#Chat completions endpoint

1 messages · Page 1 of 1 (latest)

shadow bay
#

I’m trying to send a chat completion to the open claw endpoint. When I sent my request with my gateway token I get “jwt-auth-error:invalid token”. What am I doing wrong?
The gateway is set to local and loopback.
The chat completion is enabled
I restarted the gateway multiple times.
I also am using the teams plugin and it’s working fine right now.

velvet bluffBOT
#

To help others find answers, you can mark your question as solved via Right click solution message -> Apps -> âś… Mark Solution

short thistleBOT
#

That error wording is the clue: jwt-auth-error: invalid token doesn’t sound like the OpenClaw /v1/chat/completions endpoint. The Gateway token is an opaque shared secret, not a JWT. If something is trying to JWT-validate it, you’re likely hitting the Teams webhook / proxy path rather than the Gateway OpenAI-compatible endpoint.

Try this shape:

curl -sS http://127.0.0.1:18789/v1/models \
  -H "Authorization: Bearer YOUR_GATEWAY_TOKEN"

Then:

curl -sS http://127.0.0.1:18789/v1/chat/completions \
  -H "Authorization: Bearer YOUR_GATEWAY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"model":"openclaw/default","messages":[{"role":"user","content":"hi"}]}'
#

Things to check:

  1. Run:
    openclaw --version
openclaw config get gateway.auth.mode
  2. If mode is token, use:
    openclaw config get gateway.auth.token
    If mode is password, use the password instead.
  3. Make sure your client base URL is:
    http://127.0.0.1:18789/v1
    not the Teams webhook URL like /api/messages.
#
  1. Ensure this config is enabled:
    gateway: {
  http: {
    endpoints: {
      chatCompletions: { enabled: true }
    }
  }
}

Docs: https://docs.openclaw.ai/gateway/openai-http-api

If that still fails, paste your openclaw --version, the exact URL path you’re calling, and the redacted curl/client config — don’t paste the token.

shadow bay
#

I’m trying to run this command externally through application gateway

short thistleBOT
#

Yep — then the failure is probably at the Application Gateway layer, not OpenClaw.

OpenClaw’s gateway token is not a JWT. It’s just an opaque shared secret used as:

Authorization: Bearer <gateway-token>

So if your Application Gateway / proxy is doing JWT validation on Authorization, it will reject the OpenClaw token before the request reaches OpenClaw, producing exactly that kind of jwt-auth-error: invalid token.

For the OpenAI-compatible endpoint you want one of these setups:

Option A — simple bearer token passthrough

  • App Gateway forwards to OpenClaw
  • Do not JWT-validate the Authorization header on this route
  • Preserve/pass through:
# 
  Authorization: Bearer <gateway-token>
  • Client base URL:
    https://your-domain/v1
  • Model:
    openclaw/default

Option B — identity-aware proxy

  • Use gateway.auth.mode: "trusted-proxy"
  • The proxy authenticates users itself and injects trusted identity headers
  • Don’t use the gateway token as a JWT
#

Also: if OpenClaw is set to gateway.bind: "loopback", the app gateway must be on the same host or connected through a tunnel/reverse proxy to 127.0.0.1:18789. If the app gateway is a separate machine/service, OpenClaw won’t be reachable via loopback unless you change the network design.

Please post:

openclaw --version
openclaw config get gateway.auth.mode
openclaw config get gateway.bind

Docs: https://docs.openclaw.ai/gateway/openai-http-api and https://docs.openclaw.ai/gateway/trusted-proxy-auth

shadow bay
#

Idk why the teams plugin would work but this won’t and I don’t have any application jwt setup for this

short thistleBOT
#

That actually makes sense: the Teams plugin works because Microsoft Teams sends a real Bot Framework JWT to the Teams webhook. OpenClaw’s Teams plugin validates that JWT internally.

But /v1/chat/completions is different: it expects the OpenClaw Gateway token, not a JWT.

So if you see:

jwt-auth-error: invalid token

you’re almost certainly not reaching the OpenClaw /v1/chat/completions handler. You’re probably hitting the Teams webhook path / Teams plugin listener / some proxy auth layer.

Quick split test from the gateway host:

curl -sS http://127.0.0.1:18789/v1/models \
# 
  -H "Authorization: Bearer YOUR_GATEWAY_TOKEN"

If that works, OpenClaw is fine and the issue is external routing.

Then test your external URL:

curl -v https://your-domain/v1/models \
  -H "Authorization: Bearer YOUR_GATEWAY_TOKEN"

Expected: JSON listing openclaw/default.

If it returns jwt-auth-error, check your Application Gateway path/backend routing. /v1/* needs to route to the main OpenClaw gateway port (18789 by default), not the Teams webhook endpoint (/api/messages or Teams plugin listener).