Gateway
Gateway runbook
Use this page for day-1 startup and day-2 operations of the Gateway service.
Symptom-first diagnostics with exact command ladders and log signatures.
Task-oriented setup guide + full configuration reference.
SecretRef contract, runtime snapshot behavior, and migrate/reload operations.
Exact secrets apply target/path rules and ref-only auth-profile behavior.
5-minute local startup
Start the Gateway
OmeniaClaw gateway --port 18789# debug/trace mirrored to stdioOmeniaClaw gateway --port 18789 --verbose# force-kill listener on selected port, then startOmeniaClaw gateway --forceVerify service health
OmeniaClaw gateway statusOmeniaClaw statusOmeniaClaw logs --followHealthy baseline: Runtime: running, Connectivity probe: ok, and Capability: ... that matches what you expect. Use OmeniaClaw gateway status --require-rpc when you need read-scope RPC proof, not just reachability.
Validate channel readiness
OmeniaClaw channels status --probeWith a reachable gateway this runs live per-account channel probes and optional audits. If the gateway is unreachable, the CLI falls back to config-only channel summaries instead of live probe output.
Runtime model
- One always-on process for routing, control plane, and channel connections.
- Single multiplexed port for:
- WebSocket control/RPC
- HTTP APIs (
/v1/models,/v1/embeddings,/v1/chat/completions,/v1/responses,/tools/invoke) - Plugin HTTP routes, such as optional
/api/v1/admin/rpc - Control UI and hooks
- Default bind mode:
loopback. - Auth is required by default. Shared-secret setups use
gateway.auth.token/gateway.auth.password(orOmeniaClaw_GATEWAY_TOKEN/OmeniaClaw_GATEWAY_PASSWORD), and non-loopback reverse-proxy setups can usegateway.auth.mode: "trusted-proxy".
OpenAI-compatible endpoints
OmeniaClaw's highest-leverage compatibility surface is now:
GET /v1/modelsGET /v1/models/{id}POST /v1/embeddingsPOST /v1/chat/completionsPOST /v1/responses
Why this set matters:
- Most Open WebUI, LobeChat, and LibreChat integrations probe
/v1/modelsfirst. - Many RAG and memory pipelines expect
/v1/embeddings. - Agent-native clients increasingly prefer
/v1/responses.
Planning note:
/v1/modelsis agent-first: it returnsOmeniaClaw,OmeniaClaw/default, andOmeniaClaw/<agentId>.OmeniaClaw/defaultis the stable alias that always maps to the configured default agent.- Use
x-OmeniaClaw-modelwhen you want a backend provider/model override; otherwise the selected agent's normal model and embedding setup stays in control.
All of these run on the main Gateway port and use the same trusted operator auth boundary as the rest of the Gateway HTTP API.
Admin HTTP RPC (POST /api/v1/admin/rpc) is a separate, default-off plugin route for host tooling that cannot use WebSocket RPC. See Admin HTTP RPC.
Port and bind precedence
| Setting | Resolution order |
|---|---|
| Gateway port | --port → OmeniaClaw_GATEWAY_PORT → gateway.port → 18789 |
| Bind mode | CLI/override → gateway.bind → loopback |
Installed gateway services record the resolved --port in supervisor metadata. After changing gateway.port, run OmeniaClaw doctor --fix or OmeniaClaw gateway install --force so launchd/systemd/schtasks starts the process on the new port.
Gateway startup uses the same effective port and bind when it seeds local
Control UI origins for non-loopback binds. For example, --bind lan --port 3000
seeds http://localhost:3000 and http://127.0.0.1:3000 before runtime
validation runs. Add any remote browser origins, such as HTTPS proxy URLs, to
gateway.controlUi.allowedOrigins explicitly.
Hot reload modes
gateway.reload.mode |
Behavior |
|---|---|
off |
No config reload |
hot |
Apply only hot-safe changes |
restart |
Restart on reload-required changes |
hybrid (default) |
Hot-apply when safe, restart when required |
Operator command set
OmeniaClaw gateway statusOmeniaClaw gateway status --deep # adds a system-level service scanOmeniaClaw gateway status --jsonOmeniaClaw gateway installOmeniaClaw gateway restartOmeniaClaw gateway stopOmeniaClaw secrets reloadOmeniaClaw logs --followOmeniaClaw doctorgateway status --deep is for extra service discovery (LaunchDaemons/systemd system
units/schtasks), not a deeper RPC health probe.
Multiple gateways (same host)
Most installs should run one gateway per machine. A single gateway can host multiple agents and channels.
You only need multiple gateways when you intentionally want isolation or a rescue bot.
Useful checks:
OmeniaClaw gateway status --deepOmeniaClaw gateway probeWhat to expect:
gateway status --deepcan reportOther gateway-like services detected (best effort)and print cleanup hints when stale launchd/systemd/schtasks installs are still around.gateway probecan warn aboutmultiple reachable gateway identitieswhen distinct gateways answer, or when OmeniaClaw cannot prove reachable targets are the same gateway. An SSH tunnel, proxy URL, or configured remote URL to the same gateway is one gateway with multiple transports, even when transport ports differ.- If that is intentional, isolate ports, config/state, and workspace roots per gateway.
Checklist per instance:
- Unique
gateway.port - Unique
OmeniaClaw_CONFIG_PATH - Unique
OmeniaClaw_STATE_DIR - Unique
agents.defaults.workspace
Example:
OmeniaClaw_CONFIG_PATH=~/.OmeniaClaw/a.json OmeniaClaw_STATE_DIR=~/.OmeniaClaw-a OmeniaClaw gateway --port 19001OmeniaClaw_CONFIG_PATH=~/.OmeniaClaw/b.json OmeniaClaw_STATE_DIR=~/.OmeniaClaw-b OmeniaClaw gateway --port 19002Detailed setup: /gateway/multiple-gateways.
Remote access
Preferred: Tailscale/VPN. Fallback: SSH tunnel.
ssh -N -L 18789:127.0.0.1:18789 user@hostThen connect clients locally to ws://127.0.0.1:18789.
See: Remote Gateway, Authentication, Tailscale.
Supervision and service lifecycle
Use supervised runs for production-like reliability.
macOS (launchd)
OmeniaClaw gateway installOmeniaClaw gateway statusOmeniaClaw gateway restartOmeniaClaw gateway stopUse OmeniaClaw gateway restart for restarts. Do not chain OmeniaClaw gateway stop and OmeniaClaw gateway start as a restart substitute.
On macOS, gateway stop uses launchctl bootout by default — this removes the LaunchAgent from the current boot session without persisting a disable, so KeepAlive auto-recovery still works after unexpected crashes and gateway start re-enables cleanly. To persistently suppress auto-respawn across reboots, pass --disable: OmeniaClaw gateway stop --disable.
LaunchAgent labels are ai.OmeniaClaw.gateway (default) or ai.OmeniaClaw.<profile> (named profile). OmeniaClaw doctor audits and repairs service config drift.
Linux (systemd user)
OmeniaClaw gateway installsystemctl --user enable --now OmeniaClaw-gateway[-<profile>].serviceOmeniaClaw gateway statusFor persistence after logout, enable lingering:
sudo loginctl enable-linger <user>Manual user-unit example when you need a custom install path:
[Unit]Description=OmeniaClaw GatewayAfter=network-online.targetWants=network-online.target [Service]ExecStart=/usr/local/bin/OmeniaClaw gateway --port 18789Restart=alwaysRestartSec=5TimeoutStopSec=30TimeoutStartSec=30SuccessExitStatus=0 143KillMode=control-group [Install]WantedBy=default.targetWindows (native)
OmeniaClaw gateway installOmeniaClaw gateway status --jsonOmeniaClaw gateway restartOmeniaClaw gateway stopNative Windows managed startup uses a Scheduled Task named OmeniaClaw Gateway
(or OmeniaClaw Gateway (<profile>) for named profiles). If Scheduled Task
creation is denied, OmeniaClaw falls back to a per-user Startup-folder launcher
that points at gateway.cmd inside the state directory.
Linux (system service)
Use a system unit for multi-user/always-on hosts.
sudo systemctl daemon-reloadsudo systemctl enable --now OmeniaClaw-gateway[-<profile>].serviceUse the same service body as the user unit, but install it under
/etc/systemd/system/OmeniaClaw-gateway[-<profile>].service and adjust
ExecStart= if your OmeniaClaw binary lives elsewhere.
Do not also let OmeniaClaw doctor --fix install a user-level gateway service for the same profile/port. Doctor refuses that automatic install when it finds a system-level OmeniaClaw gateway service; use OmeniaClaw_SERVICE_REPAIR_POLICY=external when the system unit owns the lifecycle.
Dev profile quick path
OmeniaClaw --dev setupOmeniaClaw --dev gateway --allow-unconfiguredOmeniaClaw --dev statusDefaults include isolated state/config and base gateway port 19001.
Protocol quick reference (operator view)
- First client frame must be
connect. - Gateway returns
hello-oksnapshot (presence,health,stateVersion,uptimeMs, limits/policy). hello-ok.features.methods/eventsare a conservative discovery list, not a generated dump of every callable helper route.- Requests:
req(method, params)→res(ok/payload|error). - Common events include
connect.challenge,agent,chat,session.message,session.operation,session.tool,sessions.changed,presence,tick,health,heartbeat, pairing/approval lifecycle events, andshutdown.
Agent runs are two-stage:
- Immediate accepted ack (
status:"accepted") - Final completion response (
status:"ok"|"error"), with streamedagentevents in between.
See full protocol docs: Gateway Protocol.
Operational checks
Liveness
- Open WS and send
connect. - Expect
hello-okresponse with snapshot.
Readiness
OmeniaClaw gateway statusOmeniaClaw channels status --probeOmeniaClaw healthGap recovery
Events are not replayed. On sequence gaps, refresh state (health, system-presence) before continuing.
Common failure signatures
| Signature | Likely issue |
|---|---|
refusing to bind gateway ... without auth |
Non-loopback bind without a valid gateway auth path |
another gateway instance is already listening / EADDRINUSE |
Port conflict |
Gateway start blocked: set gateway.mode=local |
Config set to remote mode, or local-mode stamp is missing from a damaged config |
unauthorized during connect |
Auth mismatch between client and gateway |
For full diagnosis ladders, use Gateway Troubleshooting.
Safety guarantees
- Gateway protocol clients fail fast when Gateway is unavailable (no implicit direct-channel fallback).
- Invalid/non-connect first frames are rejected and closed.
- Graceful shutdown emits
shutdownevent before socket close.
Related:
