Gateway
The v1 gateway routes incoming requests to registered plugins. It supports three payment methods — Stripe (existing), MPP (Machine Payments Protocol) via the Tempo blockchain, and session-based billing for low-latency, off-chain per-call payments.Base URL
Request
Headers
Body
Additional body fields are forwarded to the target plugin.
Plugins
The gateway routes to the following plugins:generate-text is the default plugin when no plugin ID is specified.Authentication
Protected plugins require either a valid session (cookie-based via NextAuth), a verified MPP payment credential, or an active payment session. If you pay with MPP or use session-based billing, cookie-based authentication is not required.Payment flow
The gateway supports three payment methods per request:- Stripe — Default. Requires an active subscription or credits. See Stripe integration.
- MPP — Crypto-native payments on the Tempo blockchain. See MPP payments.
- Session — Off-chain, per-call billing using a pre-funded payment session. See MPP payments — sessions and the wallet sessions API.
X-Payment-Methodheader (session,mpp, orstripe)- Presence of an
Authorization: Paymentheader (impliesmpp) - Default:
stripe
MPP 402 challenge
When an MPP request has no valid credential, the gateway returns402 Payment Required with pricing information for both payment methods:
WWW-Authenticate header is also set:
Session-based billing
WhenX-Payment-Method is session, the gateway auto-debits the caller’s payment session using an off-chain voucher. This avoids the 402 challenge/response round-trip and settles each call in sub-100ms.
To use session-based billing:
- Open a payment session via
POST /api/wallet/sessions. See wallet sessions. - Include
X-Session-IdandX-Wallet-Addressheaders on every gateway request. - The gateway looks up the session, verifies the balance covers the plugin price, and debits the session automatically.
- The response includes a
Payment-Receiptheader with the voucher reference and anX-Session-Remainingheader with the updated balance.
402 with a descriptive error. See error responses for the full list of session-related error codes.
Response
Success (200)
Payment-Receipt header and the payment.receipt field contains the transaction hash. When paid via a session, the payment.receipt field contains the voucher reference (formatted as session:<sessionId>:<nonce>).
Response headers
Error responses
Per-agent gateway authentication
Each agent container receives a unique gateway auth token at provisioning time. The internal gateway authenticates requests using token-based auth on port18789.
The container entrypoint writes its own minimal configuration to
$HOME/.openclaw/openclaw.json using a slightly different schema (auth.method at the top level instead of gateway.auth.mode). The provisioning config written by the backend uses the gateway.auth.mode path. When the entrypoint runs, it overwrites the provisioning config with its own minimal skeleton. To preserve the full provisioning config, pass the gateway token via the OPENCLAW_GATEWAY_TOKEN environment variable so the entrypoint uses the same token.Agent container configuration
When an agent is provisioned, the backend generates an OpenClaw configuration with the following parameters. These values are set automatically and cannot be overridden by the caller.Container environment variables
The following environment variables are set on every agent container at launch:Gateway settings
Tool settings
Session settings
Agent defaults
Health monitoring
The gateway monitors channel health for each agent container. When a channel becomes unresponsive, the gateway can automatically restart it.CORS
The gateway supports CORS preflight viaOPTIONS /api/v1/gateway. Allowed methods are POST and OPTIONS. The Authorization, Content-Type, X-Plugin-Id, X-Payment-Method, X-Session-Id, and X-Wallet-Address headers are permitted.