OpenClaw CLI Command Cheat Sheet (and the Reddit FAQ)

OpenClaw has a lot of subcommands, and the docs are deep — but most real-world usage (and most Reddit threads) repeatedly circle the same themes:

• “Is my gateway even running?”
• “Why does the dashboard say unauthorized?”
• “Why does the UI/TUI disconnect with pairing required (1008)?”
• “Gateway disconnected (4008)… what do I run first?”
• “What’s the smallest set of commands I can paste when asking for help?”

This guide is a practical command map plus a community-driven FAQ. It also links to deeper CoClaw pages when you need them.

If you want one thing to remember: always start from --help.

openclaw --help
openclaw <command> --help

What this guide helps you finish

This page is not trying to teach every OpenClaw subcommand. It is trying to get you from “something feels broken” to the right layer, the right command, and the right evidence bundle fast.

By the end, you should know:

• which command to run first when the gateway, dashboard, channels, or models feel wrong
• how to collect a small, shareable diagnostic bundle instead of random screenshots
• when a symptom belongs to auth, pairing, channels, models, or runtime drift
• where to go next once the CLI tells you which layer is failing

Who this is for (and not for)

Use this page if you know the symptom you are seeing but not the smallest command set that will clarify it.

If you already know the exact subsystem and need a full workflow guide, jump straight to the linked deep-dive pages.

Before you run the 60-second diagnosis pack: collect these four facts

1. Which host are you actually on? Local laptop, container shell, VPS, or node host.
2. What changed most recently? Update, new token, new proxy path, new channel, or new model config.
3. Which surface is failing? Gateway, dashboard, TUI, channel replies, or model calls.
4. What evidence do you need to share if the quick pack does not solve it? Logs, status output, and probe results beat narrative guesses.

0) The mental model (why “random commands” don’t help)

Most issues are not “OpenClaw is broken”. They’re typically one of these:

1. Gateway layer: service not running, wrong port/bind, wrong host, wrong profile.
2. Auth layer: token mismatch (dashboard unauthorized) or password mismatch.
3. Pairing layer: new device not approved (1008 pairing required).
4. Channel layer: WhatsApp/Telegram/Slack session expired or disconnected.
5. Model layer: API key missing/expired, rate limit, wrong endpoint (OpenAI-compatible relays).

The sections below map commands to these layers so you can stop guessing.

1) The 60-second diagnosis pack (pasteable)

When Reddit asks “what do I run?”, this is the high-signal bundle.

Run on the gateway host (local machine, container shell, or SSH session to the server):

# 1) “Tell me everything that’s safe to paste”
openclaw status --all

# 2) Is the gateway service alive and reachable?
openclaw gateway status

# 3) Can it actually call your model provider (live)?
openclaw models status --probe

# 4) Are channels authorized and probeable?
openclaw channels status --probe

# 5) Tail recent logs (use --plain when sharing)
openclaw logs --limit 200 --plain

Notes:

• openclaw status --all is intentionally designed to be “copy/paste friendly”.
• openclaw doctor is your next move if the above indicates service/auth drift:

  openclaw doctor

  Only use repair modes when you understand the tradeoff: openclaw doctor --repair / openclaw doctor --force.

Deep dives:

• Operability patterns: /guides/openclaw-operability-and-observability
• “No response / rate limits”: /guides/openclaw-no-response-and-rate-limit-troubleshooting

2) The commands people actually use (task-first cheat sheet)

Setup / onboarding

openclaw onboard
openclaw onboard --install-daemon
openclaw configure

Open the dashboard (Control UI)

openclaw dashboard

If you’re on a remote host, the CLI prints a tokenized URL. That is often the fastest fix for “unauthorized”.

Deep dive:

• /guides/control-ui-auth-and-pairing

Terminal UI (TUI)

openclaw tui

Common remote pattern (when you need to be explicit):

openclaw tui --url ws://HOST:PORT --token "$OPENCLAW_GATEWAY_TOKEN"

Gateway service operations (VPS/Docker/always-on)

openclaw gateway run
openclaw gateway install
openclaw gateway start
openclaw gateway stop
openclaw gateway restart
openclaw gateway status
openclaw gateway probe

If you’re publishing access (LAN / Tailnet / reverse proxy), pay attention to --bind:

openclaw gateway run --bind loopback --port 18789

Related:

• Deployment troubleshooting: /guides/openclaw-deployment-troubleshooting
• Docker deployment: /guides/docker-deployment

Devices (pairing required, 1008 loops)

If the UI/TUI disconnects with 1008: pairing required, the fix is usually a one-time device approval:

openclaw devices list
openclaw devices approve <requestId>

Last-resort cleanup (use with care on shared hosts):

openclaw devices remove <deviceId>
openclaw devices clear

Deep dive:

• /guides/control-ui-auth-and-pairing
• /guides/openclaw-pairing-explained

Channels (connectors)

openclaw channels list
openclaw channels login --channel whatsapp
openclaw channels add --channel telegram --token <token>
openclaw channels status --probe
openclaw channels logs

Channel guides:

• /guides/telegram-setup
• /guides/whatsapp-setup

Messaging (send/read)

openclaw message send --target <id-or-number> --message "Hello"
openclaw message read --target <id-or-number>

If you need IDs (common on Discord/Slack/Telegram):

openclaw directory self
openclaw directory peers
openclaw directory groups

Models (what is configured, what is actually reachable)

openclaw models list
openclaw models status
openclaw models status --probe
openclaw models set <model>

Local / OpenAI-compatible relays:

• /guides/self-hosted-ai-api-compatibility-matrix
• /guides/choose-local-ai-api-path-for-openclaw

Config (read, set, validate)

openclaw config file
openclaw config validate
openclaw config get <dot.path>
openclaw config set <dot.path> <value>

Logs (when you need evidence)

openclaw logs --limit 200
openclaw logs --follow
openclaw logs --plain --limit 200

Backup + update (before you do anything scary)

openclaw backup create
openclaw backup verify <archive>

openclaw update status
openclaw update

Deep dives:

• /guides/openclaw-backup-and-rollback
• /guides/updating-and-migration

3) The Reddit FAQ (what people worry about)

“Gateway disconnected (4008)”

Common causes:

• gateway service isn’t running (or running under a different profile)
• you’re hitting the wrong host/port (local vs remote)
• auth token mismatch, or device pairing is required

Start here:

openclaw gateway status
openclaw status --all
openclaw logs --plain --limit 200

If you see repeated reconnect loops, treat it as auth/pairing first:

• /guides/control-ui-auth-and-pairing

“Dashboard says unauthorized”

Almost always: you opened a non-tokenized URL or your token sources disagree.

Do this first:

openclaw dashboard

Then confirm you didn’t override the token in a different place (OPENCLAW_GATEWAY_TOKEN, config profile, container env, reverse proxy headers).

“Pairing required (1008) loop in the UI/TUI”

Approve the device once on the gateway host:

openclaw devices list
openclaw devices approve <requestId>

If you keep re-pairing on every reconnect, you likely have non-persistent state (common in containers) or multiple gateways fighting each other.

Start with:

• /guides/docker-deployment
• /guides/openclaw-state-workspace-and-memory

“I set exec to full, but tools still won’t run”

This is usually an approvals / allowlist problem on the actual execution host (gateway host or node host).

Start with:

• /guides/openclaw-exec-approvals-and-safe-bins

4) Community threads (Reddit) worth reading

These are representative threads that match the FAQ themes above (good for seeing real logs, real setups, and common pitfalls):

• Unauthorized dashboard access: https://www.reddit.com/r/openclaw/comments/1joyaco/unauthorized_gateway_when_opening_dashboard_on/
• Gateway disconnected (4008): https://www.reddit.com/r/openclaw/comments/1j2b9zf/anyone_else_have_gateway_disconnected_4008_after_fresh_install/
• Pairing required loop in the TUI: https://www.reddit.com/r/openclaw/comments/1jxt1ze/pairing_required_loop_when_opening_the_tui/
• “Stopped responding, what do I run?”: https://www.reddit.com/r/openclaw/comments/1h6en83/my_clawdbot_suddenly_stopped_responding_what_to_do/
• CLI command not found after install: https://www.reddit.com/r/clawdbot/comments/1ik8pe1/clawdbot_openclaw_cli_command_not_found_after_installing/

Tip: when you read older threads, always check whether the commands still exist with openclaw --help. Subcommands do change across releases.

Verification checklist after your first diagnosis pass

A good first-pass diagnosis should leave you with all of these:

• one failing layer identified more clearly than before
• one status or probe output you can paste when asking for help
• one next guide that matches the real subsystem, not a guess
• enough evidence to avoid random config edits

When to stop guessing and escalate with evidence

If the 60-second pack does not narrow the problem, stop experimenting and share the smallest reproducible evidence bundle: status --all, gateway status, the relevant probe output, and a short description of what changed. That is what turns a Reddit-style thread from “maybe try this” into an actual diagnosis.