issue | Friends of the Crustacean 🦞🤝 | Page 1

fallen frost Apr 20, 2026, 5:11 PM

#

miya@Miyas-Mac-mini ~ % ~/.openclaw
zsh: permission denied: /Users/miya/.openclaw
miya@Miyas-Mac-mini ~ % ls ~/.openclaw
agents secrets.json
miya@Miyas-Mac-mini ~ %

have secrets.json

◇ How do you want to provide the gateway token?
│ Use SecretRef
│
◇ Where is this gateway token stored?
│ Configured secret provider
│
◇ No providers configured ───────────────────────────────────────────────────────────────╮
│ │
│ No file/exec secret providers are configured yet. Add one under secrets.providers, or │
│ select Environment variable. │
│ │
├─────────────────────────────────────────────────────────────────────────────────────────╯
│
◇ Where is this gateway token stored?
│ Configured secret provider
│
◇ No providers configured ───────────────────────────────────────────────────────────────╮
│ │
│ No file/exec secret providers are configured yet. Add one under secrets.providers, or │
│ select Environment variable. │
│ │
├─────────────────────────────────────────────────────────────────────────────────────────╯
│
◆ Where is this gateway token stored?
│ ○ Environment variable
│ ● Configured secret provider (Use a configured file or exec secret provider)
└

jovial isleBOT Apr 20, 2026, 5:11 PM

#

eternal prairieBOT Apr 20, 2026, 5:11 PM

#

To help others find answers, you can mark your question as solved via Right click solution message -> Apps -> ✅ Mark Solution

autumn reefBOT Apr 20, 2026, 5:14 PM

#

Let me verify the actual docs path and the secret-provider behavior so I don’t guess.

#

That permission denied part is just because ~/.openclaw is a directory, not a command. ls ~/.openclaw was the right check.

The real issue is this part: having ~/.openclaw/secrets.json does not automatically create a secret provider.

“Configured secret provider” means you already have something under secrets.providers in config.

First, can you paste:

openclaw --version

Then you have 2 good options:

1. Fastest, just get unstuck: choose Environment variable in onboarding.

2. If you want to use ~/.openclaw/secrets.json: configure a file provider first, then rerun onboarding:

#

openclaw config set secrets.providers.filemain \
  --provider-source file \
  --provider-path ~/.openclaw/secrets.json \
  --provider-mode json

Then choose Configured secret provider.

If it later asks for the secret id, for a JSON file it must be an absolute JSON pointer, for example:

file contents:

{ "gateway": { "auth": { "token": "abc123" } } }

ref id:

#

  /gateway/auth/token

Docs:

If you paste openclaw --version and a redacted sample of your secrets.json shape, I can give you the exact next command.

fallen frost Apr 20, 2026, 5:19 PM

#

create a .env and token

autumn reefBOT Apr 20, 2026, 5:20 PM

#

Yep, easiest is to skip the file provider for now and use an env var.

Also paste this first so we know the version:

openclaw --version

Then in the same terminal run:

export OPENCLAW_GATEWAY_TOKEN="$(openssl rand -hex 32)"
openclaw onboard

In the wizard, pick:

#

Use SecretRef
Environment variable
env var name: OPENCLAW_GATEWAY_TOKEN

If you really want a .env file, create it in the directory where you launch OpenClaw from:

printf 'OPENCLAW_GATEWAY_TOKEN=%s\n' "$(openssl rand -hex 32)" > .env

Then rerun openclaw onboard.

Important:

Do not paste the token here
On macOS, .env can be a little confusing with services, so for onboarding the export ... route is usually the cleanest

Docs:

#

If you want, paste the next prompt after choosing Environment variable and I’ll walk you through the rest.

fallen frost Apr 20, 2026, 5:25 PM

#

ok did with .env now how do it= move it

autumn reefBOT Apr 20, 2026, 5:26 PM

#

You probably don’t need to move it 👍

If you created .env while you were in ~, that file is ~/.env, and the simplest next step is:

cd ~
openclaw onboard

Then choose:

Use SecretRef
Environment variable
OPENCLAW_GATEWAY_TOKEN

A couple important bits:

#

Do not move it into ~/.openclaw
OpenClaw does not treat ~/.openclaw as the special place for .env

If the wizard still does not see the env var, load it into your shell first:

set -a
source ~/.env
set +a
openclaw onboard

If you meant “move the .env to another folder”, the command is:

mv ~/.env /path/to/other/folder/.env

#

But for finishing onboarding, I’d leave it where it is for now.

If you want, paste the next screen/prompt you see and I’ll guide you step by step.

fallen frost Apr 20, 2026, 7:01 PM

#

switch from .env to secrects

autumn reefBOT Apr 20, 2026, 7:02 PM

#

Yep, you can switch, but there’s one gotcha: if OPENCLAW_GATEWAY_TOKEN is still set, the env var keeps winning over the SecretRef.

1) Put the token in `~/.openclaw/secrets.json`

Example shape:

{
  "gateway": {
    "auth": {
      "token": "YOUR_TOKEN_HERE"
    }
  }
}

2) Configure the file secret provider

#

openclaw config set secrets.providers.filemain \
  --provider-source file \
  --provider-path ~/.openclaw/secrets.json \
  --provider-mode json

3) Point gateway auth at that secret

openclaw config set gateway.auth.mode token

openclaw config set gateway.auth.token \
  --ref-provider filemain \
  --ref-source file \
  --ref-id /gateway/auth/token

#

4) Remove the `.env` override

On macOS:

sed -i '' '/^OPENCLAW_GATEWAY_TOKEN=/d' ~/.env
unset OPENCLAW_GATEWAY_TOKEN

5) Restart / rerun

If onboarding is already done:

openclaw gateway restart

If you’re still in the wizard, rerun openclaw onboard and choose Configured secret provider.

#issue

1) Put the token in ~/.openclaw/secrets.json

2) Configure the file secret provider

3) Point gateway auth at that secret

4) Remove the .env override

5) Restart / rerun

1) Put the token in `~/.openclaw/secrets.json`

4) Remove the `.env` override