2026-01-16 06:57:16 +00:00
---
2026-03-26 06:30:32 +07:00
summary: "CLI reference for `openclaw config` (get/set/unset/file/schema/validate)"
2026-01-16 06:57:16 +00:00
read_when:
- You want to read or edit config non-interactively
2026-01-31 16:04:03 -05:00
title: "config"
2026-01-16 06:57:16 +00:00
---
2026-01-30 03:15:10 +01:00
# `openclaw config`
2026-01-16 06:57:16 +00:00
2026-03-26 06:30:32 +07:00
Config helpers for non-interactive edits in `openclaw.json` : get/set/unset/file/schema/validate
2026-03-17 18:15:49 -05:00
values by path and print the active config file. Run without a subcommand to
open the configure wizard (same as `openclaw configure` ).
2026-01-16 06:57:16 +00:00
2026-04-04 08:48:15 +01:00
Root options:
- `--section <section>` : repeatable guided-setup section filter when you run `openclaw config` without a subcommand
Supported guided sections:
- `workspace`
- `model`
- `web`
- `gateway`
- `daemon`
- `channels`
- `plugins`
- `skills`
- `health`
2026-01-16 06:57:16 +00:00
## Examples
``` bash
2026-03-02 12:33:20 +08:00
openclaw config file
2026-04-04 08:48:15 +01:00
openclaw config --section model
openclaw config --section gateway --section daemon
2026-03-26 06:30:32 +07:00
openclaw config schema
2026-01-30 03:15:10 +01:00
openclaw config get browser.executablePath
openclaw config set browser.executablePath "/usr/bin/google-chrome"
openclaw config set agents.defaults.heartbeat.every "2h"
openclaw config set agents.list[ 0] .tools.exec.node "node-id-or-name"
2026-03-17 18:15:49 -05:00
openclaw config set channels.discord.token --ref-provider default --ref-source env --ref-id DISCORD_BOT_TOKEN
openclaw config set secrets.providers.vaultfile --provider-source file --provider-path /etc/openclaw/secrets.json --provider-mode json
2026-03-17 23:59:17 -05:00
openclaw config unset plugins.entries.brave.config.webSearch.apiKey
2026-03-17 18:15:49 -05:00
openclaw config set channels.discord.token --ref-provider default --ref-source env --ref-id DISCORD_BOT_TOKEN --dry-run
2026-03-02 13:45:51 +08:00
openclaw config validate
openclaw config validate --json
2026-01-16 06:57:16 +00:00
```
2026-03-26 06:30:32 +07:00
### `config schema`
2026-04-04 20:14:25 +01:00
Print the generated JSON schema for `openclaw.json` to stdout as JSON.
What it includes:
- The current root config schema, plus a root `$schema` string field for editor tooling
2026-04-04 21:26:51 +01:00
- Field `title` and `description` docs metadata used by the Control UI
- Nested object, wildcard (`*` ), and array-item (`[]` ) nodes inherit the same `title` / `description` metadata when matching field documentation exists
2026-04-04 21:43:09 +01:00
- `anyOf` / `oneOf` / `allOf` branches inherit the same docs metadata too when matching field documentation exists
2026-04-04 20:14:25 +01:00
- Best-effort live plugin + channel schema metadata when runtime manifests can be loaded
- A clean fallback schema even when the current config is invalid
2026-03-26 06:30:32 +07:00
2026-04-04 20:35:01 +01:00
Related runtime RPC:
- `config.schema.lookup` returns one normalized config path with a shallow
schema node (`title` , `description` , `type` , `enum` , `const` , common bounds),
matched UI hint metadata, and immediate child summaries. Use it for
path-scoped drill-down in Control UI or custom clients.
2026-03-26 06:30:32 +07:00
``` bash
openclaw config schema
```
Pipe it into a file when you want to inspect or validate it with other tools:
``` bash
openclaw config schema > openclaw.schema.json
```
### Paths
2026-01-16 06:57:16 +00:00
Paths use dot or bracket notation:
``` bash
2026-01-30 03:15:10 +01:00
openclaw config get agents.defaults.workspace
openclaw config get agents.list[ 0] .id
2026-01-16 06:57:16 +00:00
```
2026-01-18 08:15:12 +00:00
Use the agent list index to target a specific agent:
``` bash
2026-01-30 03:15:10 +01:00
openclaw config get agents.list
openclaw config set agents.list[ 1] .tools.exec.node "node-id-or-name"
2026-01-18 08:15:12 +00:00
```
2026-01-16 06:57:16 +00:00
## Values
Values are parsed as JSON5 when possible; otherwise they are treated as strings.
2026-02-20 05:09:17 +04:00
Use `--strict-json` to require JSON5 parsing. `--json` remains supported as a legacy alias.
2026-01-16 06:57:16 +00:00
``` bash
2026-01-30 03:15:10 +01:00
openclaw config set agents.defaults.heartbeat.every "0m"
2026-02-20 05:09:17 +04:00
openclaw config set gateway.port 19001 --strict-json
openclaw config set channels.whatsapp.groups '["*"]' --strict-json
2026-01-16 06:57:16 +00:00
```
2026-04-04 08:48:15 +01:00
`config get <path> --json` prints the raw value as JSON instead of terminal-formatted text.
2026-03-17 18:15:49 -05:00
## `config set` modes
`openclaw config set` supports four assignment styles:
1. Value mode: `openclaw config set <path> <value>`
2. SecretRef builder mode:
``` bash
openclaw config set channels.discord.token \
--ref-provider default \
--ref-source env \
--ref-id DISCORD_BOT_TOKEN
```
3. Provider builder mode (`secrets.providers.<alias>` path only):
``` bash
openclaw config set secrets.providers.vault \
--provider-source exec \
--provider-command /usr/local/bin/openclaw-vault \
--provider-arg read \
--provider-arg openai/api-key \
--provider-timeout-ms 5000
```
4. Batch mode (`--batch-json` or `--batch-file` ):
``` bash
openclaw config set --batch-json '[
{
"path": "secrets.providers.default",
"provider": { "source": "env" }
},
{
"path": "channels.discord.token",
"ref": { "source": "env", "provider": "default", "id": "DISCORD_BOT_TOKEN" }
}
]'
```
``` bash
openclaw config set --batch-file ./config-set.batch.json --dry-run
```
2026-03-31 02:37:31 -05:00
Policy note:
- SecretRef assignments are rejected on unsupported runtime-mutable surfaces (for example `hooks.token` , `commands.ownerDisplaySecret` , Discord thread-binding webhook tokens, and WhatsApp creds JSON). See [SecretRef Credential Surface ](/reference/secretref-credential-surface ).
2026-03-17 18:15:49 -05:00
Batch parsing always uses the batch payload (`--batch-json` /`--batch-file` ) as the source of truth.
`--strict-json` / `--json` do not change batch parsing behavior.
JSON path/value mode remains supported for both SecretRefs and providers:
``` bash
openclaw config set channels.discord.token \
'{"source":"env","provider":"default","id":"DISCORD_BOT_TOKEN"}' \
--strict-json
openclaw config set secrets.providers.vaultfile \
'{"source":"file","path":"/etc/openclaw/secrets.json","mode":"json"}' \
--strict-json
```
## Provider Builder Flags
Provider builder targets must use `secrets.providers.<alias>` as the path.
Common flags:
- `--provider-source <env|file|exec>`
- `--provider-timeout-ms <ms>` (`file` , `exec` )
Env provider (`--provider-source env` ):
- `--provider-allowlist <ENV_VAR>` (repeatable)
File provider (`--provider-source file` ):
- `--provider-path <path>` (required)
- `--provider-mode <singleValue|json>`
- `--provider-max-bytes <bytes>`
Exec provider (`--provider-source exec` ):
- `--provider-command <path>` (required)
- `--provider-arg <arg>` (repeatable)
- `--provider-no-output-timeout-ms <ms>`
- `--provider-max-output-bytes <bytes>`
- `--provider-json-only`
- `--provider-env <KEY=VALUE>` (repeatable)
- `--provider-pass-env <ENV_VAR>` (repeatable)
- `--provider-trusted-dir <path>` (repeatable)
- `--provider-allow-insecure-path`
- `--provider-allow-symlink-command`
Hardened exec provider example:
``` bash
openclaw config set secrets.providers.vault \
--provider-source exec \
--provider-command /usr/local/bin/openclaw-vault \
--provider-arg read \
--provider-arg openai/api-key \
--provider-json-only \
--provider-pass-env VAULT_TOKEN \
--provider-trusted-dir /usr/local/bin \
--provider-timeout-ms 5000
```
## Dry run
Use `--dry-run` to validate changes without writing `openclaw.json` .
``` bash
openclaw config set channels.discord.token \
--ref-provider default \
--ref-source env \
--ref-id DISCORD_BOT_TOKEN \
--dry-run
openclaw config set channels.discord.token \
--ref-provider default \
--ref-source env \
--ref-id DISCORD_BOT_TOKEN \
--dry-run \
--json
2026-03-17 20:20:11 -05:00
openclaw config set channels.discord.token \
--ref-provider vault \
--ref-source exec \
--ref-id discord/token \
--dry-run \
--allow-exec
2026-03-17 18:15:49 -05:00
```
Dry-run behavior:
2026-03-17 20:20:11 -05:00
- Builder mode: runs SecretRef resolvability checks for changed refs/providers.
- JSON mode (`--strict-json` , `--json` , or batch mode): runs schema validation plus SecretRef resolvability checks.
2026-03-31 02:37:31 -05:00
- Policy validation also runs for known unsupported SecretRef target surfaces.
- Policy checks evaluate the full post-change config, so parent-object writes (for example setting `hooks` as an object) cannot bypass unsupported-surface validation.
2026-03-17 20:20:11 -05:00
- Exec SecretRef checks are skipped by default during dry-run to avoid command side effects.
- Use `--allow-exec` with `--dry-run` to opt in to exec SecretRef checks (this may execute provider commands).
- `--allow-exec` is dry-run only and errors if used without `--dry-run` .
2026-03-17 18:15:49 -05:00
`--dry-run --json` prints a machine-readable report:
- `ok` : whether dry-run passed
- `operations` : number of assignments evaluated
- `checks` : whether schema/resolvability checks ran
2026-03-17 20:20:11 -05:00
- `checks.resolvabilityComplete` : whether resolvability checks ran to completion (false when exec refs are skipped)
- `refsChecked` : number of refs actually resolved during dry-run
- `skippedExecRefs` : number of exec refs skipped because `--allow-exec` was not set
2026-03-17 18:15:49 -05:00
- `errors` : structured schema/resolvability failures when `ok=false`
### JSON Output Shape
``` json5
{
ok: boolean,
operations: number,
configPath: string,
inputModes: ["value" | "json" | "builder", ...],
checks: {
schema: boolean,
resolvability: boolean,
2026-03-17 20:20:11 -05:00
resolvabilityComplete: boolean,
2026-03-17 18:15:49 -05:00
},
refsChecked: number,
2026-03-17 20:20:11 -05:00
skippedExecRefs: number,
2026-03-17 18:15:49 -05:00
errors?: [
{
kind: "schema" | "resolvability",
message: string,
ref?: string, // present for resolvability errors
},
],
}
```
Success example:
``` json
{
"ok" : true ,
"operations" : 1 ,
"configPath" : "~/.openclaw/openclaw.json" ,
"inputModes" : [ "builder" ] ,
"checks" : {
"schema" : false ,
2026-03-17 20:20:11 -05:00
"resolvability" : true ,
"resolvabilityComplete" : true
2026-03-17 18:15:49 -05:00
} ,
2026-03-17 20:20:11 -05:00
"refsChecked" : 1 ,
"skippedExecRefs" : 0
2026-03-17 18:15:49 -05:00
}
```
Failure example:
``` json
{
"ok" : false ,
"operations" : 1 ,
"configPath" : "~/.openclaw/openclaw.json" ,
"inputModes" : [ "builder" ] ,
"checks" : {
"schema" : false ,
2026-03-17 20:20:11 -05:00
"resolvability" : true ,
"resolvabilityComplete" : true
2026-03-17 18:15:49 -05:00
} ,
"refsChecked" : 1 ,
2026-03-17 20:20:11 -05:00
"skippedExecRefs" : 0 ,
2026-03-17 18:15:49 -05:00
"errors" : [
{
"kind" : "resolvability" ,
"message" : "Error: Environment variable \"MISSING_TEST_SECRET\" is not set." ,
"ref" : "env:default:MISSING_TEST_SECRET"
}
]
}
```
If dry-run fails:
- `config schema validation failed` : your post-change config shape is invalid; fix path/value or provider/ref object shape.
2026-03-31 02:37:31 -05:00
- `Config policy validation failed: unsupported SecretRef usage` : move that credential back to plaintext/string input and keep SecretRefs on supported surfaces only.
2026-03-17 18:15:49 -05:00
- `SecretRef assignment(s) could not be resolved` : referenced provider/ref currently cannot resolve (missing env var, invalid file pointer, exec provider failure, or provider/source mismatch).
2026-03-17 20:20:11 -05:00
- `Dry run note: skipped <n> exec SecretRef resolvability check(s)` : dry-run skipped exec refs; rerun with `--allow-exec` if you need exec resolvability validation.
2026-03-17 18:15:49 -05:00
- For batch mode, fix failing entries and rerun `--dry-run` before writing.
2026-03-02 12:33:20 +08:00
## Subcommands
- `config file` : Print the active config file path (resolved from `OPENCLAW_CONFIG_PATH` or default location).
2026-01-16 06:57:16 +00:00
Restart the gateway after edits.
2026-03-02 13:45:51 +08:00
## Validate
Validate the current config against the active schema without starting the
gateway.
``` bash
openclaw config validate
openclaw config validate --json
```