OpenClaw rollback config change guide: chat path, terminal rescue, and restore openclaw.json from backup. All three paths with exact steps.
Not sure what a term means? There is a Key Terms reference at the bottom of this article.
TL;DR
If your agent is still responding: paste the commands in the blockquotes below into your OpenClaw chat. Your agent will do the recovery work for you. If the gateway is unreachable: you need a terminal. SSH (a secure way to open a command window on a remote server from your own computer) into your server and run openclaw backup restore to replace your broken config with the last known good snapshot. If you have no backup: open ~/.openclaw/openclaw.json in a text editor, find the setting you changed, revert it, and restart. All three paths, including what to do when the gateway is down and you have no backup at all, are covered below with exact steps.
START HERE: which situation are you in?
Open your OpenClaw chat and try sending any message.
Your agent replies: go to Your agent is still responding. You can fix this from the chat window without touching a terminal.
Nothing comes back (timeout, error, blank): go to Gateway is unreachable. You will need terminal access.
Chat connects but you still cannot reach the agent from a browser or mobile: skip to The gateway is running but unreachable. The process is up but something is blocking the connection.
docker exec -it <container-name> /bin/bash to get a terminal inside the container.
Windows: WSL2 (Windows Subsystem for Linux 2) gives you a Linux terminal inside Windows. All paths in this article that start with ~/.openclaw/ refer to the WSL2 filesystem, not your Windows C: drive. Open the WSL2 terminal (not PowerShell or CMD) before running any commands. If you installed OpenClaw natively on Windows (not inside WSL2), your config is at %APPDATA%\openclaw\openclaw.json instead. Open it with notepad %APPDATA%\openclaw\openclaw.json in CMD.
macOS (Apple Silicon / Homebrew): If the openclaw command is not found, run eval "$(/opt/homebrew/bin/brew shellenv)" in your terminal to add Homebrew’s bin directory to your PATH for this session. To make it permanent, add that line to your ~/.zshrc.
Your agent is still responding
The agent can fix itself if you can still talk to it. This is the fastest path for an OpenClaw rollback config change: paste commands into your chat and the agent does the work. No terminal required. The steps below go from the fastest fix to the most thorough. Start at the top and stop as soon as things are working again.
Step 1: Find out what changed
Paste this into your OpenClaw chat:
Show me my full openclaw.json config. Format it clearly so I can read it. Then tell me: when did the config last change, what are the most recent values that differ from OpenClaw defaults, and are there any settings that look unusual or incorrectly set?
Your agent will show you the full config and flag anything that looks wrong. Common culprits: model name misspelled, gateway.bind or gateway.port changed to an unexpected value, API key accidentally changed, or a plugin entry malformed.
cat ~/.openclaw/openclaw.json to print the full config. If you have git set up, run git -C ~/.openclaw diff HEAD openclaw.json to see exactly what changed since the last commit.
Windows native (CMD): type %APPDATA%\openclaw\openclaw.json
Windows native (PowerShell): Get-Content "$env:APPDATA\openclaw\openclaw.json"
If your openclaw.json lives in a workspace subdirectory rather than ~/.openclaw/ directly, run find ~ -name "openclaw.json" -not -path "*/backups/*" 2>/dev/null to locate it.
Step 2: Revert a specific setting
If you know which setting broke things, paste this into the chat (fill in the brackets):
In my openclaw.json, revert [the setting name] back to [the correct value]. Then validate the config to confirm it is valid, and restart the gateway so the change takes effect. After restarting, tell me which model is now in use.
Example: “revert agents.defaults.model back to deepseek/deepseek-chat” or “revert gateway.port back to 18789.”
/new or /reset in the chat to start a fresh session, then ask: “Which model are you using?” to confirm.openclaw config set agents.defaults.model deepseek/deepseek-chat (replace with your field and value). Then openclaw config validate. Then openclaw gateway restart. A successful restart returns no error output and status shows “running” within seconds.ss -tlnp | grep 18789 (Linux) or lsof -i :18789 (macOS), replacing 18789 with your port. Kill the stale process, then restart.Step 3: Run openclaw doctor
If you are not sure which field is wrong, ask the agent to run a diagnostic:
Run openclaw doctor and show me the full output. Tell me which checks passed, which failed, and for any failure, what the correct value should be. Do not apply any fixes yet. Just show me the report first.
openclaw doctor reads your config and checks it against the ruleset of allowed values without changing anything. It works even when the gateway is stopped. Failed checks include the exact field name and what it should be.
openclaw doctor. The base command is read-only and changes nothing. For automatic repair, openclaw doctor --fix writes corrections to disk. Run it without --fix first and read the output, then decide if auto-repair is appropriate.--fix will reset it to the default. Review the report before running --fix and re-apply any intentional non-default values after. After any fix, run openclaw config validate before restarting.Step 4: OpenClaw rollback config change via backup restore
A backup snapshot replaces your current config with a saved version from a specific moment. Use this when doctor has not identified the problem. Any intentional changes since the backup date are also reverted.
First, check what backups exist:
List all available OpenClaw backups, sorted by date newest first. Show me the filename, the date it was created, and the size. Tell me which one is most likely to be from before my recent config change.
openclaw backup list prints a dated list of available backups. If your version of OpenClaw does not have this command, use ls -lt ~/.openclaw/backups/ to see raw files sorted by time. Backups are named with timestamps: openclaw-backup-20260322-143015.tar.gz. If the directory is empty, no automatic backups were created. Skip to Step 5.
If backups are not at ~/.openclaw/backups/: Run find ~ -name "openclaw-backup-*.tar.gz" 2>/dev/null to locate them. Some installs place backups under the workspace directory instead.
Once you know which backup to use:
Restore the OpenClaw backup from [filename or date]. Before restoring, show me what the config will be replaced with so I can confirm it is the right one. Then restore it, restart the gateway, and start a fresh session.
openclaw gateway stop (or sudo systemctl stop openclaw-gateway if you use systemd (Linux’s built-in service manager that automatically restarts crashed processes) with auto-restart). Status shows “stopped” when done. Then: openclaw backup restore ~/.openclaw/backups/openclaw-backup-YYYYMMDD-HHMMSS.tar.gz. Then: openclaw config validate. Then: openclaw gateway restart. Successful restart shows no error output.Step 5: Validate before restarting
Before restarting after any change, validate first:
Run openclaw config validate and tell me the result. If there are any errors, show me exactly which field failed and what the error message says. Do not restart until we have fixed any errors.
Validate is read-only. It checks the config file without restarting or changing anything. Skip it, restart with a broken config, and the gateway fails to start. A passing result shows “Config valid.” with no further output. A failing result names the exact field and what was expected.
openclaw config validate. If you skip this and restart with a broken config, the gateway fails to start and you are in a full terminal lockout. Fix any errors before running openclaw gateway restart.If validate passes but the problem persists, check the gateway log:
Show me the last 50 lines of the OpenClaw gateway log. Tell me if there are any errors and what they say in plain English.
Linux (systemd):
journalctl -u openclaw-gateway --lines=50 --no-pagermacOS (launchd):
log show --predicate 'process == "openclaw"' --last 10m --style compactDocker:
docker logs --tail 50 <container-name>Fallback (any platform): Check
~/.openclaw/logs/gateway.logGateway is unreachable
Step 1: Confirm the gateway process state
The gateway can be unreachable for two different reasons: it stopped (broken config, port conflict, startup crash) or it is running but blocked (wrong bind address, firewall). Find out which one you have before doing anything else.
openclaw gateway status
The command prints a single-line status such as “Gateway: running (pid 12345)” or “Gateway: stopped.” The pid number is the process ID, a number the system uses to track the running process. You do not need to do anything with it. Look for the word “running” or “stopped.”
“running”: the process is up. The problem is a network block. Jump to the “gateway is running but unreachable” subsection below.
“stopped” or “failed”: the gateway crashed or could not start. The config is the problem. Continue with Step 2.
In Docker: docker ps | grep openclaw to check if the container is running. If it is not listed, it is stopped: docker logs <container-name> --tail 30 to see why.
Using systemd: Cross-check with sudo systemctl status openclaw-gateway if the openclaw command gives inconsistent results.
Step 2: Run openclaw doctor
openclaw doctor reads your config file without starting the gateway, so it works even when the gateway is completely stopped. It tells you exactly which field is wrong so you can fix the specific problem instead of doing a full restore. A targeted fix on one field takes seconds. A full restore replaces everything (including changes you made on purpose) and takes a full stop-restore-restart cycle. Run doctor first.
openclaw doctor
The base command is read-only and changes nothing. Output lists checks with PASS or FAIL. FAIL lines include the field name and what it should be.
In Docker: docker exec -it <container-name> openclaw doctor
openclaw doctor --fix restores flagged fields to OpenClaw’s built-in defaults, not your previous values. If you deliberately set a non-default value that doctor considers invalid, --fix will reset it to the default. Read the report output first, then decide. After any fix, run openclaw config validate before restarting.Step 3: Read the startup error
If doctor passes but the gateway still will not start, read the last 30 lines of the log. Look for lines marked ERROR or FATAL.
journalctl -u openclaw-gateway -n 30 --no-pagermacOS (launchd):
log show --predicate 'process == "openclaw"' --last 5m --style compactDocker:
docker logs --tail 30 <container-name>Manual start (any OS): Run
openclaw gateway start and errors print directly to the terminal.
What the errors mean:
“SyntaxError: Unexpected token”: the config file has invalid JSON structure (missing comma, broken bracket). The gateway cannot read it at all. Go to Step 5 (manual edit).
“EADDRINUSE” / “address already in use”: the port is taken by another program. Change your gateway port or stop the conflicting process. If this appears right after a restart attempt, wait 5 seconds and try again before assuming a conflict.
“Model not found” / “Unknown provider”: the model name is wrong or formatted incorrectly. Revert the model field to a known working value.
“Plugin failed to load”: a plugin config is malformed or missing a dependency. Check the plugins.entries section of your config.
Step 4: Restore from backup (fastest path)
A backup is a snapshot of your config, API keys, and session data at a specific moment. Restoring one replaces your current broken config with that snapshot. Everything intentionally changed since the backup date is also reverted. Check the backup timestamp before restoring.
openclaw gateway stop first. If you use systemd with Restart=always, use sudo systemctl stop openclaw-gateway instead. (sudo runs the command with administrator-level permissions, required for managing system services.) Otherwise systemd restarts the process immediately. Save a copy of your current config before restoring: cp ~/.openclaw/openclaw.json ~/openclaw-json-before-restore.jsonopenclaw backup list or ls -lt ~/.openclaw/backups/. Pick the newest file that predates your bad change. Running the restore command below will restore openclaw.json to that snapshot. If the directory is empty, go to Step 5.
Restore:
openclaw gateway stop
openclaw backup restore ~/.openclaw/backups/openclaw-backup-YYYYMMDD-HHMMSS.tar.gz
openclaw config validate
openclaw gateway restart
Successful restart: no error output, openclaw gateway status returns a line containing “running.”
Step 5: Manual config edit (no backup available)
If you have no backup, edit the config file directly. Use openclaw config set when you know the exact field name and correct value. It handles the JSON formatting automatically and cannot corrupt the file structure. Use a text editor only if config set cannot handle what you need to change.
openclaw config validate before restarting. If validate fails, fix the syntax error before restarting.openclaw config set agents.defaults.model deepseek/deepseek-chatopenclaw config set gateway.port 18789
No output on success. Run openclaw config validate after to confirm.
Linux/macOS/WSL2:
nano ~/.openclaw/openclaw.jsonnano is a text editor that runs in the terminal. Use Ctrl+W to search for a field name. Ctrl+O to save. Ctrl+X to exit. If nano is not installed (common in minimal Docker/Alpine images), use
vi ~/.openclaw/openclaw.json instead. Or install nano: apt install nano (Debian/Ubuntu) or apk add nano (Alpine).Windows native:
notepad %APPDATA%\openclaw\openclaw.json
Common fields to check:
gateway.bind: if set to 127.0.0.1, the gateway only accepts connections from the same machine. Change to 0.0.0.0 for external access, or keep at 127.0.0.1 and use SSH tunneling.
gateway.port: if changed to a blocked or taken port, revert to 18789.
agents.defaults.model: format is provider/model-name, for example, deepseek/deepseek-chat.
models.providers.X.apiKey: must be the correct, current API key for that provider.
openclaw config validate
Fix any errors first. When validate shows “Config valid.”: openclaw gateway restart
Step 6: Git rollback (only if you set up git tracking)
Not sure if your config is in git? Run git -C ~/.openclaw status. If it returns “not a git repository,” this option is not available. Use Steps 4 or 5 instead. If it returns file status output, you have git tracking.
Git rollback reverts only the config file without touching your sessions or API keys, making it more precise than a backup restore.
git -C ~/.openclaw diff HEAD openclaw.json
Lines with - are the old values. Lines with + are the new (broken) values.
If your openclaw.json lives in a workspace subdirectory: replace ~/.openclaw with that path. Run find ~ -name "openclaw.json" -not -path "*/backups/*" 2>/dev/null to find it.
git -C ~/.openclaw checkout HEAD -- openclaw.json
This touches only openclaw.json. Nothing else changes. Success is silent: no output means it worked. Then:
openclaw config validate && openclaw gateway restart
To go back further: git -C ~/.openclaw log --oneline -- openclaw.json to see the history, then git -C ~/.openclaw checkout <commit-hash> -- openclaw.json
The gateway is running but unreachable
If openclaw gateway status shows “running” but you still cannot connect, something is blocking the connection rather than a startup failure. This is different from being openclaw config locked out entirely by a bad field value. The two most common causes: gateway.bind is set to 127.0.0.1 (loopback-only, drops all outside connections with no error message) or a firewall is blocking the gateway port.
Linux:
ss -tlnp | grep openclawmacOS:
lsof -iTCP -sTCP:LISTEN | grep openclawEither (cross-platform):
netstat -an | grep 18789 (replace 18789 with your port)
127.0.0.1:18789 = loopback only. That is why remote connections fail.
0.0.0.0:18789 = all interfaces. The problem is elsewhere (firewall, network).
Note: ss is Linux-only. On macOS, use lsof. On Windows WSL2, ss works inside the WSL2 terminal but shows the WSL2 network stack, not the Windows host network. If OpenClaw is running on the Windows host (not inside WSL2), check with netstat -an | findstr 18789 in CMD instead.
openclaw config set gateway.bind 0.0.0.0openclaw config validateopenclaw gateway restart
After restart, the gateway accepts external connections. Paired mobile nodes reconnect automatically because node pairing uses a URL that includes hostname and port, not the bind address. As long as the URL and port are unchanged, nodes reconnect on their next attempt.
IPv6 note: 0.0.0.0 only binds IPv4. For IPv6 access, set gateway.bind to :: instead. Some Linux systems (Ubuntu 22.04+) have IPv6 enabled by default. If your server has a public IPv6 address and you set 0.0.0.0, IPv6 connections will still be blocked until you switch to ::.
Linux Ubuntu/Debian (UFW is the built-in firewall manager): sudo ufw status. If the gateway port is not listed as ALLOW: sudo ufw allow YOUR_PORT/tcp.
Linux RHEL/Fedora (firewalld is the built-in firewall manager): sudo firewall-cmd --list-ports. If not listed: sudo firewall-cmd --add-port=YOUR_PORT/tcp --permanent && sudo firewall-cmd --reload.
macOS: System Settings > Network > Firewall. Add OpenClaw or disable the firewall temporarily to test.
Cloud VPS (DigitalOcean, Hetzner, AWS, etc.): Check the cloud firewall or security group rules in your provider dashboard. Cloud firewalls are separate from the OS firewall and are the most commonly missed cause of this problem.
Windows (WSL2): If OpenClaw runs inside WSL2, the Windows firewall may block incoming connections to the WSL2 network interface. Check Windows Defender Firewall > Advanced Settings > Inbound Rules for the gateway port.
Specific scenarios
These are the four most common lockout causes with targeted fixes. If your agent is still accessible, paste the blockquote commands into the chat. If not, use the terminal path in the blue callout.
You changed the model and the agent will not respond
The most common lockout after a model change. The model name is wrong, the provider does not support it, or the API key for that provider is not configured. The gateway is usually still running but the agent fails silently on every message.
What is the current value of agents.defaults.model in my config? Try calling the configured model with a simple test message: say “ping”. Show me the full response including any error messages. Then revert agents.defaults.model to deepseek/deepseek-chat and restart the gateway.
/new in the chat. The current session caches the old model even after a gateway restart. Then ask “Which model are you using?” to confirm.openclaw config set agents.defaults.model deepseek/deepseek-chat then openclaw gateway restart. Model name format: provider/model-name for API models, ollama/model-name for local models.ollama/llama3.1:8b. Check the model is downloaded: ollama list. If it is not there, download it: ollama pull model-name. Confirm Ollama is running: curl http://127.0.0.1:11434/api/tags should return a list of models. If it returns “connection refused,” Ollama is not running. Start it with: ollama serve.
macOS Apple Silicon / Homebrew: If ollama is not found, run eval "$(/opt/homebrew/bin/brew shellenv)" in your terminal.
Windows WSL2: Ollama installed on the Windows host is not automatically visible from inside WSL2. Either install Ollama inside WSL2 separately, or point OpenClaw to the Windows host IP ($(cat /etc/resolv.conf | grep nameserver | awk '{print $2}') from WSL2) instead of 127.0.0.1 when configuring the Ollama endpoint.
You changed gateway.bind or gateway.port and lost access
Changing gateway.bind to 127.0.0.1 makes the gateway loopback-only. It still runs but only accepts connections from the same machine. Any outside connection is silently dropped with no error message. Changing gateway.port to a taken or blocked port causes a startup failure.
Check my current gateway.bind and gateway.port settings. If gateway.bind is set to 127.0.0.1, change it to 0.0.0.0, validate the config, and restart the gateway. If gateway.port was changed from 18789, check whether the new port is available and revert it to 18789 if not.
openclaw config set gateway.bind 0.0.0.0 then openclaw config validate then openclaw gateway restart.
Terminal path (port conflict): Check what is using which ports: ss -tlnp | grep LISTEN (Linux) or lsof -iTCP -sTCP:LISTEN (macOS) or netstat -ano | findstr LISTENING (Windows CMD). Change your port to a free one or stop the conflicting process, then restart.
After fixing bind: If you set 0.0.0.0 without a firewall in place, your agent is now reachable by anyone. Set a firewall rule or revert to 127.0.0.1 and use SSH tunneling for remote access.
Paired mobile nodes: Node pairing uses a URL (hostname + port). Changing bind alone does not break it. But if you also changed gateway.port, those nodes have the old port and will fail to reconnect.
You changed an API key and all tool calls fail
API keys are the credentials your agent uses to call AI providers. A wrong key causes authentication errors on every tool call. The agent responds to messages but fails on any task that needs a tool.
List all configured API keys in my openclaw.json, but do not show me the actual key values. Just show me which providers have keys configured and tell me which ones are returning authentication errors when called.
models.providers.PROVIDER_NAME.apiKey. Set the correct key: openclaw config set models.providers.deepseek.apiKey YOUR_KEY_HERE.
Check for duplicate key locations: Some plugins store their own API keys separately, for example under plugins.entries.PLUGIN_NAME.config.llm.apiKey. If you changed the key in one place but not the other, one subsystem works and the other fails. Search the entire config for the provider name to find all locations.
You changed a plugin config and the agent is broken
Plugins are add-ons that extend what your agent can do. Plugin config errors are subtle: the gateway starts and the agent responds, but the plugin fails silently. Memory plugins are the most common cause. A bad config means every memory operation fails without any visible error and the agent acts as if it has no memory.
Show me the plugins.entries section of my openclaw.json. Tell me which plugins are enabled, which are disabled, and whether any have config errors or missing required fields. If there is a problem, tell me what the correct value should be.
openclaw config validate first. Plugin errors often appear here. If validate passes but the plugin is still broken, check the log:Linux:
journalctl -u openclaw-gateway --lines=100 --no-pager | grep -i pluginmacOS:
log show --predicate 'process == "openclaw"' --last 10m | grep -i pluginDocker:
docker logs --tail 100 <container-name> 2>&1 | grep -i pluginHow to prevent this next time
You just spent more time on this than you needed to. Set these up now and the next OpenClaw rollback config change takes 30 seconds instead.
Create a backup before every config change
OpenClaw creates backups automatically before changes made through the official commands (openclaw config set, openclaw config patch). Direct file edits get no automatic backup. Back up first, then edit.
Create a backup of my current OpenClaw config right now. Tell me the filename and where it was saved.
openclaw backup create. The command prints the path to the backup file. Your original config is unchanged.
Manual copy (Linux/macOS/WSL2): cp ~/.openclaw/openclaw.json ~/openclaw-config-backup-$(date +%Y%m%d-%H%M%S).json
Windows PowerShell: Copy-Item "$env:APPDATA\openclaw\openclaw.json" "$HOME\openclaw-config-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss').json"
Always validate before restarting
openclaw config validate checks your config file against the ruleset of allowed values. Read-only and takes under a second. Skip it, restart with a broken config, and the gateway fails to start. That turns a fixable config problem into a lockout that requires terminal recovery.
After any config change, always run openclaw config validate before restarting the gateway. If there are any errors, tell me exactly what failed and what the correct value should be, and do not restart until we have fixed them.
openclaw config validate. “Config valid.” with no further output means it passed. Any other output means errors to fix before restarting.Put your config in git
Git is version control software that keeps a timestamped save history for files you tell it to track. With your config in git, you can always see exactly what changed and roll back to any previous state in one command. If you just had to manually edit your config and hunt for a broken field with no clues, this is what would have saved you that time.
Is my openclaw.json currently tracked in a git repository? If not, set it up now and make an initial commit. Tell me what you did and confirm the current config is committed.
git -C ~/.openclaw status. If it returns “not a git repository”:
git init ~/.openclaw (creates a .git/ folder, does not touch any existing files)
Before your first commit, create a .gitignore to avoid tracking large binary files, session data, and logs that live alongside your config:
printf "*.db\n*.log\nlogs/\nsessions/\nsessions-archive/\nnode_modules/\n" > ~/.openclaw/.gitignore
Then commit only the config:
git -C ~/.openclaw add openclaw.json .gitignore
git -C ~/.openclaw commit -m "initial config commit"
After this, commit after every intentional change:
git -C ~/.openclaw add openclaw.json && git -C ~/.openclaw commit -m "config change: [what you changed]"
If your openclaw.json is in a workspace subdirectory, replace ~/.openclaw with that path.
The safe change pattern
I am about to change [setting] to [value]. Before I do: create a backup, then show me what the config will look like after the change. Tell me if there are any concerns, and do not restart until I confirm.
openclaw config set or config patch. (3) Validate. (4) Restart. (5) Test: send a message and confirm the agent responds correctly. (6) If it works, git commit. If not, restore the backup from step 1.BRAND NEW CLAW
The complete hardening kit for OpenClaw operators
Every config, every security setting, every backup and recovery procedure you need. Covers gateway hardening, model routing, exec permissions, memory scoping, and more. Designed for operators who want their setup stable and auditable from day one.
FAQ
My agent responded to the rollback command but the gateway still shows the old config. Did it work?
The agent writes the change to disk immediately. The change takes effect on the next gateway restart. If you did not restart, the running gateway process is still using the version of the config it loaded at startup, held in memory. The file on disk is updated, but the running process does not re-read it until you restart.
Always include a restart in the rollback command: “Revert [setting] and restart the gateway.” Confirm it is live: “What is the current value of [setting]?” If the value is correct but behavior is still wrong, ask the agent to restart the gateway again and wait 15 seconds.
I do not know what I changed. How do I find the cause?
Three approaches, fastest to most thorough.
First:
Show me the last 100 lines of the OpenClaw gateway log and tell me what errors appear and what they mean in plain English.
Second:
Compare my current openclaw.json against OpenClaw’s default config values. List every setting that differs, what my current value is, what the default is, and whether my value looks valid.
Third, if your config is in git: git -C ~/.openclaw log --oneline -- openclaw.json to see the change history, then git -C ~/.openclaw diff HEAD~1 openclaw.json to see what changed in the last commit. Lines with - are the old values. Lines with + are the new (broken) values.
Is it safe to run openclaw backup restore while the gateway is running?
Stop the gateway first, then restore, then restart. Restoring while the gateway is running risks a corrupted config because both processes may write to the same files simultaneously. Stop the gateway first, always.
Using systemd with Restart=always: use sudo systemctl stop openclaw-gateway instead of openclaw gateway stop. systemd will restart the process immediately after a regular stop command.
My openclaw.json has no syntax errors but openclaw config validate still fails. What is happening?
JSON syntax and schema validation are different checks. Syntax means the structure is correct (no missing commas, no broken brackets). Schema means the values follow OpenClaw’s rules (right types, required fields present, recognized values). A file can have perfect syntax and still fail schema validation.
Common schema failures:
- Wrong type: a field expecting true or false has “true” or “false” in quotes (a string, not a boolean)
- Invalid value: a field accepting specific options has an unrecognized one (like an exec security mode that does not exist)
- Missing required field: a required setting was accidentally deleted
- Missing nested object: a plugin entry references a config block that does not exist
The validate output names the exact field and what was expected. “agents.defaults.contextTokens: expected number, got string” tells you the field and the fix (remove the quotes from the value).
I have dozens of backups. How do I know which one to restore?
The backup filename includes the timestamp. Match it to when you last had a working config. If you changed something and broke it at 2:15pm, you want the newest backup with a timestamp before 2:15pm.
To inspect a backup without restoring it (a .tar.gz file is a compressed archive, like a zip file; tar is the command to open it):
tar -xzf ~/.openclaw/backups/openclaw-backup-YYYYMMDD-HHMMSS.tar.gz -O openclaw.json
macOS (BSD tar): tar -xzf ~/.openclaw/backups/openclaw-backup-YYYYMMDD-HHMMSS.tar.gz --to-stdout openclaw.json
Both print the openclaw.json from inside the backup without extracting anything. If you get no output, run tar -tzf ~/.openclaw/backups/FILE.tar.gz to list what is inside and find the correct path.
If you are not sure which backup is good: restore the second-newest one first (not the newest, which is from after the bad change). Work backwards if needed.
The gateway restarted but I cannot tell if everything is working. How do I test it?
Run a self-check. Tell me which model you are currently using, whether you can access tools, whether memory is working, and whether the gateway config validates cleanly. If anything fails, tell me exactly what failed and what the error is.
If the agent responds and reports all systems working, you are back to a known good state.
I changed the exec security setting and now my agent cannot run any commands. Am I locked out?
The exec setting controls what terminal commands the agent is allowed to run on your behalf. The gateway is still up. The agent still responds to messages. You have restricted what the agent can do, not your own access to it.
Set agents.defaults.tools.exec.security to “full” and restart the gateway.
openclaw config set agents.defaults.tools.exec.security full then openclaw gateway restart. Valid values: full (unrestricted), allowlist (only listed commands), deny (no terminal commands at all).I am running OpenClaw in Docker and none of these commands work.
Docker runs OpenClaw in an isolated container separate from your host machine. The openclaw command lives inside the container. All commands in this article need docker exec -it <container-name> in front of them.
docker exec -it openclaw-gateway openclaw gateway statusdocker exec -it openclaw-gateway openclaw config validatedocker exec -it openclaw-gateway openclaw doctor
Find your container name: docker ps | grep openclaw. If stopped, start it: docker start <container-name>, then check logs: docker logs <container-name> --tail 50.
The config file inside the container is at /home/node/.openclaw/openclaw.json. If you mounted it as a volume (a shared folder between container and host), you can edit it from the host at the mount path. Edits via volume mount do not take effect until the gateway restarts inside the container.
Minimal images (Alpine-based): nano is not installed. Use vi /home/node/.openclaw/openclaw.json or install nano: apk add nano.
I am on macOS and journalctl is not found.
journalctl is Linux-only (systemd). macOS uses launchd and the log command for log viewing.
log show --predicate 'process == "openclaw"' --last 10m --style compact
If no results: check ~/.openclaw/logs/gateway.log or run find ~/.openclaw -name "*.log" -type f to find log files.
I am on Windows and the paths in this article do not work.
OpenClaw installed natively on Windows via npm: config is at %APPDATA%\openclaw\openclaw.json. Open it with notepad %APPDATA%\openclaw\openclaw.json in CMD. The openclaw command works in CMD and PowerShell if npm’s global bin is in your PATH. To check your npm global bin path: run npm prefix -g in CMD or PowerShell. The output is the folder that should be in your PATH, typically %APPDATA%\npm. If openclaw is not found, add that folder to your PATH via System Settings > Environment Variables.
OpenClaw installed inside WSL2 (Windows Subsystem for Linux 2, a Linux environment built into Windows 10/11): all the Linux commands in this article work as written inside your WSL2 terminal. The config is at ~/.openclaw/openclaw.json inside the WSL2 filesystem, not in the Windows filesystem. Open the WSL2 terminal, not PowerShell or CMD, before running any commands.
I initialized git in ~/.openclaw. Will it track files I do not want?
git init ~/.openclaw creates a git repository covering the entire ~/.openclaw/ directory, which includes session JSONLs, LCM databases, plugin node_modules, and log files alongside your config. Without a .gitignore, running git add -A could commit all of those, bloating the repo and potentially committing session data you did not intend to share.
The git setup instructions in this article include a .gitignore creation step that excludes databases, logs, session archives, and node_modules. If you already initialized git without one, create the file now:
printf "*.db\n*.log\nlogs/\nsessions/\nsessions-archive/\nnode_modules/\n" > ~/.openclaw/.gitignoregit -C ~/.openclaw add .gitignoregit -C ~/.openclaw commit -m "add gitignore"
Then always use git -C ~/.openclaw add openclaw.json specifically rather than git add -A to commit only what you intend.
Key terms
Gateway: The background process that runs your OpenClaw agent. It starts when you launch OpenClaw and keeps running. When you open the chat, you are connecting to the gateway.
Config file (openclaw.json): The text file that controls how OpenClaw behaves: which AI model to use, what port the gateway listens on, which plugins are enabled, where API keys are stored. Located at ~/.openclaw/openclaw.json (Linux/macOS/WSL2) or %APPDATA%\openclaw\openclaw.json (Windows native).
Port: A numbered channel on your server. The gateway listens on a specific port (default: 18789) for incoming connections.
Bind address / gateway.bind: Controls which network interfaces accept connections. 127.0.0.1 = loopback only (same machine). 0.0.0.0 = all interfaces (any machine that can reach your server).
Loopback (127.0.0.1): Traffic sent to this address never leaves the machine. If the gateway is loopback-only, only a browser running on the same computer can connect.
API key: A long string of characters proving you are an authorized user of an AI provider (Anthropic, DeepSeek, OpenAI, etc.). Stored in openclaw.json.
Rotate (credentials): Generate a new API key and replace the old one. Done when a key may have been exposed.
SSH: A way to open a terminal on a remote server from your own computer over an encrypted connection.
VPS (Virtual Private Server): A remote server you rent from a hosting company. Common providers: DigitalOcean, Hetzner, AWS, Vultr.
Firewall: Software or a network device that blocks or allows connections on specific ports. Can block access silently with no error message.
Reverse proxy: A server (Nginx, Caddy) that sits in front of the gateway, handles connections on its behalf, and can add authentication or HTTPS.
systemd: The service manager on most Linux systems. Starts, stops, and restarts background services. Can restart them automatically if they crash.
launchd: The service manager on macOS. Same role as systemd.
JSON: The file format used by openclaw.json. Uses curly braces, colons, and commas. One missing comma or extra brace breaks the entire file.
Schema: The ruleset defining which fields are allowed in openclaw.json, what type each must be, and which are required.
WSL2 (Windows Subsystem for Linux 2): A feature in Windows 10/11 that runs a Linux environment inside Windows. Gives you a Linux terminal and filesystem on a Windows machine.
git: Version control software. Keeps a timestamped history of file changes. Lets you roll back any file to any previous saved state.
Go deeper
Security
I accidentally pushed my openclaw.json to GitHub
If your config ended up in a public repository, the first step is credential rotation. This walks the full incident response: what to rotate, in what order, and how to verify nothing was used.
Security
How to set up SSH tunneling so OpenClaw never touches the public internet
If you want gateway.bind on 127.0.0.1 for security but still need remote access, SSH tunneling is how. Keeps the gateway off the public internet entirely while still letting you reach it from anywhere.