openclaw.json env settings? | Friends of the Crustacean 🦞🤝 | Page 1

somber rose Mar 9, 2026, 12:50 PM

#

Gateway aborted: config is invalid.
agents.list.7: Unrecognized key: "env"
Fix the config and retry, or run "openclaw doctor" to repair.

Trying to put env variables in the openclaw.json Whats the correct way to do this?

marble surgeBOT Mar 9, 2026, 12:51 PM

#

agents.list[].env isn’t a valid config key — OpenClaw config is strictly schema-validated, so unknown keys (like env inside an agent) will abort the Gateway startup.

If you want to set env vars via ~/.openclaw/openclaw.json, the supported way is the top-level env block (global, not per-agent):

// ~/.openclaw/openclaw.json
{
  env: {
    OPENROUTER_API_KEY: "sk-or-...",
    vars: {
      GROQ_API_KEY: "gsk-...",
    },
  },
}

A couple important notes:

#

This env block is non-overriding (it only fills missing env vars; it won’t overwrite what your process/service already has).
Other supported options are .env files (cwd or ~/.openclaw/.env) or setting env vars in your service manager (launchd/systemd/etc). See: https://docs.openclaw.ai/help/environment

If your goal is specifically “API keys for model/providers”, it’s usually better to keep secrets out of config strings and use SecretRefs / env-substitution instead (docs cover both): https://docs.openclaw.ai/gateway/configuration#env-var-substitution-in-config

To fix your immediate crash: remove the env key from agents.list.7, then put it at the top-level env (or move it to .env).

somber rose Mar 9, 2026, 1:38 PM

#

Unable to verify gateway token drift: gateway.auth.token SecretRef is configured but unavailable in this command path.

marble surgeBOT Mar 9, 2026, 1:39 PM

#

That new line:

Unable to verify gateway token drift: gateway.auth.token SecretRef is configured but unavailable in this command path.

…is not another config-schema error. It’s a read-only CLI diagnostic that happens when:

you’ve set gateway.auth.token as a SecretRef (env/file/exec), and
the command you’re running (often openclaw doctor / openclaw status / other read-only flows) can’t resolve that SecretRef in this context (especially if the Gateway isn’t running yet).

From the Secrets docs: some commands “degrade instead of aborting” and will print messages like “configured but unavailable in this command path” when they can’t access the active secrets snapshot.
Docs: https://docs.openclaw.ai/gateway/secrets (see Command-path resolution)

What to do:

If you’re currently fixing the invalid config (agents.list.7 env): you can ignore this token-drift warning for now and just get the Gateway booting again.
Once the Gateway is running, these commands can usually read the active in-memory secrets snapshot and the warning goes away.
If you need the CLI to be able to resolve the token even when the Gateway is down, use an env-based token (OPENCLAW_GATEWAY_TOKEN) or a file-based secret provider instead of an exec-only path.

#openclaw.json env settings?