaw-cli config get gateway.bind

# 3) Get the gateway token (DON'T paste the token; just confirm it returns something non-empty)
docker compose run --rm openclaw-cli config get gateway.auth.token

# 4) Check gateway is reachable from the CLI container (use the service name!)
#    For this one, paste output but replace the token with <REDACTED>
docker compose run --rm openclaw-cli gateway health \
  --url ws://openclaw-gateway:18789 \
  --token "<REDACTED>"

# 5) List device pairing requests (this is the key one)
docker compose run --rm openclaw-cli devices list \
  --url ws://openclaw-gateway:18789 \
  --token "<REDACTED>"

# 6) (optional) last 80 lines of gateway logs
docker compose logs --tail 80 openclaw-gateway

Also tell me what the dashboard shows exactly:

  • does it let you paste a token in “Gateway Token” and click Connect?
  • or does it immediately say “pairing required” / keeps reconnecting?
#

Once I see devices list, I can tell you the exact devices approve <requestId> command you need (or why the request isn’t being created).

#

You’ve got two separate issues in that paste:

1) Your devices approve <requestId> command didn’t run at all

You literally typed the placeholder "<requestId>", so bash treated <requestId> as input redirection:

bash: requestId: No such file or directory

You need to replace it with the real request id you get from devices list (and no < >).

2) Why devices list is failing: the CLI container itself is “unpaired”

This line is the key:

gateway closed (1008): pairing required

That means the Gateway is requiring device pairing for that client connection too. So the openclaw-cli container can’t list/approve devices yet because it isn’t paired.

Bootstrap fix: run the device approval from inside the gateway container (local auto-approved)

#

The gateway container can connect to ws://127.0.0.1:18789 “locally”, which is auto-approved.

Do this:

  1. Keep the dashboard tab open at http://127.0.0.1:18789/ so it keeps generating the pending request.

  2. In your host terminal:

# Get pending device requests using a LOCAL connection from inside the gateway container
docker compose exec openclaw-gateway node dist/index.js devices list \
  --url ws://127.0.0.1:18789 \
  --token 18038e393deeb5d541b1671fdceac2d01e954828cd86d6b8
  3. You should now see one or more pending requests. Approve the relevant one(s):
docker compose exec openclaw-gateway node dist/index.js devices approve REQUEST_ID_HERE \
  --url ws://127.0.0.1:18789 \
  --token 18038e393deeb5d541b1671fdceac2d01e954828cd86d6b8

Then refresh the dashboard page.

Important security note (please do this next)

You pasted your gateway token in a public thread. Treat it as compromised and rotate it after you’re unblocked. (I won’t ask you to paste the new one.)

If you want, I’ll give you the clean “rotate token + restart + reconnect UI” steps for Docker Compose once you confirm the dashboard connects.

clever crypt
#

THIS IS THE RESULTS FROM THOSE COMMANDS "node@0c3ffe9e11fe:/$ thor@DESKTOPdocker compose run --rm openclaw-cli config get gateway.bindnfig get gateway.bind
WARN[0000] The "CLAUDE_AI_SESSION_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_WEB_SESSION_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_WEB_COOKIE" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_AI_SESSION_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_WEB_SESSION_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_WEB_COOKIE" variable is not set. Defaulting to a blank string.
Container openclaw-openclaw-cli-run-e9449f3683f9 Creating
Container openclaw-openclaw-cli-run-e9449f3683f9 Created

🦞 OpenClaw 2026.2.16 (unknown) — Your terminal just grew claws—type something and let the bot pinch the busywork.

lan
thor@DESKTOP-2HNAR5T:~/openclaw$
thor@DESKTOP-2HNAR5T:~/openclaw$
thor@DESKTOP-2HNAR5T:~/openclaw$ docker compose run --rm openclaw-cli config get gateway.auth.token
WARN[0000] The "CLAUDE_AI_SESSION_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_WEB_SESSION_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_WEB_COOKIE" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_AI_SESSION_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_WEB_SESSION_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_WEB_COOKIE" variable is not set. Defaulting to a blank string.
Container openclaw-openclaw-cli-run-00b429fe603a Creating
Container openclaw-openclaw-cli-run-00b429fe603a Created

🦞 OpenClaw 2026.2.16 (unknown) — Because the right answer is usually a script.

18038e393deeb5d541b1671fdceac2d01e954828cd86d6b8
thor@DESKTOP-2HNAR5T:~/openclaw$ docker compose run --rm openclaw-cli gateway health
--url ws://openclaw-gateway:18789
--token "<REDACTED>"
WARN[0000] The "CLAUDE_AI_SESSION_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_WEB_SESSION_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_WEB_COOKIE" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_WEB_SESSION_KEY" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_WEB_COOKIE" variable is not set. Defaulting to a blank string.
WARN[0000] The "CLAUDE_AI_SESSION_KEY" variable is not set. Defaulting to a blank string.
Container openclaw-openclaw-cli-run-23db86289e75 Creating
Container openclaw-openclaw-cli-run-23db86289e75 Created

🦞 OpenClaw 2026.2.16 (unknown) — Shell yeah—I'm here to pinch the toil and leave you the glory.

│
◇
Error: gateway url override requires explicit credentials
Fix: pass --token or --password (or gatewayToken in tools).
Config: /home/node/.openclaw/openclaw.json

thor@DESKTOP-2HNAR5T:~/openclaw$ Docker compose run --rm openclaw-cli devices list
--url ws://openclaw-gateway:18789
--token "<REDACTED>"

The command 'Docker' could not be found in this WSL 2 distro.
We recommend to activate the WSL integration in Docker Desktop settings.

For details about using Docker Desktop with WSL 2, visit:

https://docs.docker.com/go/wsl2/
"
AND THE 127.0.0.1:18789/chat url leads to a website that says openclaw gateway dashboard and has a chat in the middle that has 2 lines, 1. disconnected from gateway, and 2. disconnected 1008 pairing required

daring badgerBOT
#

Your gateway is fine — the important bits in your output are:

  • gateway.bind is lan ✅ (good for Docker)
  • the dashboard shows disconnected (1008): pairing required ✅ (this means device pairing is blocking the browser)
  • your gateway health failed because you literally passed --token "<REDACTED>" (OpenClaw needs the real token when you override --url)

Also: Docker compose ... failed because you typed capital D (Docker). It must be docker.

The actual fix: approve the pending browser device

Because your browser connects via Docker bridge (172.18…), it’s treated as “remote” and must be approved once.

Keep the dashboard tab open at http://127.0.0.1:18789/ (so the pending request exists), then run:

# list pending device requests (run this on your host)
docker compose exec openclaw-gateway node dist/index.js devices list \
  --url ws://127.0.0.1:18789 \
  --token 18038e393deeb5d541b1671fdceac2d01e954828cd86d6b8

You’ll get a requestId. Approve it (replace REQUEST_ID with the real one; no < >):

docker compose exec openclaw-gateway node dist/index.js devices approve REQUEST_ID \
  --url ws://127.0.0.1:18789 \
  --token 18038e393deeb5d541b1671fdceac2d01e954828cd86d6b8

Then refresh the dashboard page.

If devices list shows nothing

Refresh the dashboard (so it tries again), wait until you see “pairing required” again, then rerun devices list.

#

Very important

You pasted your gateway token publicly in the thread. Assume it’s compromised and rotate it after you’re unblocked (I’ll give you the exact rotate steps once the dashboard connects).

clever crypt
#

ok crazy lol how can i quickly create a new token

daring badgerBOT
#

Generate a fresh one and write it into gateway.auth.token, then restart the gateway.

On your Docker setup (from the repo dir with docker-compose.yml):

# 1) generate a new token (64 hex chars)
NEW_TOKEN="$(openssl rand -hex 32)"

# 2) write it into the config inside the CLI container
docker compose run --rm openclaw-cli config set gateway.auth.token "$NEW_TOKEN"

# 3) restart the gateway so it picks up the new token
docker compose restart openclaw-gateway

Then:

  • refresh http://127.0.0.1:18789/
  • in the Control UI settings, paste the new token (don’t post it in Discord)

Also: since you already pasted the old token publicly, delete that Discord message if you can, and consider checking/revoking any unknown paired devices later:

docker compose exec openclaw-gateway node dist/index.js devices list --url ws://127.0.0.1:18789 --token "$NEW_TOKEN"

clever crypt
#

how do i write it into gateway.auth.token

#

nvm what should i do to fix the previous error after that,

daring badgerBOT
#

Use the config helper:

# generate a new token
NEW_TOKEN="$(openssl rand -hex 32)"

# write it into ~/.openclaw/openclaw.json (inside the docker setup)
docker compose run --rm openclaw-cli config set gateway.auth.token "$NEW_TOKEN"

# restart gateway so it picks it up
docker compose restart openclaw-gateway

Verify it’s set (don’t paste the value back into Discord):

docker compose run --rm openclaw-cli config get gateway.auth.token

Then refresh http://127.0.0.1:18789/ and paste the new token in the Control UI settings.

#

The “previous error” you were stuck on was:

disconnected (1008): pairing required

Rotating gateway.auth.token is good hygiene (since you pasted it), but it doesn’t by itself fix pairing. You still need to approve the browser device once.

Do this sequence

1) Restart after token change

If you changed the token:

docker compose restart openclaw-gateway

2) Open the dashboard and enter the NEW token

Open: http://127.0.0.1:18789/

#

In the Control UI settings, paste the new token and hit Connect.
You’ll likely still see “pairing required” until you approve the device.

3) Approve the pending browser device (this fixes 1008)

Keep the dashboard tab open (so it keeps trying), then run from the gateway container:

# list pending requests
docker compose exec openclaw-gateway node dist/index.js devices list \
  --url ws://127.0.0.1:18789 \
  --token "<YOUR_NEW_TOKEN>"

You should see a requestId. Approve it (replace REQUEST_ID with the real one):

docker compose exec openclaw-gateway node dist/index.js devices approve REQUEST_ID \
  --url ws://127.0.0.1:18789 \
  --token "<YOUR_NEW_TOKEN>"

Then refresh the dashboard page.

If devices list shows nothing: refresh the dashboard page again (so it attempts to connect) and re-run devices list.


Optional cleanup (recommended since the old token leaked)

After you’re connected, list paired devices and revoke anything you don’t recognize:

docker compose exec openclaw-gateway node dist/index.js devices list \
  --url ws://127.0.0.1:18789 \
  --token "<YOUR_NEW_TOKEN>"

If you paste the devices list output (redact tokens, but keep IDs/requestIds), I’ll tell you exactly which line is your browser and what to approve/revoke.

clever crypt
#

OK NOW THAT ITS PAIRED HOW DO I ADD IT TO DISCORD SERVER?

daring badgerBOT
#

To get your OpenClaw bot into your Discord server, you need 3 things: (1) a Discord bot app + invite link, (2) put the bot token into OpenClaw, (3) allowlist your server in OpenClaw config.

Also: Discord requires outbound internet from the gateway container. If you truly want “no network”, Discord can’t work.

1) Create + invite the Discord bot

In Discord Developer Portal:

  1. Applications → New Application
  2. Bot → Add Bot
  3. Enable Privileged Gateway Intents:
    • Message Content Intent
    • Server Members Intent (recommended)

Invite it to your server:

  • OAuth2 → URL Generator
  • Scopes: bot + applications.commands
  • Permissions: at least View Channels, Send Messages, Read Message History (and whatever else you want)
#

2) Add the bot token to OpenClaw (Docker)

On your host (repo folder with docker-compose.yml):

docker compose run --rm openclaw-cli channels add --channel discord --token "PASTE_BOT_TOKEN_HERE"
docker compose restart openclaw-gateway

(Do not paste the bot token into Discord.)

3) Allowlist your server (otherwise it may ignore guild messages)

Copy your Server ID (enable Discord Developer Mode → right click server → Copy ID), then:

docker compose run --rm openclaw-cli config set channels.discord.groupPolicy "allowlist"
docker compose run --rm openclaw-cli config set channels.discord.guilds '{"YOUR_GUILD_ID": {"requireMention": true}}' --json
docker compose restart openclaw-gateway

Now go into a channel in that server and mention the bot to trigger it.

Quick check

docker compose run --rm openclaw-cli channels status --probe

If you tell me whether you want it to respond in all channels or only one specific channel, I’ll give you the tighter guilds.<id>.channels config snippet.

clever crypt
daring badgerBOT
#

“Gateway Intents” are a Discord setting (nothing to do with the OpenClaw gateway). You enable them in the Discord Developer Portal for your bot.

Here’s the exact click-path:

A) Enable the Gateway Intents (Discord Developer Portal)

  1. Open: https://discord.com/developers/applications
  2. Click your Application (the bot you created)
  3. In the left sidebar, click Bot
  4. Scroll down until you see Privileged Gateway Intents
  5. Turn on these toggles:
    • MESSAGE CONTENT INTENT (this is the big one; without it, the bot won’t see message text in most servers)
    • SERVER MEMBERS INTENT (recommended; helps with user lookups/allowlists)
    • (Presence intent is optional; you usually don’t need it)
  6. There’s no “submit” button, but Discord usually shows a little “Saved” state / it applies immediately.

After you change intents, you should restart OpenClaw (or at least restart the gateway container) so Discord reconnects with the new intents.

#

Docs (OpenClaw): https://docs.openclaw.ai/channels/discord

B) Invite the bot to your server (also in the Portal)

  1. Left sidebar → OAuth2 → URL Generator
  2. Under SCOPES, check:
    • bot
    • applications.commands
  3. Under BOT PERMISSIONS, check at least:
    • View Channels
    • Send Messages
    • Read Message History
    • (optional but common) Embed Links, Attach Files
  4. Copy the Generated URL at the bottom, open it, and pick your server.

C) Common “it still doesn’t respond” gotchas

  • The bot is in the server, but OpenClaw is set to requireMention: true → you must mention it.
  • You enabled intents but didn’t restart the gateway.
  • The bot role doesn’t have permission to read/post in that specific channel.

If you paste a screenshot of the Bot page in the Developer Portal (showing the Privileged Gateway Intents section), I can tell you if you’re on the right screen.

clever crypt
#

i did all that, but still no response. and http://127.0.0.1:18789/chat?session=main shows "disconnected (1008): unauthorized: device token mismatch (rotate/reissue device token)

Main Session

|

Disconnected from gateway.
disconnected (1008): unauthorized: device token mismatch (rotate/reissue device token"

daring badgerBOT
#

That UI error is Control UI auth, and it usually happens right after you rotated the gateway token or wiped browser storage:

unauthorized: device token mismatch (rotate/reissue device token)

Meaning: your browser still has an old device token saved, but the Gateway’s device record/token no longer matches.

Fix it fast (recommended): clear site data + re-pair

  1. In your browser, clear site data for http://127.0.0.1:18789:
    • Chrome/Edge/Opera: click the site icon (left of URL) → Site settings → Clear data
      (or DevTools → Application → Storage → Clear site data)
  2. Reload http://127.0.0.1:18789/
    You should be back to: disconnected (1008): pairing required

  3. Approve it again (from the gateway container, since that’s “local”):

#
# list pending pairing requests
docker compose exec openclaw-gateway node dist/index.js devices list \
  --url ws://127.0.0.1:18789 \
  --token "$(docker compose run --rm openclaw-cli config get gateway.auth.token | tail -n 1)"

# approve the requestId you see (replace REQUEST_ID)
docker compose exec openclaw-gateway node dist/index.js devices approve REQUEST_ID \
  --url ws://127.0.0.1:18789 \
  --token "$(docker compose run --rm openclaw-cli config get gateway.auth.token | tail -n 1)"

Then refresh the page.

About “still no response” on Discord

Two quick checks:

#
  1. Are you expecting it to respond in this OpenClaw community server?
    You can’t add your bot here unless you’re a server admin. It will only respond in servers where you invited it.

  2. Verify OpenClaw’s Discord channel is connected:

docker compose run --rm openclaw-cli channels status --probe

If Discord isn’t “connected”, paste the discord-related lines from:

docker compose logs --tail 200 openclaw-gateway

(please don’t paste tokens).

#

If Discord is connected but it ignores messages, it’s almost always:

  • you didn’t allowlist your guild in channels.discord.guilds, or
  • requireMention: true and you didn’t mention the bot.

Tell me: are you testing via DM to the bot or in a server channel (and do you see the bot “online” in the member list)?

clever crypt
#

it looks like i got another error, here it is "[openclaw] CLI failed: Error: gateway url override requires explicit credentials
Fix: pass --token *** --password *** gatewayToken in tools).
Config: /home/node/.openclaw/openclaw.json
at ensureExplicitGatewayAuth (file:///app/dist/call-BKq8Zjbe.js:138:8)
at callGateway (file:///app/dist/call-BKq8Zjbe.js:186:2)
at file:///app/dist/devices-cli-CsQMlaWR.js:26:22
at withProgress (file:///app/dist/progress-IwAiG9Oc.js:117:16)
at callGatewayCli (file:///app/dist/devices-cli-CsQMlaWR.js:22:56)
at Command.<anonymous> (file:///app/dist/devices-cli-CsQMlaWR.js:50:45)
at Command.listener [as _actionHandler] (/app/node_modules/.pnpm/commander@14.0.3/node_modules/commander/lib/command.js:568:17)
at /app/node_modules/.pnpm/commander@14.0.3/node_modules/commander/lib/command.js:1604:14
at /app/node_modules/.pnpm/commander@14.0.3/node_modules/commander/lib/command.js:1485:33
at async Command.parseAsync (/app/node_modules/.pnpm/commander@14.0.3/node_modules/commander/lib/command.js:1122:5)"

#

thank you by the way you doing gods work

daring badgerBOT
#

Appreciate it — glad we’re getting you unstuck.

Two quick next steps so you’re fully “stable”:

  1. Delete the earlier Discord message where the gateway token was pasted (treat it like a password).
  2. Once your Control UI reconnects, run:
docker compose run --rm openclaw-cli channels status --probe

and if Discord still doesn’t reply, paste the Discord section of that output (no tokens) and I’ll tell you exactly what config/allowlist is blocking it.

#

That error is expected behavior:

When you pass --url ..., OpenClaw refuses to fall back to credentials from config/env, because it assumes you might be pointing at the wrong gateway and it doesn’t want to accidentally send secrets. So you must pass --token or --password explicitly on the same command.

Fix (Docker Compose)

Run this on your host (in the repo folder with docker-compose.yml):

TOKEN="$(docker compose run --rm openclaw-cli config get gateway.auth.token | tail -n 1)"

docker compose run --rm openclaw-cli devices list \
  --url ws://openclaw-gateway:18789 \
  --token "$TOKEN"

(That tail -n 1 is just to grab the token line without all the banner text.)

#

If you want to approve a request:

REQ="PASTE_REQUEST_ID_HERE"

docker compose run --rm openclaw-cli devices approve "$REQ" \
  --url ws://openclaw-gateway:18789 \
  --token "$TOKEN"

Common gotcha

If you did --token "<REDACTED>" (literally), it will fail — you need the real token in your terminal, just don’t paste it back into Discord.

If you paste the output of devices list (with any tokens redacted), I’ll tell you which requestId to approve.

clever crypt
#

says Config path not found: (REDACTED) and [openclaw] CLI failed: Error: gateway url override requires explicit credentials
Fix: pass --token *** --password *** gatewayToken in tools).
Config: /home/node/.openclaw/openclaw.json
at ensureExplicitGatewayAuth (file:///app/dist/call-BKq8Zjbe.js:138:8)
at callGateway (file:///app/dist/call-BKq8Zjbe.js:186:2)
at file:///app/dist/devices-cli-CsQMlaWR.js:26:22
at withProgress (file:///app/dist/progress-IwAiG9Oc.js:117:16)
at callGatewayCli (file:///app/dist/devices-cli-CsQMlaWR.js:22:56)
at Command.<anonymous> (file:///app/dist/devices-cli-CsQMlaWR.js:50:45)
at Command.listener [as _actionHandler] (/app/node_modules/.pnpm/commander@14.0.3/node_modules/commander/lib/command.js:568:17)
at /app/node_modules/.pnpm/commander@14.0.3/node_modules/commander/lib/command.js:1604:14
at /app/node_modules/.pnpm/commander@14.0.3/node_modules/commander/lib/command.js:1485:33
at async Command.parseAsync (/app/node_modules/.pnpm/commander@14.0.3/node_modules/commander/lib/command.js:1122:5)

daring badgerBOT
#

That combo of errors usually means your --token ended up empty, because the command that should read it (config get …) is failing with:

Config path not found …

When token is empty, OpenClaw then complains:

gateway url override requires explicit credentials

Why “Config path not found” happens in Docker

Almost always: you have an env var like OPENCLAW_CONFIG_PATH set on your host (WSL), and Docker Compose passes it into the openclaw-cli container — but that path doesn’t exist inside the container.

Fix it (pick one)

Option A: unset the env var on your host (WSL) then rerun

unset OPENCLAW_CONFIG_PATH OPENCLAW_STATE_DIR OPENCLAW_HOME
#

Then:

docker compose run --rm openclaw-cli config get gateway.auth.token

Option B (most reliable): override config path explicitly per command

docker compose run --rm \
  -e OPENCLAW_CONFIG_PATH=/home/node/.openclaw/openclaw.json \
  openclaw-cli config get gateway.auth.token

Sanity check: does the config file exist in the CLI container?

docker compose run --rm openclaw-cli ls -la /home/node/.openclaw/
docker compose run --rm openclaw-cli ls -la /home/node/.openclaw/openclaw.json
#

If openclaw.json is missing, you’re either not running from the correct compose project dir, or the docker setup didn’t mount/create the state dir.

Then rerun devices list with a real token

(Do this in your terminal; don’t paste the token back here.)

TOKEN="$(docker compose run --rm -e OPENCLAW_CONFIG_PATH=/home/node/.openclaw/openclaw.json openclaw-cli config get gateway.auth.token | tail -n 1)"

docker compose run --rm openclaw-cli devices list \
  --url ws://openclaw-gateway:18789 \
  --token "$TOKEN"

If you paste the exact command you ran that produced “Config path not found” (just redact the path/token), I can point to the exact env var causing it.

clever crypt
#

well here we go again

#

im gonna come back tomorrow after resetting that

daring badgerBOT
#

Sounds good.

When you’re back tomorrow, this is the quickest “clean reset + verify” checklist (Docker/WSL):

  1. From the repo dir:
unset OPENCLAW_CONFIG_PATH OPENCLAW_STATE_DIR OPENCLAW_HOME
docker compose down
docker compose up -d
  2. Verify config exists in the CLI container:
docker compose run --rm openclaw-cli ls -la /home/node/.openclaw/openclaw.json
  3. Re-open dashboard:
#
docker compose run --rm openclaw-cli dashboard --no-open

If you get stuck again, paste:

  • docker compose ps
  • docker compose logs --tail 120 openclaw-gateway

(no tokens), and we’ll finish it fast.

reef vector
#

@daring badger

daring badgerBOT
#

Hey — what do you need help with?

If it’s an install/setup issue, paste (redact tokens/API keys):

  1. openclaw --version
  2. how you installed (Docker / install script / from source)
  3. the exact error text + last ~50 lines of gateway logs (openclaw logs --tail 50 or docker compose logs --tail 50 openclaw-gateway)
#

gateway.bind does not take an IP address. It only accepts these values:

  • "loopback" (127.0.0.1 only, safest)
  • "lan" (0.0.0.0, listens on all interfaces)
  • "tailnet", "auto", "custom" (advanced)

So "0.0.0.0" is why you get Config invalid.

Also your auth block is inconsistent: you set mode: "password" but provided a token. For password mode you must set password.

Easiest fix (SSH server, no docker)

  1. Edit the config:
nano ~/.openclaw/openclaw.json
#

Change your gateway section to one of these:

Safe (recommended): only local + use SSH tunnel

gateway: {
  bind: "loopback",
  port: 18789,
  auth: {
    mode: "password",
    password: "PUT_A_STRONG_PASSWORD_HERE",
  },
},

Expose on the network (0.0.0.0) — be careful

#
gateway: {
  bind: "lan",
  port: 18789,
  auth: {
    mode: "password",
    password: "PUT_A_STRONG_PASSWORD_HERE",
  },
},
  2. Restart the gateway:

If you installed it as a service:

openclaw gateway restart
openclaw gateway status

If you’re running it manually in the terminal:

openclaw gateway

Generate a strong password quickly

Run this and paste it into the config as the password value:

openssl rand -base64 32

Security note

#

Don’t use "secret"—rotate it. If you set bind: "lan" without a strong password and firewalling, people on the network can try to connect.

If you paste your full gateway { ... } block after editing (redact the password), I’ll sanity-check it.

#

That’s the gateway refusing to start because your config is missing:

gateway.mode: "local"

Fix it by setting that in ~/.openclaw/openclaw.json (recommended), or temporarily by passing --allow-unconfigured (not recommended long-term).

Do this on the SSH server (as helbot)

  1. Set gateway mode to local:
openclaw config set gateway.mode local
  2. (Recommended) keep it loopback-only on a server, and access it via SSH tunnel:
openclaw config set gateway.bind loopback
#
  3. Set password auth properly (password mode needs gateway.auth.password, not token):
PW="$(openssl rand -base64 32)"
openclaw config set gateway.auth.mode password
openclaw config set gateway.auth.password "$PW"
echo "Saved gateway password to your shell variable PW (store it somewhere safe)."
  4. Start the gateway:
openclaw gateway

To open the dashboard from your laptop (recommended)

From your local machine (not the server), create a tunnel:

#
ssh -N -L 18789:127.0.0.1:18789 helbot@vmi3054814

Then open:

Paste the password when prompted.

If openclaw config set ... errors, paste:

openclaw doctor
openclaw config get gateway

(redact secrets) and I’ll point out the exact invalid field.

daring badgerBOT
#

If you want gateway access from anywhere, do Tailscale Serve (recommended). If you want it truly public on the internet, that’s Tailscale Funnel (high risk; only do it if you understand the exposure).

Also: the “device token mismatch” thing is Control UI auth. It does not cause Telegram to batch messages. Telegram batching (10 msgs at once + 1–2 min delays) almost always means the gateway/channel was disconnected or stalled, then caught up.

A) Access your Gateway from anywhere (safe way): Tailscale Serve (HTTPS, tailnet-only)

Run on the server as helbot:

1) Install + bring up Tailscale

sudo apt update
sudo apt install -y curl
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
tailscale status
#

2) Configure OpenClaw to use Serve

Keep the gateway bound to loopback (safer), and let Tailscale expose it over HTTPS:

openclaw config set gateway.mode local
openclaw config set gateway.bind loopback
openclaw config set gateway.tailscale.mode serve

(Optional but recommended: set a fresh gateway token — do not paste it in Discord)

openclaw config set gateway.auth.mode token
openclaw config set gateway.auth.token "$(openssl rand -hex 32)"

3) Install/start the gateway as a service (so it stays up)

#
openclaw gateway install --force
openclaw gateway restart
openclaw gateway status

4) Open it from your laptop/phone (must be on your Tailscale)

Open:

  • https://<your-magicdns-name>/

First time you’ll likely need to approve the browser device once:

openclaw devices list
openclaw devices approve <requestId>

B) Public internet access (NOT recommended): Tailscale Funnel

#

Only if you insist on “anyone on the internet can reach it”. Funnel requires password auth:

openclaw config set gateway.bind loopback
openclaw config set gateway.tailscale.mode funnel
openclaw config set gateway.auth.mode password
openclaw config set gateway.auth.password "$(openssl rand -base64 32)"
openclaw gateway restart

Seriously: don’t do this without understanding that the Control UI is an admin surface.


C) Fix Telegram “1–2 min delay / 10 messages at once”

Run these on the server and paste the output (redact tokens):

#
openclaw channels status --probe
openclaw logs --follow

Things that commonly cause batching/delay:

  1. Gateway not running reliably → fix by installing the service (openclaw gateway install --force) + ensuring it stays up.
  2. Network/DNS/IPv6 flakiness to api.telegram.org. Quick check:
dig +short api.telegram.org A
dig +short api.telegram.org AAAA

And ensure Node “Happy Eyeballs” isn’t causing stalls (safe to set):

openclaw config set channels.telegram.network.autoSelectFamily false
openclaw gateway restart

If you paste channels status --probe + the last ~50 log lines around a delayed message, I can tell you exactly what’s happening (disconnects, retries, model slowness, mention-gating, etc.).

daring badgerBOT
#

Your config is still invalid because you have gateway.bind set to an IP (like "0.0.0.0"). OpenClaw only accepts named bind modes:

loopback | lan | tailnet | auto | custom

Fix it as helbot (commands only)

1) Set valid gateway basics

openclaw config set gateway.mode local
openclaw config set gateway.bind lan
openclaw config set gateway.port 18789 --json

2) Fix auth block (pick ONE)

Option A (recommended): token auth

#
openclaw config set gateway.auth.mode token
openclaw config set gateway.auth.token "$(openssl rand -hex 32)"

Option B: password auth

openclaw config set gateway.auth.mode password
openclaw config set gateway.auth.password "$(openssl rand -base64 32)"

3) Restart the gateway service (you typo’d a ~ before)

systemctl --user restart openclaw-gateway.service
# or:
openclaw gateway restart
#

4) Verify it’s up

openclaw gateway status
openclaw doctor --fix

“Access from everywhere” (recommended way)

If you mean “from any device anywhere” without exposing it publicly, do Tailscale Serve (HTTPS):

openclaw config set gateway.bind loopback
openclaw config set gateway.tailscale.mode serve
openclaw gateway restart
#

Then open https://<your-magicdns>/ from any of your devices on Tailscale.


If openclaw config set gateway.bind lan still errors, paste just this (no secrets):

grep -n "gateway" ~/.openclaw/openclaw.json | head -n 60

daring badgerBOT
#

Your config is too broken for openclaw config set … to work right now — it refuses to write anything until gateway.bind is valid.

gateway.bind must be one of: loopback | lan | tailnet | auto | custom
It cannot be an IP like 0.0.0.0.

1) Fix gateway.bind by editing the file (fastest)

Run these on the server as helbot:

cp ~/.openclaw/openclaw.json ~/.openclaw/openclaw.json.bak.$(date +%s)
nano ~/.openclaw/openclaw.json

Find your gateway block and make it look like this (example: token auth):

#
{
  "gateway": {
    "mode": "local",
    "bind": "lan",
    "port": 18789,
    "auth": {
      "mode": "token",
      "token": "PUT_A_LONG_RANDOM_TOKEN_HERE"
    }
  }
}

Generate the token on the server (don’t paste it in Discord):

#
openssl rand -hex 32

Save + exit nano (Ctrl+O, Enter, Ctrl+X).

2) Restart + verify

openclaw doctor --fix
openclaw gateway restart
openclaw gateway status

(Your earlier systemctl --user restart openclaw-gateway~ failed because of the trailing ~ typo.)

3) “Access from everywhere” (recommended way)

If you truly mean “anywhere on all my devices” safely, use Tailscale Serve (private HTTPS):

#
openclaw config set gateway.bind loopback
openclaw config set gateway.tailscale.mode serve
openclaw gateway restart

Then you access it via https://<magicdns>/ from any of your Tailscale devices.


If you paste just the gateway section of ~/.openclaw/openclaw.json after you edit it (redact the token/password), I’ll confirm it’s valid before you restart.

#

That gateway block you pasted is valid (bind: "lan" is one of the allowed values). So if OpenClaw still says:

gateway.bind: Invalid input

then one of these is true:

  1. You still have another gateway.bind somewhere else in the file (often the old "0.0.0.0"), or
  2. You edited a different file than the one OpenClaw is reading, or
  3. The config is missing gateway.mode: "local" (that blocks startup, but doctor would complain about mode separately).

1) Check if you have a second bind (most common)

Run (as helbot):

grep -n '"gateway"' ~/.openclaw/openclaw.json
grep -n '"bind"' ~/.openclaw/openclaw.json
#

If you see any line like:

"bind": "0.0.0.0"

change it to:

"bind": "lan"

2) Make sure gateway.mode is set (required)

Your gateway block should include:

"gateway": {
  "mode": "local",
  "bind": "lan",
  "port": 18789,
  "auth": { "mode": "token", "token": "..." }
}

3) Restart the correct service (you had a typo earlier)

Run:

systemctl --user restart openclaw-gateway.service
openclaw gateway status

4) Re-run doctor

#
openclaw doctor --fix

Paste the output of the two grep commands if it still complains — that will immediately show whether there’s a second bind key or a different gateway block.

Also: you pasted your gateway token publicly. Rotate it once you’re stable.

#

Your block is OK for Tailscale Serve, but if “the gateway no longer works”, it’s almost always because the process/service isn’t starting (or because Tailscale isn’t installed/“up”).

1) Check whether the gateway is running (on the server, user helbot)

openclaw gateway status
systemctl --user status openclaw-gateway.service --no-pager -n 80
journalctl --user -u openclaw-gateway.service --no-pager -n 200

Paste the output of these 3 commands here (no secrets) if it’s “failed”.

2) Make sure you actually have gateway.mode: "local"

In the excerpt you’re showing, I don’t see mode. Without it, OpenClaw can block startup.

Command (if your config is valid):

openclaw config set gateway.mode local
openclaw gateway restart
openclaw gateway status

3) If you use tailscale.mode: "serve", Tailscale must be installed + connected

On the server:

tailscale status || true
sudo tailscale up
tailscale status

Then, access “from anywhere” = from your devices on YOUR tailnet via:
https://<magicdns>/

If you don’t have Tailscale (or you just want to get back up and running quickly), disable Serve temporarily:

#
openclaw config set gateway.tailscale.mode off
openclaw config set gateway.bind lan
openclaw gateway restart

4) Telegram “no longer works”

If the gateway is down, so is Telegram. Once the gateway is “UP”, check:

openclaw channels status --probe
openclaw logs --follow

Tell me what openclaw gateway status and systemctl --user status ... return (the error lines), and I’ll tell you exactly what to fix.

#

Here we can clearly see that the service crashes immediately:

  • last exit 1
  • RPC probe: failed
  • Runtime: stopped (auto-restart…)

So the next step is to read the actual crash error (it’s in the systemd journal and/or the log file).

1) Show the exact error (to copy-paste here)

On the server (user helbot):

# systemd logs for the service (the most useful)
journalctl --user -u openclaw-gateway.service --no-pager -n 200

# file logs (mentioned by openclaw gateway status)
tail -n 200 /tmp/openclaw-1000/openclaw-2026-02-18.log

In these logs, I’m looking for a line like EADDRINUSE (port already in use), Config invalid, tailscale ..., permission denied, etc.

2) Quick test: is Tailscale Serve crashing startup?

Since you have:

"bind": "loopback",
"tailscale": { "mode": "serve" }

if Tailscale isn’t installed / not “up” / not authorized, that can make the Serve setup fail at startup.

Test Tailscale:

#
command -v tailscale || echo "tailscale pas installé"
sudo tailscale status

To isolate the problem (temporary)

Disable Serve just to see whether the gateway starts:

openclaw config set gateway.tailscale.mode off
openclaw gateway restart
openclaw gateway status

If it starts after that → we know the problem is on the Tailscale side (and we fix it afterwards).


#

Paste the 10–30 “reddest” lines of the journalctl output here (towards the end), and I’ll tell you exactly what to change.

reef vector
#

how to add another configuration of model for my openclaw like i have two kimi api key and i want to switch

daring badgerBOT
#

If you mean Moonshot (Kimi API) (provider: moonshot), the clean way to have two API keys and switch is to store them as two auth profiles, then pick which one to use (globally, or per-chat).

1) Add both Kimi keys as separate auth profiles

Run on the Gateway host (inside your Docker container if that’s where the gateway runs):

openclaw models auth paste-token --provider moonshot --profile-id moonshot:key1
openclaw models auth paste-token --provider moonshot --profile-id moonshot:key2

2) Switch which key is used (global default for that agent)

openclaw models auth order set --provider moonshot moonshot:key2 moonshot:key1

(That makes it try key2 first, then key1.)

#

3) Switch for just this chat session (no config edits)

In chat:

/model moonshot/kimi-k2.5@moonshot:key2

Docs

If you’re actually using Kimi Coding (provider: kimi-coding) instead of Moonshot, tell me which one (moonshot vs kimi-coding) and how you currently configured the key (env var vs models.providers) and I’ll give the exact commands/IDs to use.

reef vector
#

Surer, [19 Feb 2026 at 10:47:14]:
/model moonshot/kimi-k2.5@moonshot:key1

HelBot, [19 Feb 2026 at 10:47:14]:
Model "moonshot/kimi-k2.5" is not allowed. Use /models to list providers, or /models <provider> to list models.

daring badgerBOT
#

That error is almost always an allowlist problem, not a Moonshot/Kimi problem.

Why it happens

If your config has agents.defaults.models set, that becomes the only list of models you’re allowed to pick (including via /model or any overrides). If moonshot/kimi-k2.5 isn’t in there, you’ll get:

Model "moonshot/kimi-k2.5" is not allowed

(FAQ: https://docs.openclaw.ai/help/faq#why-do-i-see-model-is-not-allowed-and-then-no-reply)

Fix

  1. Check if you have an allowlist:
openclaw config get agents.defaults.models
  2. Either:
    • Add Moonshot to the allowlist, e.g.:
#
{
  agents: {
    defaults: {
      models: {
        "moonshot/kimi-k2.5": { alias: "Kimi" },
        // keep your other allowed models here too
      },
    },
  },
}

or

    • Remove agents.defaults.models entirely (if you don’t want an allowlist).
  3. Restart after config change:
#
openclaw gateway restart

Then try picking it again (/model moonshot/kimi-k2.5 or /models … depending on what your chat surface exposes).

After that: switching between 2 Kimi keys

Once the model is allowed, you can switch keys by using two auth profiles (and then swapping the auth order), like:

openclaw models auth paste-token --provider moonshot --profile-id moonshot:key1
openclaw models auth paste-token --provider moonshot --profile-id moonshot:key2
openclaw models auth order set --provider moonshot moonshot:key2 moonshot:key1

If you paste your current agents.defaults.models section (just that part), I can tell you exactly what line to add so you don’t break anything else.

reef vector
#

helbot@vmi3054814:~$ openclaw config get agents.defaults.models

🦞 OpenClaw 2026.2.17 (4134875) — The only bot that stays out of your training set.

{
"kimi-coding/k2p5": {
"alias": "Kimi K2.5"
}
}

#

@Auth profile "moonshot:key1" is for moonshot, not kimi-coding.

this is the issue,
how to remove the auth profile and add the new one

daring badgerBOT
#

That message is correct: auth profiles are provider-scoped. A profile id that starts with moonshot: can only be used with the moonshot/... models — it will never work with kimi-coding/....

So you have two options depending on what you actually want:

A) If you want Kimi Coding (kimi-coding/...)

  1. Add new profiles for kimi-coding (don’t paste keys in Discord):
openclaw models auth paste-token --provider kimi-coding --profile-id kimi-coding:key1
openclaw models auth paste-token --provider kimi-coding --profile-id kimi-coding:key2
  2. Pick which one to use (for that agent):
openclaw models auth order set --provider kimi-coding kimi-coding:key1
# or
openclaw models auth order set --provider kimi-coding kimi-coding:key2
  3. In chat, select with the matching profile id:
/model kimi-coding/k2p5@kimi-coding:key1

B) If you want Moonshot Kimi (moonshot/...)

Then your profile moonshot:key1 is fine — you just need to use it with a moonshot/... model, e.g.:

/model moonshot/kimi-k2.5@moonshot:key1