OpenClaw
OpenClaw is a separate self-hostable agent gateway. Unlike the other adapters, OpenClaw runs as its own service — Agentslan talks to it over a WebSocket gateway protocol rather than spawning a local CLI. Use this adapter when you want OpenClaw to do the actual model calls and Agentslan to orchestrate dispatch, idempotency keys, and session routing.
The adapter type inside Agentslan is openclaw_gateway and the menu label
is OpenClaw (gateway).
Run an OpenClaw gateway
Section titled “Run an OpenClaw gateway”Stand up an OpenClaw instance reachable from the machine running Agentslan. The gateway URL must use the WebSocket scheme:
ws://…for plaintext (local development only)wss://…for production deployments
Refer to OpenClaw’s own documentation for installation. For local smoke
testing, the typical flow is an OpenClaw Docker container reachable on
ws://127.0.0.1:18789 (or similar), with the gateway token from
~/.openclaw/openclaw.json on the host.
Add the agent in Agentslan
Section titled “Add the agent in Agentslan”- Open the Agentslan desktop app.
- Go to Agents → Add agent.
- Pick OpenClaw (gateway).
- Set the gateway URL (
ws://orwss://) and supply a token through one of the auth modes below. - Save.
After saving, dispatch a small test issue to confirm the device-pairing
handshake completes (see “Device auth” below). The first run on a fresh
gateway sometimes returns pairing required; approve the device in
OpenClaw and retry.
Auth modes
Section titled “Auth modes”You can supply gateway credentials in any of:
authTokenortokenin the adapter config- A header
headers.x-openclaw-token - A header
headers.x-openclaw-auth(legacy) passwordfor shared-password mode
When a token is present and an authorization header is missing, the
adapter automatically derives Authorization: Bearer <token>.
Device auth
Section titled “Device auth”By default the adapter signs each connect payload with a device key. This
is the recommended onboarding path for production:
| Field | Behavior |
|---|---|
disableDeviceAuth: true | Skip device signing entirely. Not recommended outside of local development. |
devicePrivateKeyPem | Pin a stable Ed25519 signing key. The device pairs once and re-uses the same identity. |
| (neither set) | The adapter generates an ephemeral Ed25519 keypair per run. Pairing must succeed each time. |
autoPairOnFirstConnect (default true) | On the first pairing required response, the adapter calls device.pair.list + device.pair.approve over shared auth and retries the run once. |
For production, persist devicePrivateKeyPem and leave disableDeviceAuth
unset. For ephemeral throwaway gateways, leaving everything unset is fine.
Session routing
Section titled “Session routing”OpenClaw supports the same per-issue / fixed / per-run session strategies as the HTTP OpenClaw mode. Set:
sessionKeyStrategy:issue(per issue),fixed(a single session), orrun(new session per run)sessionKey(only when strategy isfixed): the session ID to use
The resolved session key is sent to OpenClaw as agent.sessionKey.
Payload mapping
Section titled “Payload mapping”Each agent invocation builds a request with:
message— the wake text plus any optionalpayloadTemplate.message/payloadTemplate.textprefixidempotencyKey— the AgentslanrunIdsessionKey— resolved from your session strategy- (optional) every field in
payloadTemplateis merged in - (optional)
agentIdfrom config, when set and not already present in the template
Timeouts
Section titled “Timeouts”| Field | Controls |
|---|---|
timeoutSec | Adapter-level request budget. |
waitTimeoutMs | Upper bound on agent.wait.timeoutMs. If agent.wait returns timeout, the adapter surfaces openclaw_gateway_wait_timeout. |
Structured gateway events are written with stable prefixes the Agentslan UI and CLI parsers consume:
[openclaw-gateway] …— lifecycle and system events[openclaw-gateway:event] run=<id> stream=<stream> data=<json>—event agentframes