Beginner
WhatsApp / Messaging
Estimated time: 10 min

Configure WhatsApp for OpenClaw (Baileys / WhatsApp Web)

Connect WhatsApp to OpenClaw, choose a safe inbound policy, complete QR login, and verify that only intended senders can reach the agent.

Implementation Steps

If possible, use a separate phone number for the assistant. This reduces account risk and avoids self-chat quirks.

What this guide helps you finish

By the end of this guide, you should have one WhatsApp login path working, one deliberate inbound access policy in place, and a quick recovery path if the session drops later.

Who this is for (and not for)

This guide is for operators setting up WhatsApp for the first time and trying to keep the blast radius small.

It is not the best page if your WhatsApp connection already exists and you only need a narrow credential or listener fix.

Before you start: collect these four facts

Before you scan a QR code, decide:

  1. whether you can use a dedicated number,
  2. whether unknown senders should be blocked or paired,
  3. whether you need self-chat mode or a real external contact path,
  4. where your OpenClaw state directory is backed up.

Those choices shape almost every later recovery decision.

Before you start (important expectations)

OpenClaw connects to WhatsApp using the WhatsApp Web flow (Baileys-style). That means:

  • You will log in by scanning a QR code (Linked Devices)
  • The connection relies on WhatsApp Web session credentials stored in your OpenClaw state dir
  • You should treat the WhatsApp integration as “powerful but sensitive”: keep it private and locked down

Official reference:

If you want the fuller operating model before you scan a QR code, read /channels/whatsapp alongside this quick setup guide. Use this page for the shortest path to first login; use the channel page for number strategy, session ownership, and long-run trust posture.

If you’re still getting comfortable with openclaw.json (paths, env vars, allowlists, model refs), see:

If you can, use a separate number for the assistant:

  • Lower risk (you are not experimenting on your personal account)
  • Cleaner routing (no self-chat quirks)
  • Easier recovery if you need to rotate credentials

Avoid “free SMS”/VoIP numbers when possible (WhatsApp often blocks them).

Step 1: minimal WhatsApp config (secure defaults)

Open your config file:

  • Default path: ~/.openclaw/openclaw.json (or $OPENCLAW_STATE_DIR/openclaw.json)

Add a conservative DM policy and allowlist:

{
  channels: {
    whatsapp: {
      // Options are typically: "pairing" (default), "allowlist", "open", "disabled"
      dmPolicy: "allowlist",
      allowFrom: ["+15551234567"],
    },
  },
}

Notes:

  • Use E.164 format (+15551234567)
  • Start strict. You can loosen it later once you trust your setup.

Step 2: log in (scan QR)

Run:

openclaw channels login

Then on your phone:

  • WhatsApp -> Settings
  • Linked Devices -> Link a device
  • Scan the QR

When login succeeds, OpenClaw will persist credentials under your state directory. Back up your state directory if you want an easy restore path.

Step 3: choose your inbound DM policy

You have two common secure patterns:

Option A (simplest): allowlist only

  • Set dmPolicy: "allowlist"
  • Add trusted numbers to allowFrom
  • Everyone else is blocked

Option B (friendlier): pairing

Pairing lets unknown senders request access, and you approve them:

{
  channels: {
    whatsapp: {
      dmPolicy: "pairing",
    },
  },
}

Approve requests:

openclaw pairing list whatsapp
openclaw pairing approve whatsapp <code>

Optional: personal number + self-chat mode (fallback)

If you must run on your personal number, enable self-chat mode and keep an allowlist:

{
  channels: {
    whatsapp: {
      selfChatMode: true,
      dmPolicy: "allowlist",
      allowFrom: ["+15551234567"],
    },
  },
}

This is useful for testing without messaging other people.

Verification checklist after login

Before you call the setup done, verify:

  • the QR login completed and survived one gateway restart
  • one intended sender can reach the agent
  • one unintended sender is blocked or forced into the policy you chose
  • you know how to re-link the session without improvising

What to tighten first if the setup feels risky

If the setup feels too exposed, tighten in this order:

  1. use or move to a dedicated number
  2. move from open behavior to allowlist or pairing
  3. make sure the state directory is private and backed up
  4. keep Control UI and gateway access private while you test

Troubleshooting quick wins

  • QR does not appear: make sure the gateway is running, then rerun openclaw channels login.
  • “Logged out” or messages stop arriving: rerun openclaw channels login to re-link.
  • You changed config but behavior did not change: restart the gateway (openclaw gateway restart).

If the lane links successfully but later throws credential or listener failures, go straight to:

Security checklist (do this)

  • Do not run with dmPolicy: "open" unless you really understand the blast radius.
  • Keep the gateway Control UI private (token/password protected, not public).
  • Keep ~/.openclaw/ private and backed up (it contains WhatsApp creds).

Verification & references

  • Reviewed by:CoClaw Editorial Team
  • Last reviewed:March 14, 2026
  • Verified on: WhatsApp · Messaging

References

  1. OpenClaw docs: /channels/whatsappOfficial docs

Related Resources

One Gateway, Many Agents: Practical Routing, Bindings, and Multi-Account Patterns
Guide
Design a multi-agent OpenClaw setup that stays understandable: choose what should be shared, bind every route on purpose, give each agent a real job, and verify that each ingress path lands on the worker you intended.
OpenClaw Brave `llm-context` Web Search: When It’s Better Than Normal Search
Guide
A practical guide to Brave's `llm-context` mode in OpenClaw: what it returns, when to use it instead of normal web search, how to think about freshness and region, and how to avoid common key and environment mistakes.
OpenClaw Week-One Checklist: Secure Setup You Can Verify
Guide
A beginner-safe, execution-first checklist for your first OpenClaw week: daemon install, tokenized dashboard access, channel safety policy, backups, and fast debugging.
WhatsApp: 'No active WhatsApp Web listener' when sending messages
Fix
Fix outbound WhatsApp send failures by ensuring the gateway process is running and owns the WhatsApp Web socket (restart, re-link, and check runtime).
WhatsApp: channels login fails (408 Request Time-out / WebSocket Error)
Fix
Fix WhatsApp QR login failures caused by restricted networks, proxies without WebSocket support, or running the login on the wrong machine.
WhatsApp: 401 'No cookie auth credentials found' / bot replies fail
Fix
Fix WhatsApp failures caused by missing/expired WhatsApp Web credentials by re-linking the account and ensuring the gateway owns the session files.

Need live assistance?

Ask in the community forum or Discord support channels.

Get Support