← All guides

OpenClaw Gateway Explained: What It Does, How to Fix It, and Best Practices

Everything you need to know about the OpenClaw gateway: what it does, how to monitor it, and how to fix it when it breaks.

Need help with your gateway?

Book a Call for 1:1 setup or troubleshooting help.

The OpenClaw Gateway is the central process that routes messages between your agents, channels (Telegram, WhatsApp, Discord), and tools. If your gateway is not running, nothing works. Here is what it does, how to check its status, and how to fix the most common issues.

TL;DR

  • The gateway is the single process that connects agents, channels, and tools.
  • Run openclaw gateway status to check health. Run openclaw gateway restart to fix most issues.
  • Default port is 18709. Bind to loopback for local-only, lan if other devices need access.
  • Token mismatches are the #1 gateway error. Regenerate with openclaw doctor --generate-gateway-token.
  • On Mac, use openclaw gateway install to create a launchd service so the gateway survives reboots.

What the gateway actually does

Think of the gateway as the switchboard operator for your entire OpenClaw setup. Every message flows through it. When your Telegram bot receives a message, the gateway picks it up, routes it to the correct agent, waits for the agent to call any tools it needs, and sends the response back through the channel. Without the gateway, agents have no way to receive input or deliver output.

The gateway handles four responsibilities:

  1. Message routing. Inbound messages from any channel get matched to the right agent based on your routing rules.
  2. Authentication. Every connection to the gateway requires a valid token. This prevents unauthorized access to your agents and tools.
  3. Tool execution. When an agent calls a tool (file read, web search, API call), the gateway brokers that execution and returns the result.
  4. Channel management. The gateway maintains persistent connections to each configured channel and handles reconnection when connections drop.

Key gateway commands

These three commands cover 90% of gateway management:

# Check if the gateway is running and healthy
openclaw gateway status

# Restart the gateway (fixes most transient issues)
openclaw gateway restart

# Install the gateway as a system service
openclaw gateway install

The status command returns the process state, uptime, port, binding mode, connected channels, and recent errors. Always run it first when something breaks.

The restart command does a graceful stop followed by a fresh start. Connected channels and agents reconnect automatically within a few seconds.

The install command registers the gateway as a persistent service so it starts on boot and restarts if it crashes. On macOS this creates a launchd plist. On Linux it creates a systemd unit.

Gateway binding: loopback vs lan

The binding mode controls which network interfaces the gateway listens on.

# Local only (recommended default)
openclaw config set gateway.bind loopback

# Accessible from other devices on your network
openclaw config set gateway.bind lan

Use loopback when everything runs on one machine. The gateway only accepts connections from 127.0.0.1. This is the secure default and what you should use unless you have a specific reason not to.

Use lan when you need other devices on your local network to reach the gateway. For example, if your agents run on a Mac Mini but you access the Control UI from a laptop on the same network, you need lan binding.

Never expose the gateway to the public internet without a reverse proxy and TLS in front of it. See the security checklist for the full hardening guide.

Token management

The gateway requires a token for every connection. This prevents unauthorized clients from sending commands to your agents.

# View current token
openclaw config get gateway.auth.token

# Generate a new token
openclaw doctor --generate-gateway-token

When you regenerate a token, every connected client (Control UI, channel bridges, external integrations) needs the new value. The most common symptom of a stale token is a disconnected (1008): unauthorized error in the logs.

If you use Docker, the token can also be set via the OPENCLAW_GATEWAY_TOKEN environment variable. When both the env var and config file exist, the env var wins. This is a frequent source of mismatch issues. Pick one method and stick with it.

Port 18709: what it is and how to check for conflicts

Port 18709 is the default gateway port for RPC and WebSocket traffic. If another process is already using it, the gateway fails to start with:

timed out waiting for gateway port 18709

Find what is using the port:

# macOS / Linux
lsof -i :18709

# If something else owns it, either stop that process or change the gateway port
openclaw config set gateway.port 18710

After changing the port, restart the gateway with openclaw gateway restart.

Mac launchd setup (persistent gateway)

On macOS, the gateway stops when you close the terminal unless you install it as a launchd service.

# Install the launchd plist
openclaw gateway install

# Verify it registered
launchctl list | grep openclaw

# Manual start/stop via launchctl
launchctl start com.openclaw.gateway
launchctl stop com.openclaw.gateway

The plist lives at ~/Library/LaunchAgents/com.openclaw.gateway.plist. If you need to uninstall it:

openclaw gateway uninstall

Logs for the launchd service go to ~/.openclaw/logs/gateway.log. Check there first when the service is running but behaving unexpectedly.

Docker gateway considerations

In Docker, the gateway runs inside the container. A few things change:

  • Binding must be lan (or auto), not loopback, because the container’s loopback is isolated from the host. If you bind to loopback inside Docker, nothing outside the container can reach the gateway.
  • Port mapping is handled in your docker-compose.yml with ports: "18709:18709". Make sure the host port is free.
  • Token via env var is the cleanest approach. Set OPENCLAW_GATEWAY_TOKEN in your Compose environment block rather than baking it into the config file.
  • Health checks should target the gateway’s health endpoint. The Docker setup guide has a full production Compose file with health checks included.

Top 5 gateway errors and quick fixes

ErrorFix
disconnected (1008): unauthorizedToken mismatch. Run openclaw config get gateway.auth.token and update clients.
timed out waiting for gateway port 18709Port conflict. Run lsof -i :18709 to find the blocking process.
gateway not runningStart it with openclaw gateway restart or install the service with openclaw gateway install.
connection refused on 127.0.0.1:18709Gateway is bound to a different interface or port. Check with openclaw gateway status.
EADDRINUSE 0.0.0.0:18709Another gateway instance is already running. Kill it with openclaw gateway stop first.

For a deeper dive into each error with full logs and context, see the complete troubleshooting guide.

Try this now

Open a terminal and run:

openclaw gateway status

If the output says "running," you are good. If it says "not running" or shows errors, work through the fixes above. Still stuck? Book a Call and we will walk through it together.

Next steps

Need OpenClaw fixed live?

Remote rescue sessions for gateway, auth, tunnel, VPS, and model access problems.

See Rescue Session

Read next

Caveman Mode for Claude Code: Cut Output Tokens 61-75% (2026)
Caveman Mode is a CLAUDE.md snippet that strips preambles, summaries, and filler to cut Claude Code output tokens 61-75% — about $100-140/month saved with no loss of code quality.
Restart Claude Code Sessions at 200K Tokens (Save Up to 80%) (2026)
Every Claude Code message resends the full conversation. Past 200K tokens the cost per message balloons. Restarting with a handoff doc cut one developer's bill from $1,600 to $320.
Fix the claude -p $1,800 API Bill Trap (2026)
The claude -p print-mode flag bills via API even on a paid Max plan — one overnight run hit $1,800. Here is how to check your auth mode and never get burned.