OpenClaw Gateway — Practical Guide (Polished Draft)
1. What Is the Gateway? (One-Minute Primer)
If you searched for “openclaw gateway” or “openclaw gateway start,” you probably installed OpenClaw but are not sure what the Gateway does. In short: the Gateway is OpenClaw’s control plane. It receives messages from chat platforms (Telegram, LINE, Discord, and others), routes them to AI agents, and manages connections and authentication.
MIT Technology Review described AI agents in early 2025 as systems that can autonomously carry out multi-step tasks. OpenClaw’s Gateway is the infrastructure that makes that autonomy usable: without it, agents cannot reliably receive instructions, connect to external services, or run in a stable way. The orchestration layer—in OpenClaw, that is the Gateway—is what turns a standalone model into something that behaves like an agent.
Think of it as a switchboard: every inbound message goes through the Gateway first; it decides which agent handles the work, which model to use, and which security rules apply.
2. Gateway CLI — Quick Reference
These commands cover the vast majority of day-to-day Gateway management (per OpenClaw docs).
2.1 Status
2.2 Start / stop / service
Note: There are no separate gateway start / gateway stop subcommands. To run interactively, use openclaw gateway. For a service, use openclaw gateway install --force. To stop the service, use OS tools (e.g. systemctl stop openclaw-gateway on Linux, or launchctl unload on macOS as appropriate).
2.3 Diagnostics & security
2.4 Configuration
3. Port Configuration (Most Common Startup Issues)
3.1 Default: 18789
The Gateway’s default WebSocket port is 18789. After install, the Control UI is usually at http://127.0.0.1:18789.
3.2 Change the port
CLI (recommended)
Edit config — typically ~/.openclaw/openclaw.json (JSON5):
Temporary override (no persistent config change)
3.3 EADDRINUSE (port already in use)
Or pick another port via openclaw config set gateway.port … and restart.
4. Token & Authentication
Treat Gateway tokens like full-privilege operator credentials. Prefer strong auth, least exposure, and secrets via environment variables—not plaintext in config when avoidable.
4.1 Generate / set / verify
4.2 Auth modes (typical)
Example (token via env):
4.3 Environment files (priority)
Common pattern: ~/.openclaw/.env
Typical precedence: parent process env → .env in cwd → ~/.openclaw/.env.
5. Local vs Remote (Source of Many “Start Blocked” Errors)
5.1 Local (default)
Gateway accepts localhost traffic; common for dev/single machine:
5.2 Remote
Allows other devices on the network to connect. Usually requires auth before non-loopback bind—follow official docs for your version:
Warning: 0.0.0.0 increases reachability; combine with firewall rules, VPN (e.g. Tailscale), or reverse proxy patterns as recommended.
5.3 SSH tunnel (often the safest remote-access pattern)
Gateway can stay on loopback; you access it locally via the tunnel.
6. Common Errors → Likely Fix
Standard triage order: openclaw gateway status → openclaw logs --follow → openclaw doctor.
7. Example openclaw.json (Gateway-focused)
Adjust remote when this machine is a client to another Gateway.
8. Linux: systemd (typical)
9. Security Checklist (Before You Expose Anything)
FAQ (Short)
- Default port? 18789 — UI often at
http://127.0.0.1:18789. - “Gateway start blocked”? Align
gateway.mode/ auth / bind with what remote access requires; see official error text for your build. - Phone control safely? Prefer SSH tunnel or VPN; avoid raw public exposure.
- Forgot token?
openclaw config get gateway.auth.tokenor regenerate withopenclaw doctor --generate-gateway-token. - Multiple machines? Generally one Gateway per host/process design; avoid port conflicts and duplicate services.
OpenClaw Gateway CLI WebSocket Localhost Security Token Troubleshooting Linux Self-hosted AI
