Skip to main content

Agents API

Create, manage, and interact with agents.
All agent endpoints that require authentication are scoped to the authenticated user’s data through row-level security. You can only access agents that belong to your account.

List agents

Returns all agents owned by the authenticated user. When no session is present, returns an empty list instead of a 401 error.

Response (backend)

The backend returns a flat array of agent objects:

Response (web proxy)

The web proxy wraps the response in an object:
The backend and web proxy return different response shapes. The backend returns a flat array with created, subdomain, and url fields. The web proxy wraps the data in an agents key and includes name, model, websocketUrl, createdAt, and updatedAt fields.

Create agent

Creates a new agent with an auto-generated ID and stores its metadata on disk. Requires bearer token authentication (backend).

Request body

Response (201 Created)

Errors

For provisioning an agent with messaging channel tokens and a live Render service deployment, use POST /api/agents/provision or POST /api/provision instead.

Get agent

Requires authentication and ownership of the agent.

Response (backend)

The backend returns the agent object directly without a wrapper:

Response (web proxy)

The web proxy wraps the agent in an object:
The backend returns the agent object directly. The web proxy wraps it in an agent key and adds a top-level status field.

Errors

Update agent

Updates an agent’s metadata including plan, AI provider, and configuration. Requires bearer token authentication (backend).

Request body

Response

Errors

To update agent configuration through the web proxy with session authentication, use PUT /api/agents/:id/config instead.

Delete agent

Destroys the agent’s Render service and removes its metadata. Requires bearer token authentication (backend).

Response

Errors

The backend uses best-effort cleanup (service destruction and metadata removal). If the agent does not exist, the operation succeeds silently and returns deleted: true.

Provision agent

Provisions a new agent. Requires an active subscription unless the caller is an admin.
Provisioning requests may be processed asynchronously through the background task queue. The agent is created immediately with a provisioning status and transitions to running once the backend deployment endpoint confirms the deployment. If deployment fails, the status changes to error.
The provisioning endpoint calls POST /api/deployments on the backend to deploy the agent as a Render service. The request includes a 15-second timeout. When the model is set to claude-opus-4-6, the AI provider is automatically set to anthropic; otherwise it falls back to the provider specified in the agent configuration (default: openrouter). The plan sent to the backend defaults to label when no tier is specified.

Request body

The web proxy enforces agent limits based on the subscription tier (starter: 1, pro: 3, enterprise: 100). The backend provisioning route (POST /api/provision) enforces its own limits (solo: 1, collective: 3, label: 10, network: practically unlimited). Plan resource allocations: solo → 2 GB RAM / 1 CPU, collective → 4 GB RAM / 2 CPUs, label → 8 GB RAM / 4 CPUs, network → 16 GB RAM / 4 CPUs. The limit cannot be overridden in the request body.

Admin bypass

Admin users (configured via ADMIN_EMAILS) are exempt from the following restrictions:
  • Subscription requirement — admins can provision agents without an active subscription (the 402 error is not returned).
  • Agent limit — admins receive an elevated agent slot limit instead of the plan-based cap.

Response (201 Created)

Errors

Clone agent

Creates a new agent by cloning an existing parent agent. Requires a verified payment proof on the Tempo chain (x402 protocol). The caller must pay 1.0 pathUSD to clone an agent.
This endpoint uses the x402 Tempo protocol for payment verification. The payment must be completed on the Tempo chain (chain ID 4217) before calling this endpoint.

Request body

Payment proof object

Response (200)

Errors

Clone service health

Returns the clone service status and protocol configuration. No authentication required.

List provisioned agents

Requires session authentication.

Response

Errors

Get agent configuration

Returns the current configuration for an agent. Requires authentication and ownership.

Response

Errors

Update agent configuration

Updates the configuration for an agent. Requires authentication and ownership. The request body is forwarded to the backend.

Response

Errors

Get agent logs

Returns logs for an agent. Requires authentication and ownership.
This endpoint currently returns mock data. Log entries are generated placeholders, not real agent logs. For real-time logs, use the live log stream endpoint instead.

Query parameters

Response

Errors

Stream agent logs

The live log streaming endpoints (/api/logs/:agentId/stream, /api/logs/:agentId/history, POST /api/logs/:agentId/stop, and GET /api/logs/active) are planned for a future release. See the live log tail page for the intended specification.

Get agent messages

Returns paginated messages for an agent. Requires authentication and ownership.

Query parameters

Response

This endpoint currently returns mock data. Message entries are generated placeholders. A future release will connect this endpoint to the backend message store.

Errors

Get agent stats

Returns live service metrics when available, with a mock fallback.

Response (live)

Response (mock fallback)

When the backend is unavailable, mock data is returned with "status": "mock":

Agent lifecycle

Lifecycle operations are available at two endpoint patterns depending on which service you call:
  • Web proxy: /api/instance/:userId/{action} — requires session authentication and proxies to the backend.
  • Backend direct: /api/agents/:id/{action} — requires API key authentication.
Both patterns support the same actions. The examples below use the backend pattern.
All lifecycle operations require the Render API to be available. When the Render API is unreachable, these endpoints return 500 with an error message describing the failure. You can check availability using the backend health endpoint — when the docker field is unavailable, lifecycle operations will fail. The API itself continues to serve non-lifecycle endpoints normally.

Start agent

Resumes a suspended agent service on Render.

Stop agent

Suspends the agent’s Render service. The service retains its data and can be resumed later.

Restart agent

Update agent image

Triggers an image update on the backend. Before replacing the service, the endpoint creates a backup of the agent’s data. If the new image fails to start, the endpoint automatically rolls back to the previous image.

Request body

Response

When the new service fails to start, the endpoint reverts to previousImage. The caller still receives a 500 error, but the agent is restored to its prior working state. The pre-update backup remains available at backupPath for manual recovery if needed.

Errors

Repair agent

Returns the backend response directly.

Reset agent memory

Returns the backend response directly.

Lifecycle error responses

Backend lifecycle endpoints return the following shape on failure:
Web proxy lifecycle endpoints return a different error shape:

Get instance details

Returns the current status and metadata for an agent instance.

Response

Get instance stats

Returns resource usage statistics for an agent instance.

Response

Get agent gateway token

Returns the gateway token for the agent. If no token exists, a new cryptographically random token is generated using 32 bytes of entropy (returned as a 64-character hex string). Tokens generated by the service entrypoint (when the OPENCLAW_GATEWAY_TOKEN environment variable is not set) use 16 bytes (32 hex characters).

Errors

Agent verification

Agents can be verified using multiple verification types: eas (Ethereum Attestation Service), coinbase, ens, or webauthn.

Get verification status

The backend GET endpoint uses /api/agents/:id/verification while POST and DELETE use /api/agents/:id/verify. The web API proxies all three methods through /api/agents/:id/verify.

Verify agent

Request body

Requires Content-Type: application/json header.
The web API always sets verified: true on success. When calling the backend directly, you can pass verified, verifierAddress, and metadata explicitly.

Response

Errors

Remove verification

Provision with channel tokens

Provisions a new agent with messaging channel tokens. Requires bearer token (API key) authentication. When a session is active, the user’s email is automatically resolved from it. At least one channel token is required.
This endpoint is subject to the general rate limit of 120 requests per minute per IP.
The request is proxied to the backend provisioning service. When MUX_TOKEN_ID and MUX_TOKEN_SECRET are configured, the backend creates a real Mux live stream via the Mux API with public playback policy. When Mux credentials are not configured, placeholder streaming credentials are returned instead.

Request body

When a session is active, the server resolves the user email from the session via getServerSession. If the email field is also present in the request body, the request body value takes precedence. The resolved email is sent to the backend provisioning service in the X-User-Email header.
The following request fields are deprecated and no longer accepted: whatsappPhoneNumberId, whatsappBusinessAccountId, discordGuildId, discordChannelId.

Response

The proxy returns a filtered subset of the backend response:
The /api/provision proxy returns only success, userId, subdomain, url, streamKey, and liveStreamId. The full response shape from the backend provisioning service is shown below.

Full backend response

When calling the backend provisioning service directly, the response includes additional fields.
Channel tokens (telegramToken, discordBotToken, whatsappToken) are no longer included in the provision response. Tokens are write-only secrets — they are stored server-side but never returned to the caller.
The container object is included when the backend successfully creates a service for the agent. If service creation fails (for example, when the Render API is unavailable), provisioning still succeeds and the container field is omitted. The agent can operate using API-side processing until the service becomes available. You can check Render API availability using the backend health endpoint.

Errors

AI provider defaults

Each aiProvider value maps to a default model and base URL. There are two model configurations: the container config (used by the agent’s internal gateway) and the provision response metadata (aiProviderConfig field). These may differ.

Container config models

These models are configured inside the agent service at provisioning time and are used by the gateway’s model fallback chain:

Provision response metadata models

The aiProviderConfig object returned in the provision response uses different default models: Each provider includes a fallback model in the service config that is used automatically when the primary model is unavailable or returns an error.
minimax is available as a fallback in the provider configuration map but is not currently accepted as a value for the aiProvider request parameter. Passing minimax as aiProvider returns a 400 validation error. This provider may be enabled in a future release.

Channel configuration

When an agent is provisioned, its channel configuration is generated based on the tokens provided. All channels share a set of defaults and each channel type has specific settings.

Channel defaults

Telegram channel settings

Discord channel settings

WhatsApp channel settings

Group chat mention patterns

All channels that support group chat use the following default mention patterns: @agent and agent. The agent only responds in group conversations when one of these patterns is detected in the message.

Tool profiles

Each agent is assigned a tool profile at provisioning time based on its plan tier. The tool profile determines which built-in tools the agent can use.
The tool profile is set once at service creation and persists for the lifetime of the agent. Upgrading your plan does not automatically change the tool profile of existing agents — you need to reprovision the agent or use the repair endpoint to apply the new profile.
All tool profiles deny browser and canvas tools inside agent services. The coding profile includes shell commands (ls, cat, grep, curl, git, node, python3, and others) while the messaging profile restricts the agent to chat-oriented capabilities.

Deploy agent (backend)

This is a backend-only endpoint. It deploys an agent as a Render web service and requires a Content-Type: application/json header. Requires bearer token authentication. Rate limited to 5 requests per minute per IP.

Request body

Response (201 Created)

Response (200 Already Active)

If the agent service is already running, returns the existing deployment details with the same shape as the 201 response.

Errors

OpenClaw version (backend)

Returns the current OpenClaw runtime version. Requires bearer token authentication.

Response

List instances (backend)

Returns all running agent services. Requires bearer token authentication.

Response

Errors

Get instance service stats (backend)

Returns resource usage for a specific agent service. Requires bearer token authentication.

Path parameters

Response

Agent interaction

Unified endpoint for interacting with agents. All requests require session authentication. The userId is always bound to the authenticated session and cannot be overridden by the client.

GET actions

Pass the action query parameter to select the operation.

List endpoints

Returns available endpoints and version information when no action is specified.

Health

List sessions

Get session

Returns the full session including messages.

Memory

Returns the last 10 messages from the active session (truncated to 100 characters each).

Skills

Returns skills available on the agent instance.

Credentials

Returns which credentials are configured for the agent.

POST actions

Pass the action field in the request body.

Chat

Create session

Update skill

Set credential

Errors

Send message

Requires session authentication.

Request body

Response

Errors

List messages

Returns the message history. Requires session authentication.

Response

Errors