Environment variables
OpenClaw pulls environment variables from multiple sources. The rule is never override existing values.Precedence (highest → lowest)
- Process environment (what the Gateway process already has from the parent shell/daemon).
.envin the current working directory (dotenv default; does not override).- Global
.envat~/.openclaw/.env(aka$OPENCLAW_STATE_DIR/.env; does not override). - Config
envblock in~/.openclaw/openclaw.json(applied only if missing). - Optional login-shell import (
env.shellEnv.enabledorOPENCLAW_LOAD_SHELL_ENV=1), applied only for missing expected keys.
Config env block
Two equivalent ways to set inline env vars (both are non-overriding): Shell env import
env.shellEnv runs your login shell and imports only missing expected keys: OPENCLAW_LOAD_SHELL_ENV=1OPENCLAW_SHELL_ENV_TIMEOUT_MS=15000
Runtime-injected env vars
OpenClaw also injects context markers into spawned child processes:OPENCLAW_SHELL=exec: set for commands run through theexectool.OPENCLAW_SHELL=acp: set for ACP runtime backend process spawns (for exampleacpx).OPENCLAW_SHELL=acp-client: set foropenclaw acp clientwhen it spawns the ACP bridge process.OPENCLAW_SHELL=tui-local: set for local TUI!shell commands.
UI env vars
OPENCLAW_THEME=light: force the light TUI palette when your terminal has a light background.OPENCLAW_THEME=dark: force the dark TUI palette.COLORFGBG: if your terminal exports it, OpenClaw uses the background color hint to auto-pick the TUI palette.
Env var substitution in config
You can reference env vars directly in config string values using${VAR_NAME} syntax: Secret refs vs ${ENV} strings
OpenClaw supports two env-driven patterns: ${VAR}string substitution in config values.- SecretRef objects (
{ source: "env", provider: "default", id: "VAR" }) for fields that support secrets references.
Path-related env vars
| Variable | Purpose |
|---|---|
OPENCLAW_HOME | Override the home directory used for all internal path resolution (~/.openclaw/, agent dirs, sessions, credentials). Useful when running OpenClaw as a dedicated service user. |
OPENCLAW_STATE_DIR | Override the state directory (default ~/.openclaw). |
OPENCLAW_CONFIG_PATH | Override the config file path (default ~/.openclaw/openclaw.json). |
Logging
| Variable | Purpose |
|---|---|
OPENCLAW_LOG_LEVEL | Override log level for both file and console (e.g. debug, trace). Takes precedence over logging.level and logging.consoleLevel in config. Invalid values are ignored with a warning. |
OPENCLAW_HOME
When set, OPENCLAW_HOME replaces the system home directory ($HOME / os.homedir()) for all internal path resolution. This enables full filesystem isolation for headless service accounts. Precedence: OPENCLAW_HOME > $HOME > USERPROFILE > os.homedir() Example (macOS LaunchDaemon): OPENCLAW_HOME can also be set to a tilde path (e.g. ~/svc), which gets expanded using $HOME before use. nvm users: web_fetch TLS failures
If Node.js was installed via nvm (not the system package manager), the built-infetch() uses nvm’s bundled CA store, which may be missing modern root CAs (ISRG Root X1/X2 for Let’s Encrypt, DigiCert Global Root G2, etc.). This causes web_fetch to fail with "fetch failed" on most HTTPS sites. On Linux, OpenClaw automatically detects nvm and applies the fix in the actual startup environment: openclaw gateway installwritesNODE_EXTRA_CA_CERTSinto the systemd service environment- the
openclawCLI entrypoint re-execs itself withNODE_EXTRA_CA_CERTSset before Node startup
node ... launches): Export the variable before starting OpenClaw: ~/.openclaw/.env for this variable; Node reads NODE_EXTRA_CA_CERTS at process startup.