docs/cli/configure.md
openclaw configureInteractive prompts for targeted changes to an existing setup: credentials, devices, agent defaults, gateway, channels, plugins, skills, and health checks.
Use openclaw onboard or openclaw setup for the full guided first-run journey, openclaw setup --baseline for the baseline config/workspace only, and openclaw channels add when you only need channel account setup.
--section <section>: repeatable section filter. Available sections:
workspace, model, web, gateway, daemon, channels, plugins, skills, health
openclaw configure
openclaw configure --section web
openclaw configure --section model --section channels
openclaw configure --section gateway --section daemon
Selecting gateway, daemon, or health (or running the full wizard with no --section) prompts where the Gateway runs and updates gateway.mode. Section filters that skip all three go straight to the requested setup with no gateway-mode prompt. Picking remote gateway mode writes the remote config and exits immediately; it does not run local-only steps like plugin installs.
Re-running provider auth from configure preserves an existing agents.defaults.model.primary, even when the provider's auth step returns a config patch with its own recommended default model. Adding or reauthing a provider makes its models available without taking over your current primary model. Use openclaw models auth login --provider <id> --set-default or openclaw models set <model> to intentionally change the default model.
</Note>
When configure starts from a provider auth choice, the default-model and allowlist pickers prefer that provider automatically. For paired providers such as Volcengine and BytePlus, the same preference also matches their coding-plan variants (volcengine-plan/*, byteplus-plan/*). If the preferred-provider filter would produce an empty list, configure falls back to the unfiltered catalog instead of showing a blank picker.
openclaw configure --section web picks a web-search provider and configures its credentials. Some providers show provider-specific follow-ups:
x_search setup with the same xAI OAuth profile or API key, and let you pick an x_search model.api.moonshot.ai vs api.moonshot.cn) and the default Kimi web-search model.gateway.auth.token is SecretRef-managed, configure validates the SecretRef but does not persist resolved plaintext token values into supervisor service environment metadata; if the SecretRef is unresolved, configure blocks daemon install with actionable remediation guidance.gateway.auth.token and gateway.auth.password are configured and gateway.auth.mode is unset, configure blocks daemon install until you set the mode explicitly.