mirror of
https://github.com/openclaw/openclaw.git
synced 2026-07-09 20:13:59 +00:00
Source-grounded rewrite of 529 published docs pages with per-unit information-loss verification: 1,713 factual corrections cited to src/**, generated surfaces regenerated, frontmatter titles preserved for i18n, release notes pages untouched. All docs gates green. Closes #100141
38 KiB
38 KiB
summary, read_when, title, sidebarTitle
| summary | read_when | title | sidebarTitle | |||
|---|---|---|---|---|---|---|
| FAQ: quick-start and first-run setup — install, onboard, auth, subscriptions, initial failures |
|
FAQ: first-run setup | First-run FAQ |
Quick-start and first-run Q&A. For everyday operations, models, auth, sessions, and troubleshooting see the main FAQ.
Quick start and first-run setup
Use a local AI agent that can **see your machine**. Most "I'm stuck" cases are **local config or environment issues** a remote helper cannot inspect, so this beats asking in Discord.- **Claude Code**: [https://www.anthropic.com/claude-code/](https://www.anthropic.com/claude-code/)
- **OpenAI Codex**: [https://openai.com/codex/](https://openai.com/codex/)
Give the agent the full source checkout via the hackable (git) install so it can read
code + docs and reason about the exact version you run:
```bash
curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --install-method git
```
Ask the agent to plan and supervise the fix step-by-step, then execute only the
necessary commands - smaller diffs are easier to audit.
Share these outputs when asking for help (in Discord or a GitHub issue):
| Command | Shows |
| --- | --- |
| `openclaw status` | Gateway/agent health + basic config snapshot |
| `openclaw status --all` | Full read-only diagnosis, pasteable |
| `openclaw models status` | Provider auth + model availability |
| `openclaw doctor` | Validates and repairs common config/state issues |
| `openclaw logs --follow` | Live log tail |
| `openclaw gateway status --deep` | Deep gateway/config/plugin health check |
| `openclaw health --verbose` | Detailed health report |
Found a real bug or fix? File an issue or send a PR:
[Issues](https://github.com/openclaw/openclaw/issues) /
[Pull requests](https://github.com/openclaw/openclaw/pulls).
Quick debug loop: [First 60 seconds if something is broken](/help/faq#first-60-seconds-if-something-is-broken).
Install docs: [Install](/install), [Installer flags](/install/installer), [Updating](/install/updating).
| Skip reason | Meaning |
| --- | --- |
| `quiet-hours` | Outside the configured active-hours window |
| `empty-heartbeat-file` | `HEARTBEAT.md` exists but only has blank, comment, header, fence, or empty-checklist scaffolding |
| `no-tasks-due` | Task mode is active but no task interval is due yet |
| `alerts-disabled` | All heartbeat visibility is off (`showOk`, `showAlerts`, and `useIndicator` all disabled) |
In task mode, due timestamps advance only after a real heartbeat run completes.
Skipped runs do not mark tasks as completed.
Docs: [Heartbeat](/gateway/heartbeat), [Automation](/automation).
```bash
curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash
openclaw onboard --install-daemon
```
From source (contributors/dev):
```bash
git clone https://github.com/openclaw/openclaw.git
cd openclaw
pnpm install
pnpm build
pnpm ui:build
openclaw onboard
```
No global install yet? Run `pnpm openclaw onboard` instead. If Control UI assets are
missing, onboarding tries to build them itself, falling back to `pnpm ui:build`.
Onboarding opens your browser to a clean (non-tokenized) dashboard URL right after
setup and prints the link in the summary. Keep that tab open; if it did not launch,
copy/paste the printed URL on the same machine.
**Localhost (same machine):**
- Open `http://127.0.0.1:18789/`.
- If it asks for shared-secret auth, paste the configured token or password into Control UI settings.
- Token source: `gateway.auth.token` (or `OPENCLAW_GATEWAY_TOKEN`).
- Password source: `gateway.auth.password` (or `OPENCLAW_GATEWAY_PASSWORD`).
- No shared secret configured yet? Run `openclaw doctor --generate-gateway-token` (or `openclaw doctor --fix --generate-gateway-token`).
**Not on localhost:**
- **Tailscale Serve** (recommended): keep bind loopback, run `openclaw gateway --tailscale serve`, open `https://<magicdns>/`. With `gateway.auth.allowTailscale: true`, identity headers satisfy Control UI/WebSocket auth (no pasted shared secret, assumes a trusted gateway host); HTTP APIs still need shared-secret auth unless you deliberately use private-ingress `none` or trusted-proxy HTTP auth.
Concurrent bad-auth Serve attempts from the same client are serialized before the failed-auth limiter records them, so a second bad retry can already show `retry later`.
- **Tailnet bind**: run `openclaw gateway --bind tailnet --token "<token>"` (or configure password auth), open `http://<tailscale-ip>:18789/`, paste the matching shared secret in dashboard settings.
- **Identity-aware reverse proxy**: keep the Gateway behind a trusted proxy, set `gateway.auth.mode: "trusted-proxy"`, open the proxy URL. Same-host loopback proxies need explicit `gateway.auth.trustedProxy.allowLoopback: true`.
- **SSH tunnel**: `ssh -N -L 18789:127.0.0.1:18789 user@gateway-host`, then open `http://127.0.0.1:18789/`. Shared-secret auth still applies over the tunnel; paste the configured token or password if prompted.
See [Dashboard](/web/dashboard) and [Web surfaces](/web) for bind modes and auth details.
They control different layers:
- `approvals.exec` - forwards approval prompts to chat destinations.
- `channels.<channel>.execApprovals` - makes that channel a native approval client for exec approvals.
The host exec policy is still the real approval gate; chat config only controls where
prompts appear and how people answer them.
You rarely need both:
- If the chat already supports commands and replies, same-chat `/approve` works through the shared path.
- When a supported native channel can infer approvers safely, OpenClaw auto-enables DM-first native approvals if `channels.<channel>.execApprovals.enabled` is unset or `"auto"`.
- When native approval cards/buttons are available, that UI is primary; only mention a manual `/approve` command if the tool result says chat approvals are unavailable.
- Use `approvals.exec` only when prompts must also reach other chats or explicit ops rooms.
- Use `channels.<channel>.execApprovals.target: "channel"` or `"both"` only when you want approval prompts posted back into the originating room/topic.
- Plugin approvals are separate: same-chat `/approve` by default, optional `approvals.plugin` forwarding, and only some native channels keep native handling for those too.
Short version: forwarding is for routing, native client config is for richer channel-specific UX.
See [Exec Approvals](/tools/exec-approvals).
Node **22.19+** is required (Node 24 recommended). `pnpm` is the repo package manager.
Bun is **not recommended** for the Gateway.
Yes, but check RAM first: Pi 5 and Pi 4 (2 GB+) are the sweet spot; Pi 3B+ (1 GB) works but is slow; Pi Zero 2 W (512 MB) is not recommended.
| Model | RAM | Fit |
| --- | --- | --- |
| Pi 5 | 4/8 GB | Best |
| Pi 4 | 4 GB | Good |
| Pi 4 | 2 GB | OK, add swap |
| Pi 4 | 1 GB | Tight |
| Pi 3B+ | 1 GB | Slow |
| Pi Zero 2 W | 512 MB | Not recommended |
Absolute minimum: 1 GB RAM, 1 core, 500 MB free disk, 64-bit OS. Since the Pi only runs
the Gateway (models call out to cloud APIs), even a modest Pi handles the load.
A small Pi/VPS can also host just the Gateway while you pair **nodes** on your
laptop/phone for local screen/camera/canvas or command execution. See [Nodes](/nodes).
Full setup walkthrough: [Raspberry Pi](/install/raspberry-pi).
- Use a **64-bit** OS; do not use 32-bit Raspberry Pi OS.
- Add swap on 2 GB or smaller boards.
- Prefer a **USB SSD** over an SD card for performance and longevity.
- Prefer the hackable (git) install so you can see logs and update fast.
- Start without channels/skills, add them one by one.
- Weird binary failures ("exec format error") are usually a missing ARM64 build for an optional skill tool.
Full guide: [Raspberry Pi](/install/raspberry-pi). Also see [Linux](/platforms/linux).
That screen depends on the Gateway being reachable and authenticated. The TUI also sends
"Wake up, my friend!" automatically on first hatch. If you see that line with **no reply**
and tokens stay at 0, the agent never ran.
1. Restart the Gateway:
```bash
openclaw gateway restart
```
2. Check status + auth:
```bash
openclaw status
openclaw models status
openclaw logs --follow
```
3. Still hanging? Run:
```bash
openclaw doctor
```
If the Gateway is remote, confirm the tunnel/Tailscale connection is up and the UI
points at the right Gateway. See [Remote access](/gateway/remote).
Yes. Copy the **state directory** and **workspace**, then run Doctor once:
1. Install OpenClaw on the new machine.
2. Copy `$OPENCLAW_STATE_DIR` (default: `~/.openclaw`) from the old machine.
3. Copy your workspace (default: `~/.openclaw/workspace`).
4. Run `openclaw doctor` and restart the Gateway service.
This preserves config, auth profiles, WhatsApp creds, sessions, and memory - it keeps
your bot exactly the same, as long as you copy **both** locations. In remote mode, the
gateway host owns the session store and workspace.
**Important:** if you only commit/push your workspace to GitHub, you back up
**memory + bootstrap files**, but not session history or auth. Those live under
`~/.openclaw/` (for example `~/.openclaw/agents/<agentId>/sessions/`).
Related: [Migrating](/install/migrating), [Where things live on disk](/help/faq#where-things-live-on-disk),
[Agent workspace](/concepts/agent-workspace), [Doctor](/gateway/doctor),
[Remote mode](/gateway/remote).
Check the GitHub changelog:
[https://github.com/openclaw/openclaw/blob/main/CHANGELOG.md](https://github.com/openclaw/openclaw/blob/main/CHANGELOG.md)
Newest entries are at the top. If the top section is **Unreleased**, the next dated
section is the latest shipped version. Entries group under **Highlights**, **Changes**,
and **Fixes** (plus docs/other sections when needed).
Some Comcast/Xfinity connections incorrectly block `docs.openclaw.ai` via Xfinity
Advanced Security. Disable it or allowlist `docs.openclaw.ai`, then retry. Help us
get it unblocked: [https://spa.xfinity.com/check_url_status](https://spa.xfinity.com/check_url_status).
Still blocked? Docs are mirrored on GitHub:
[https://github.com/openclaw/openclaw/tree/main/docs](https://github.com/openclaw/openclaw/tree/main/docs)
**Stable** and **beta** are **npm dist-tags**, not separate code lines:
- `latest` = stable
- `beta` = early build for testing (falls back to `latest` when beta is missing or older than the current stable release)
A stable release usually lands on **beta** first, then an explicit promotion step
moves that same version to `latest` without changing the version number. Maintainers
can also publish straight to `latest`. That is why beta and stable can point at the
**same version** after promotion.
See what changed: [CHANGELOG.md](https://github.com/openclaw/openclaw/blob/main/CHANGELOG.md).
For install one-liners and the difference between beta and dev, see the next accordion.
**Beta** is the npm dist-tag `beta` (may match `latest` after promotion).
**Dev** is the moving head of `main` (git); when published to npm it uses dist-tag `dev`.
One-liners (macOS/Linux):
```bash
curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --beta
```
```bash
curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --install-method git
```
Windows installer (PowerShell): `iwr -useb https://openclaw.ai/install.ps1 | iex`
More detail: [Development channels](/install/development-channels) and [Installer flags](/install/installer).
Two options:
1. **Dev channel (existing install):**
```bash
openclaw update --channel dev
```
This switches to a git checkout of `main`, rebases on upstream, builds, and installs
the CLI from that checkout.
2. **Hackable (git) install (fresh machine):**
```bash
curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --install-method git
```
Prefer a manual clone:
```bash
git clone https://github.com/openclaw/openclaw.git
cd openclaw
pnpm install
pnpm build
```
Docs: [Update](/cli/update), [Development channels](/install/development-channels), [Install](/install).
Rough guide:
- **Install:** 2-5 minutes.
- **QuickStart onboarding:** a few minutes (loopback gateway, auto token, default workspace).
- **Advanced/full onboarding:** longer when provider sign-in, channel pairing, daemon install, network downloads, or skills need extra setup.
The wizard shows this timeline up front. Skip optional steps and return later with
`openclaw configure`.
Hanging? See [I am stuck](#quick-start-and-first-run-setup) above.
Re-run with `--verbose`:
```bash
curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --verbose
curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --beta --verbose
curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --install-method git --verbose
```
`install.ps1` has no dedicated verbose switch; wrap it in `Set-PSDebug -Trace 1` /
`-Trace 0` instead. Full flag reference: [Installer flags](/install/installer).
Two common Windows issues:
**1) npm error spawn git / git not found**
- Install **Git for Windows**, make sure `git` is on PATH.
- Close and reopen PowerShell, then re-run the installer.
**2) openclaw is not recognized after install**
- Your npm global bin folder is not on PATH.
- Check it: `npm config get prefix`.
- Add that directory to your user PATH (no `\bin` suffix needed; on most systems it is `%AppData%\npm`).
- Close and reopen PowerShell.
Prefer a desktop app? Use **Windows Hub**. Terminal-only setup: the PowerShell
installer and WSL2 Gateway paths are both supported. Docs: [Windows](/platforms/windows).
Usually a console code page mismatch on native Windows shells.
Symptoms: `system.run`/`exec` output renders Chinese as mojibake; the same command
looks fine in another terminal profile.
Workaround in PowerShell:
```powershell
chcp 65001
[Console]::InputEncoding = [System.Text.UTF8Encoding]::new($false)
[Console]::OutputEncoding = [System.Text.UTF8Encoding]::new($false)
$OutputEncoding = [System.Text.UTF8Encoding]::new($false)
```
Then restart the Gateway and retry:
```powershell
openclaw gateway restart
```
Still reproducing this on latest OpenClaw? Track/report it: [Issue #30640](https://github.com/openclaw/openclaw/issues/30640).
Use the hackable (git) install so you have the full source and docs locally, then ask
your bot (or Claude/Codex) **from that folder** so it can read the repo and answer precisely.
```bash
curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --install-method git
```
More detail: [Install](/install) and [Installer flags](/install/installer).
- Linux quick path + service install: [Linux](/platforms/linux).
- Full walkthrough: [Getting Started](/start/getting-started).
- Installer + updates: [Install & updates](/install/updating).
Any Linux VPS works. Install on the server, then reach the Gateway over SSH/Tailscale.
Guides: [exe.dev](/install/exe-dev), [Hetzner](/install/hetzner), [Fly.io](/install/fly).
Remote access: [Gateway remote](/gateway/remote).
Hosting hub with common providers:
- [VPS hosting](/vps) (all providers in one place)
- [Fly.io](/install/fly)
- [Hetzner](/install/hetzner)
- [exe.dev](/install/exe-dev)
In the cloud, the **Gateway runs on the server** and you access it from your laptop/phone
via the Control UI (or Tailscale/SSH). Your state + workspace live on the server, so
treat the host as the source of truth and back it up.
Pair **nodes** (Mac/iOS/Android/headless) to that cloud Gateway for local
screen/camera/canvas or command execution on your laptop while the Gateway stays in
the cloud.
Hub: [Platforms](/platforms). Remote access: [Gateway remote](/gateway/remote).
Nodes: [Nodes](/nodes), [Nodes CLI](/cli/nodes).
Possible, not recommended. The update flow can restart the Gateway (dropping the
active session), may need a clean git checkout, and can prompt for confirmation.
Safer to run updates from a shell as the operator.
```bash
openclaw update
openclaw update status
openclaw update --channel stable|extended-stable|beta|dev
openclaw update --tag <dist-tag|version>
openclaw update --no-restart
```
Automating from an agent:
```bash
openclaw update --yes --no-restart
openclaw gateway restart
```
Docs: [Update](/cli/update), [Updating](/install/updating).
`openclaw onboard` is the recommended setup path. In **local mode** it walks through:
1. **Model/Auth** - provider OAuth, API keys, or manual auth (including local options like LM Studio); pick a default model.
2. **Workspace** - location + bootstrap files.
3. **Gateway** - port, bind address, auth mode, Tailscale exposure.
4. **Channels** - built-in and official plugin chat channels: iMessage, Discord, Feishu, Google Chat, Mattermost, Microsoft Teams, QQ Bot, Signal, Slack, Telegram, WhatsApp, and more.
5. **Daemon** - LaunchAgent (macOS), systemd user unit (Linux/WSL2), or native Windows Scheduled Task.
6. **Health check** - starts the Gateway and verifies it is running.
7. **Skills** - installs recommended skills and optional dependencies.
It sets duration expectations up front and warns if your configured model is unknown
or missing auth. Full breakdown: [Onboarding (CLI)](/start/wizard).
No. Run OpenClaw with **API keys** (Anthropic/OpenAI/others) or **local-only models**
so your data stays on your device. Subscriptions (Claude Pro/Max, ChatGPT/Codex) are
optional ways to authenticate those providers.
For Anthropic: an **API key** gives standard pay-as-you-go billing; **Claude CLI**
reuses an existing Claude Code login on the same host. Anthropic currently treats
Claude CLI's non-interactive `claude -p` path as Agent SDK/programmatic usage that
still draws from your subscription's plan limits - check current Anthropic billing
docs before relying on subscription behavior. For long-lived gateway hosts and shared
automation, an Anthropic API key is the more predictable choice.
OpenAI Codex OAuth (ChatGPT/Codex subscription) is fully supported for agent models.
OpenClaw also supports hosted subscription-style options including **Qwen Cloud
Coding Plan**, **MiniMax Coding Plan**, and **Z.AI / GLM Coding Plan**.
Docs: [Anthropic](/providers/anthropic), [OpenAI](/providers/openai),
[Qwen Cloud](/providers/qwen), [MiniMax](/providers/minimax), [Z.AI (GLM)](/providers/zai),
[Local models](/gateway/local-models), [Models](/concepts/models).
Yes. OpenClaw supports Claude CLI reuse for Pro/Max/Team/Enterprise plans. Anthropic
currently treats the `claude -p` path OpenClaw uses as subscription-plan usage subject
to your plan's limits, not a separate free allowance - see
[Anthropic](/providers/anthropic) for the current billing detail and links to
Anthropic's own support articles. For the most predictable server-side setup, use an
Anthropic API key instead.
Yes, via Claude CLI reuse. Anthropic's billing treatment of `claude -p`/Agent SDK usage
has changed over time; see [Anthropic](/providers/anthropic) for the current state and
dated links to Anthropic's support articles before relying on specific billing
behavior.
Anthropic setup-token auth is also still a supported token path, but OpenClaw prefers
Claude CLI reuse and `claude -p` when available. For production or multi-user
workloads, an Anthropic API key remains the safer, more predictable choice. Other
subscription-style hosted options: [OpenAI](/providers/openai), [Qwen Cloud](/providers/qwen),
[MiniMax](/providers/minimax), [Z.AI (GLM)](/providers/zai).
Your **Anthropic quota/rate limit** is exhausted for the current window. On **Claude
CLI**, wait for the window to reset or upgrade your plan. On an **Anthropic API key**,
check usage/billing in the Anthropic Console and raise limits as needed.
If the message is specifically `Extra usage is required for long context requests`,
the request is trying to use Anthropic's 1M context window (a GA-capable 1M Claude 4.x
model, or legacy `params.context1m: true` config), and your current credential is not
eligible for long-context billing.
Set a **fallback model** so OpenClaw keeps replying while a provider is rate-limited.
See [Models](/cli/models), [OAuth](/concepts/oauth), and
[Anthropic 429 extra usage required for long context](/gateway/troubleshooting#anthropic-429-extra-usage-required-for-long-context).
Yes. OpenClaw has a bundled **Amazon Bedrock (Converse)** provider. With AWS env
markers present (`AWS_ACCESS_KEY_ID`, `AWS_PROFILE`, `AWS_BEARER_TOKEN_BEDROCK`),
OpenClaw auto-enables the implicit Bedrock provider for model discovery; otherwise
set `plugins.entries.amazon-bedrock.config.discovery.enabled: true` or add a manual
provider entry. See [Amazon Bedrock](/providers/bedrock) and [Model providers](/providers/models).
An OpenAI-compatible proxy in front of Bedrock is still a valid option if you prefer a managed key flow.
OpenClaw supports **OpenAI Codex** via OAuth (ChatGPT sign-in). Use `openai/gpt-5.5`
for the default setup: ChatGPT/Codex subscription auth plus native Codex app-server
execution. Legacy Codex-prefixed model refs are legacy config repaired by
`openclaw doctor --fix`. Direct OpenAI API-key access remains available for non-agent
OpenAI API surfaces and, through an ordered `openai` API-key profile, for agent models
too. See [Model providers](/concepts/model-providers) and [Onboarding (CLI)](/start/wizard).
`openai` is the current provider and auth-profile id for both OpenAI API keys and
ChatGPT/Codex OAuth - OpenAI Codex is folded into it. You may still see a legacy
`openai-codex` prefix in older config and migration warnings:
- `openai/gpt-5.5` = ChatGPT/Codex subscription auth with native Codex runtime for agent turns.
- Legacy `openai-codex/*` model refs = legacy route repaired by `openclaw doctor --fix`.
- `openai/gpt-5.5` plus an ordered `openai` API-key profile = API-key auth for an OpenAI agent model.
- Legacy `openai-codex` auth profile ids = legacy ids migrated by `openclaw doctor --fix`.
Want direct OpenAI Platform billing? Set `OPENAI_API_KEY`. Want ChatGPT/Codex
subscription auth? Run `openclaw models auth login --provider openai`. Keep the model
ref as `openai/gpt-5.5`; legacy Codex-prefixed refs are what `openclaw doctor --fix` rewrites.
Codex OAuth uses OpenAI-managed, plan-dependent quota windows that can differ from the
ChatGPT website/app experience, even on the same account.
`openclaw models status` shows the currently visible provider usage/quota windows, but
does not invent or normalize ChatGPT-web entitlements into direct API access. For the
direct OpenAI Platform billing/limit path, use `openai/*` with an API key.
Yes, fully. OpenAI explicitly allows subscription OAuth usage in external
tools/workflows like OpenClaw. Onboarding can run the OAuth flow for you.
See [OAuth](/concepts/oauth), [Model providers](/concepts/model-providers), and [Onboarding (CLI)](/start/wizard).
Gemini CLI uses a **plugin auth flow**, not a client id or secret in `openclaw.json`.
1. Install Gemini CLI locally so `gemini` is on `PATH`:
- Homebrew: `brew install gemini-cli`
- npm: `npm install -g @google/gemini-cli`
2. Enable the plugin: `openclaw plugins enable google`
3. Login: `openclaw models auth login --provider google-gemini-cli --set-default`
4. Default model after login: `google/gemini-3.1-pro-preview` (runtime `google-gemini-cli`)
5. Requests failing after login? Set `GOOGLE_CLOUD_PROJECT` or `GOOGLE_CLOUD_PROJECT_ID` on the gateway host and retry.
OAuth tokens are stored in auth profiles on the gateway host. Details: [Google](/providers/google), [Model providers](/concepts/model-providers).
Usually no. OpenClaw needs large context + strong safety; small cards truncate context
and skip provider-side safety filters. If you must, run the **largest** model build you
can locally (LM Studio) - see [Local models](/gateway/local-models). Smaller/quantized
models raise prompt-injection risk - see [Security](/gateway/security).
Pick region-pinned endpoints. OpenRouter exposes US-hosted options for MiniMax, Kimi,
and GLM; choose the US-hosted variant to keep data in-region. You can still list
Anthropic/OpenAI alongside these with `models.mode: "merge"` so fallbacks stay
available while respecting the regioned provider you select.
No. OpenClaw runs on macOS or Linux (Windows via WSL2). A Mac mini is a popular
always-on host choice, but a small VPS, home server, or Raspberry Pi-class box works too.
You only need a Mac **for macOS-only tools**. For iMessage, use [iMessage](/channels/imessage)
with `imsg` on any Mac signed into Messages - if the Gateway runs on Linux or elsewhere,
set `channels.imessage.cliPath` to an SSH wrapper that runs `imsg` on that Mac. For other
macOS-only tools, run the Gateway on a Mac or pair a macOS node.
Docs: [iMessage](/channels/imessage), [Nodes](/nodes), [Mac remote mode](/platforms/mac/remote).
You need **some macOS device** signed into Messages - not necessarily a Mac mini, any
Mac works. Use [iMessage](/channels/imessage) with `imsg`; the Gateway can run on that
Mac, or elsewhere with an SSH wrapper `cliPath`.
Common setups:
- Gateway on Linux/VPS, `channels.imessage.cliPath` set to an SSH wrapper that runs `imsg` on a Mac signed into Messages.
- Everything on one Mac for the simplest single-machine setup.
Docs: [iMessage](/channels/imessage), [Nodes](/nodes), [Mac remote mode](/platforms/mac/remote).
Yes. The **Mac mini can run the Gateway**, and your MacBook Pro connects as a **node**
(companion device). Nodes do not run the Gateway - they add capabilities like
screen/camera/canvas and `system.run` on that device.
Common pattern: Gateway on the always-on Mac mini; MacBook Pro runs the macOS app or a
node host and pairs to the Gateway. Check with `openclaw nodes status` / `openclaw nodes list`.
Docs: [Nodes](/nodes), [Nodes CLI](/cli/nodes).
Not recommended - Bun has runtime bugs, especially with WhatsApp and Telegram. Use
**Node** for stable gateways. If you still want to experiment, do it on a
non-production gateway without WhatsApp/Telegram.
`channels.telegram.allowFrom` is the **human sender's Telegram user ID** (numeric),
not the bot username. Setup asks for numeric user IDs only; `openclaw doctor --fix`
can try to resolve legacy `@username` entries.
Safer (no third-party bot): DM your bot, run `openclaw logs --follow`, read `from.id`.
Official Bot API: DM your bot, call `https://api.telegram.org/bot<bot_token>/getUpdates`, read `message.from.id`.
Third-party (less private): DM `@userinfobot` or `@getidsbot`.
See [Telegram access control](/channels/telegram#access-control-and-activation).
Yes, via **multi-agent routing**. Bind each sender's WhatsApp DM (`peer: { kind: "direct", id: "+15551234567" }`) to a different `agentId`, giving each person their own workspace and session store. Replies still come from the **same WhatsApp account**; DM access control (`channels.whatsapp.dmPolicy` / `channels.whatsapp.allowFrom`) is global per account. See [Multi-Agent Routing](/concepts/multi-agent) and [WhatsApp](/channels/whatsapp).
Yes. Use multi-agent routing: give each agent its own default model, then bind inbound
routes (provider account or specific peers) to each agent. Example config:
[Multi-Agent Routing](/concepts/multi-agent). See also [Models](/concepts/models) and
[Configuration](/gateway/configuration).
Yes, via Linuxbrew:
```bash
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
echo 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"' >> ~/.profile
eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
brew install <formula>
```
Running OpenClaw via systemd: make sure the service PATH includes
`/home/linuxbrew/.linuxbrew/bin` (or your brew prefix) so `brew`-installed tools
resolve in non-login shells. Recent builds also prepend common user bin dirs on Linux
systemd services (for example `~/.local/bin`, `~/.npm-global/bin`,
`~/.local/share/pnpm`, `~/.bun/bin`) and honor `PNPM_HOME`, `NPM_CONFIG_PREFIX`,
`BUN_INSTALL`, `VOLTA_HOME`, `ASDF_DATA_DIR`, `NVM_DIR`, and `FNM_DIR` when set.
- **Hackable (git) install:** full source checkout, editable, best for contributors. You build locally and can patch code/docs.
- **npm install:** global CLI install, no repo, best for "just run it." Updates come from npm dist-tags.
Docs: [Getting started](/start/getting-started), [Updating](/install/updating).
Yes, with `openclaw update --channel ...` on an existing install. This does **not
delete your data** - only the OpenClaw code install changes. State (`~/.openclaw`) and
workspace (`~/.openclaw/workspace`) stay untouched.
npm to git:
```bash
openclaw update --channel dev
```
git to npm:
```bash
openclaw update --channel stable
```
Add `--dry-run` to preview the planned mode switch first. The updater runs Doctor
follow-ups, refreshes plugin sources for the target channel, and restarts the gateway
unless you pass `--no-restart`.
The installer can force either mode too:
```bash
curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --install-method git
curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash -s -- --install-method npm
```
Backup tips: [Where things live on disk](/help/faq#where-things-live-on-disk).
Want 24/7 reliability? Use a **VPS**. Want the lowest friction and you are OK with
sleep/restarts? Run it locally.
**Laptop (local Gateway)**
- **Pros:** no server cost, direct access to local files, a live browser window.
- **Cons:** sleep/network drops disconnect it, OS updates/reboots interrupt it, must stay awake.
**VPS / cloud**
- **Pros:** always-on, stable network, no laptop sleep issues, easier to keep running.
- **Cons:** often headless (use screenshots), remote file access only, SSH needed for updates.
WhatsApp/Telegram/Slack/Mattermost/Discord all work fine from a VPS - the real
trade-off is headless browser vs a visible window. See [Browser](/tools/browser).
Default recommendation: VPS if you have had gateway disconnects before; local is great
when you are actively using the Mac and want local file access or visible-browser UI
automation.
Not required, but recommended for reliability and isolation.
- **Dedicated host (VPS/Mac mini/Raspberry Pi):** always-on, fewer sleep/reboot interruptions, cleaner permissions, easier to keep running.
- **Shared laptop/desktop:** fine for testing and active use, but expect pauses when the machine sleeps or updates.
Best of both worlds: keep the Gateway on a dedicated host and pair your laptop as a
**node** for local screen/camera/exec tools. See [Nodes](/nodes) and [Security](/gateway/security).
- **Absolute minimum:** 1 vCPU, 1 GB RAM, ~500 MB disk.
- **Recommended:** 1-2 vCPU, 2 GB+ RAM for headroom (logs, media, multiple channels). Node tools and browser automation can be resource hungry.
OS: **Ubuntu LTS** (or any modern Debian/Ubuntu) - the best-tested Linux install path.
Docs: [Linux](/platforms/linux), [VPS hosting](/vps).
Yes. Treat a VM like a VPS: it needs to be always on, reachable, and have enough RAM
for the Gateway and any channels you enable.
- **Absolute minimum:** 1 vCPU, 1 GB RAM.
- **Recommended:** 2 GB+ RAM for multiple channels, browser automation, or media tools.
- **OS:** Ubuntu LTS or another modern Debian/Ubuntu.
On Windows, use **Windows Hub** for desktop setup, or WSL2 for a Linux-style Gateway VM
with broad tooling compatibility. See [Windows](/platforms/windows), [VPS hosting](/vps).
Running macOS in a VM: see [macOS VM](/install/macos-vm).
Related
- FAQ - the main FAQ (models, sessions, gateway, security, more)
- Install overview
- Getting started
- Troubleshooting