Authentication
WednesdayAI supports API keys and OAuth tokens for AI providers, plus delegated authentication through a trusted reverse proxy for multi-user deployments. This page covers provider authentication and the gateway access token. For per-provider details, see the provider guides.Quick start — API key
For a long-lived gateway, an API key is the most reliable option. OAuth/subscription tokens can expire and require interactive renewal; API keys do not.Persist it for the daemon
Put the key in
~/.openclaw/.env so the gateway service reads it at startup — shell environment is not inherited by systemd/launchd services:Supported providers
Anthropic (Claude)
API key, OAuth token, or setup-token
OpenAI
API key or Codex OAuth
Google (Gemini)
AI Studio key or Vertex AI
Ollama (local)
No auth — runs locally
OpenRouter
API key
LiteLLM / Bifrost
Proxy key
Environment variable lookup order
WednesdayAI resolves provider credentials in this order (first match wins):| Priority | Variable | Notes |
|---|---|---|
| 1 | OPENCLAW_LIVE_<PROVIDER>_KEY | Single override, useful in CI |
| 2 | <PROVIDER>_API_KEYS | Comma- or semicolon-separated list for rotation |
| 3 | <PROVIDER>_API_KEY | Standard single key |
| 4 | <PROVIDER>_API_KEY_* | Numbered variants (_KEY_1, _KEY_2, …) |
<PROVIDER> with the uppercase provider name: ANTHROPIC, OPENAI, OPENROUTER, etc. Google/Gemini providers also fall back to the bare GOOGLE_API_KEY. The gateway deduplicates entries before use.
Key rotation
When a provider returns a rate-limit error (HTTP 429 orrate_limit/quota/resource exhausted in the body), the gateway retries with the next key in the rotation list. Non-rate-limit errors are not retried with alternate keys.
Anthropic subscription (setup-token)
If you have a Claude subscription rather than an API key, the setup-token flow is supported. Generate the token on any machine, then paste it on the gateway host:Auth profiles
Auth profiles let you maintain multiple sets of credentials for the same provider and switch between them per-session or per-agent.--agent <id> to target a specific agent. Per-session override in a running chat:
/model anthropic/claude-sonnet-4-6@anthropic:work
Gateway access token
Provider credentials are separate from the gateway access token, which authenticates callers to the gateway API and control panel. It is configured undergateway.auth (not the top-level auth key, which is the provider credential store). See Gateway configuration for the full resolution order.
Rotating the gateway token
Update config (and env if used)
Set
gateway.auth.token in ~/.openclaw/openclaw.json. If OPENCLAW_GATEWAY_TOKEN is also set (for example in a systemd EnvironmentFile), update or remove it too — the env var takes precedence and will block the config change otherwise.Automated auth monitoring
To detect expiring tokens in unattended deployments:Trusted-proxy auth (multi-user)
For deployments behind an identity-aware reverse proxy (Pomerium, Caddy + OAuth, nginx + oauth2-proxy), you can delegate authentication to the proxy. Use it when: you are behind an identity-aware proxy, want SSO/IdP login, or hit WebSocket1008 Unauthorized because browsers cannot pass tokens in WebSocket handshakes.
Do not use it when: the proxy is a TLS terminator only, any path bypasses the proxy, or you only need single-user access (use Tailscale Serve + loopback instead).
allowUsers become the effective access control.
Troubleshooting
"No credentials found"
"No credentials found"
- Check the env var is set on the gateway host:
echo $ANTHROPIC_API_KEY - For a daemon, the key must be in
~/.openclaw/.env— shell env is not inherited by systemd/launchd. - Restart the daemon after adding the key.
- Verify:
openclaw models status
Token expired
Token expired
For setup-token (subscription) auth, re-run
claude setup-token and openclaw models auth paste-token --provider anthropic. For long-lived deployments, switch to an API key.