A working OpenClaw install is only the beginning. The moment you start connecting chat apps, remote access, or extra tools, configuration becomes the difference between a clean personal assistant setup and a gateway that is far too open or oddly fragile.
That sounds heavier than it really is. Most people do not need to memorize the full OpenClaw schema. You just need to understand which settings matter first, where they live, and how to change them without turning the Gateway into a debugging project.
If you still need the base install and onboarding path, start with How to Install OpenClaw on Ubuntu and Complete Your First Setup. This guide assumes the CLI already works and you are ready to tune the setup you now have.
Where OpenClaw configuration lives
OpenClaw reads its main config from:
~/.openclaw/openclaw.json
The docs call this an optional JSON5 config, which matters because JSON5 is more forgiving than plain JSON. Comments and trailing commas are allowed, which makes hand-editing much less annoying.
If the file does not exist, OpenClaw falls back to safe defaults. That is a good starting point, but the defaults are not the same thing as a finished setup.
The four safe ways to edit it
You do not have to edit the file by hand every time.
1. Run onboarding again
openclaw onboard
This is still the friendliest option if you want guided setup.
2. Use the config wizard
openclaw configure
That is a nice middle ground when you want help without redoing everything.
3. Use CLI one-liners
openclaw config get agents.defaults.workspace
openclaw config set agents.defaults.heartbeat.every "2h"
openclaw config unset plugins.entries.brave.config.webSearch.apiKey
This is the best path when you know exactly what you want to change.
4. Use the Control UI
Open the dashboard and use the Config tab.
The UI renders a form from the live schema and also includes a Raw JSON editor when the form view is not enough.
The first rule: OpenClaw validates config strictly
This is the part beginners usually learn the annoying way.
OpenClaw does strict schema validation. Unknown keys, bad types, and invalid values can make the Gateway refuse to start. The docs are explicit about that.
So if you are used to tools that silently ignore sloppy config, do not assume OpenClaw will do the same.
When a config change goes sideways, run:
openclaw doctor
And if you want OpenClaw to try common repairs:
openclaw doctor --fix
That single habit will save you time.
The settings that matter first
If I were helping someone tune a fresh OpenClaw setup, these are the areas I would touch before anything more exotic.
1. Keep the Gateway bound to loopback unless you have a real reason not to
For many personal setups, the safest default is still local-only access.
That means keeping the Gateway on loopback instead of exposing it broadly on the network. The OpenClaw docs repeatedly treat loopback plus SSH or Tailscale as the normal safer pattern.
Why this matters:
it keeps the Control UI off the public internet by default
it reduces accidental exposure while you are still learning the platform
it works well with SSH tunneling and Tailscale Serve later
If you are running OpenClaw on a VPS or home server, this is usually the better beginner posture than opening the port directly.
2. Decide who is allowed to message your bot
As soon as you connect a chat channel, access control becomes a real issue.
The docs show a shared pattern across channels such as Telegram:
{
channels: {
telegram: {
enabled: true,
botToken: "123:abc",
dmPolicy: "pairing",
allowFrom: ["tg:123"],
},
},
}
The key setting here is dmPolicy.
For Telegram, OpenClaw supports:
pairingallowlistopendisabled
For a personal assistant, pairing or allowlist makes the most sense.
I would be very cautious with open. The Telegram docs specifically warn that an open bot can let any Telegram account that finds or guesses the username start commanding it. That is not what most people want on a tool-enabled assistant.
3. Require mentions in groups unless you intentionally want always-on behavior
Group chats get messy fast.
OpenClaw's docs show a good default pattern like this:
{
channels: {
telegram: {
enabled: true,
botToken: "123:abc",
dmPolicy: "pairing",
groups: {
"*": { requireMention: true },
},
},
},
}
This is one of the most practical beginner settings in the whole platform.
requireMention: true helps prevent the bot from reacting to every stray line in a group. It also lowers the odds of accidental tool use from background chatter, jokes, or messages that were never meant for the assistant in the first place.
If you later want a more active group workflow, you can relax that deliberately. It is a much better idea than starting wide open.
4. Choose a remote-access pattern before you expose anything
One of OpenClaw's strengths is that the Gateway can live on one machine while you connect from somewhere else.
The docs describe three beginner-reasonable remote patterns:
SSH tunnel as the universal fallback
Tailscale Serve for a cleaner tailnet-only browser path
direct LAN or Tailnet bind when you intentionally trust that private network
SSH tunnel: boring and reliable
ssh -N -L 18789:127.0.0.1:18789 user@host
This keeps the remote Gateway loopback-only and forwards it to your local machine.
Tailscale Serve: strong default for people already using Tailscale
The Tailscale docs for OpenClaw are unusually clear here. A simple config looks like this:
{
gateway: {
bind: "loopback",
tailscale: { mode: "serve" },
},
}
That keeps OpenClaw on 127.0.0.1 while Tailscale handles HTTPS and tailnet routing.
For a personal setup, that is much cleaner than throwing the dashboard onto a public reverse proxy before you understand the rest of the security model.
Direct Tailnet bind: only when you mean it
The docs also show this pattern:
{
gateway: {
bind: "tailnet",
auth: { mode: "token", token: "your-token" },
},
}
That is valid, but it is a deliberate exposure choice, not just a convenience toggle. If you are early in your OpenClaw setup, I think loopback plus SSH or Tailscale Serve is the safer first move.
5. Make authentication an actual decision, not an afterthought
OpenClaw supports several gateway auth modes, including:
nonetokenpasswordtrusted-proxy
For most normal self-hosters, the useful choices are token or password.
The Tailscale docs also note that allowTailscale can let Control UI and WebSocket auth use verified Tailscale identity headers in Serve mode, but that assumes you trust the host boundary. If you want the simplest conservative posture, explicit token or password auth is easier to reason about.
The main thing is this: do not leave remote access vague. Decide how the Gateway authenticates before you make it reachable anywhere beyond localhost.
A clean starter config example
This is not the only valid way to configure OpenClaw, but it is a good example of a cautious personal setup:
{
gateway: {
bind: "loopback",
auth: { mode: "token", token: "replace-with-a-real-token" },
tailscale: { mode: "serve" },
},
channels: {
telegram: {
enabled: true,
botToken: "123:abc",
dmPolicy: "pairing",
groups: {
"*": { requireMention: true },
},
},
},
}
Why I like this shape for beginners:
the Gateway stays local on the host
remote browser access can happen over Tailscale instead of broad public exposure
Telegram DMs are not open to everyone by default
groups need an explicit mention before the bot wakes up
That is a much saner baseline than connecting a chat app and hoping the defaults happen to match your threat model.
The Control UI is better than many people realize
A lot of people assume the web dashboard is just there for chatting.
It is more useful than that. The docs say the Control UI can:
edit config
validate and apply changes
manage channels
inspect sessions
manage skills
handle cron jobs
review device approvals
That matters because it means you do not have to treat OpenClaw like a terminal-only system once the base install is working.
What to do when a config edit breaks something
When the Gateway stops behaving normally, use the current troubleshooting ladder from the docs instead of guessing.
openclaw status
openclaw gateway status
openclaw logs --follow
openclaw doctor
openclaw channels status --probe
That sequence is worth bookmarking because it covers the most common failure modes:
the service is down
the config is invalid
a channel is misconfigured
an update changed something important
the Gateway is up but not actually healthy
My practical recommendation
If you are new to OpenClaw, do not try to tune everything.
Start with these questions only:
is the Gateway staying on loopback?
who can DM the bot?
do group chats require a mention?
how will remote access work?
what auth mode protects that access?
If you answer those cleanly, your setup will already be in much better shape than the average first attempt.
The main thing to remember
OpenClaw's configuration system is powerful, but the beginner mistake is thinking power means you should touch everything immediately.
You should not.
Treat config as a way to make access, channel behavior, and remote use intentional. Once those basics are solid, the rest of the platform becomes much easier to expand safely.
A good next step after this
Once your config is stable, the next high-value OpenClaw follow-up is usually one of these:
a focused troubleshooting pass
a channel-specific setup like Telegram
a remote-access article built entirely around Tailscale or another private-access workflow
That is when OpenClaw starts feeling like a dependable system instead of just an interesting install.
Frequently Asked Questions
Where does OpenClaw keep its main config file?
Can I edit OpenClaw config from the browser instead of a terminal?
What should I run if OpenClaw stops starting after a config change?
Was this article helpful?
Let me know so I can keep improving.