vultr/openclaw

Fork 0

mirror of https://github.com/openclaw/openclaw.git synced 2026-03-13 19:10:39 +00:00

Files

joshavant c0a3801086 Docs: document secrets refs runtime and migration

2026-02-26 14:47:22 +00:00

4.6 KiB

Raw Blame History

summary, read_when, title

summary

read_when

title

Where OpenClaw loads environment variables and the precedence order

You need to know which env vars are loaded, and in what order

You are debugging missing API keys in the Gateway

You are documenting provider auth or deployment environments

Environment Variables

Environment variables

OpenClaw pulls environment variables from multiple sources. The rule is never override existing values.

Precedence (highest → lowest)

Process environment (what the Gateway process already has from the parent shell/daemon).
.env in the current working directory (dotenv default; does not override).
Global .env at ~/.openclaw/.env (aka $OPENCLAW_STATE_DIR/.env; does not override).
Config env block in ~/.openclaw/openclaw.json (applied only if missing).
Optional login-shell import (env.shellEnv.enabled or OPENCLAW_LOAD_SHELL_ENV=1), applied only for missing expected keys.

If the config file is missing entirely, step 4 is skipped; shell import still runs if enabled.

Config `env` block

Two equivalent ways to set inline env vars (both are non-overriding):

{
  env: {
    OPENROUTER_API_KEY: "sk-or-...",
    vars: {
      GROQ_API_KEY: "gsk-...",
    },
  },
}

Shell env import

env.shellEnv runs your login shell and imports only missing expected keys:

{
  env: {
    shellEnv: {
      enabled: true,
      timeoutMs: 15000,
    },
  },
}

Env var equivalents:

OPENCLAW_LOAD_SHELL_ENV=1
OPENCLAW_SHELL_ENV_TIMEOUT_MS=15000

Env var substitution in config

You can reference env vars directly in config string values using ${VAR_NAME} syntax:

{
  models: {
    providers: {
      "vercel-gateway": {
        apiKey: "${VERCEL_GATEWAY_API_KEY}",
      },
    },
  },
}

See Configuration: Env var substitution for full details.

Secret refs vs `${ENV}` strings

OpenClaw supports two env-driven patterns:

${VAR} string substitution in config values.
SecretRef objects ({ source: "env", id: "VAR" }) for fields that support secrets references.

Both resolve from process env at activation time. SecretRef details are documented in Secrets Management.

Variable	Purpose
`OPENCLAW_HOME`	Override the home directory used for all internal path resolution (`~/.openclaw/`, agent dirs, sessions, credentials). Useful when running OpenClaw as a dedicated service user.
`OPENCLAW_STATE_DIR`	Override the state directory (default `~/.openclaw`).
`OPENCLAW_CONFIG_PATH`	Override the config file path (default `~/.openclaw/openclaw.json`).

Logging

Variable	Purpose
`OPENCLAW_LOG_LEVEL`	Override log level for both file and console (e.g. `debug`, `trace`). Takes precedence over `logging.level` and `logging.consoleLevel` in config. Invalid values are ignored with a warning.

`OPENCLAW_HOME`

When set, OPENCLAW_HOME replaces the system home directory ($HOME / os.homedir()) for all internal path resolution. This enables full filesystem isolation for headless service accounts.

Precedence: OPENCLAW_HOME > $HOME > USERPROFILE > os.homedir()

Example (macOS LaunchDaemon):

<key>EnvironmentVariables</key>
<dict>
  <key>OPENCLAW_HOME</key>
  <string>/Users/kira</string>
</dict>

OPENCLAW_HOME can also be set to a tilde path (e.g. ~/svc), which gets expanded using $HOME before use.

4.6 KiB Raw Blame History

Environment variables

Precedence (highest → lowest)

Config env block

Shell env import

Env var substitution in config

Secret refs vs ${ENV} strings

Path-related env vars

Logging

OPENCLAW_HOME

Related

4.6 KiB

Raw Blame History

Config `env` block

Secret refs vs `${ENV}` strings

`OPENCLAW_HOME`