--- summary: "Invoke a single tool directly via the Gateway HTTP endpoint" read_when: - Calling tools without running a full agent turn - Building automations that need tool policy enforcement title: "Tools Invoke API" --- # Tools Invoke (HTTP) OpenClaw’s Gateway exposes a simple HTTP endpoint for invoking a single tool directly. It is always enabled and uses Gateway auth plus tool policy, but unlike the OpenAI-compatible `/v1/*` surface, shared-secret bearer auth is not enough to use it. - `POST /tools/invoke` - Same port as the Gateway (WS + HTTP multiplex): `http://:/tools/invoke` Default max payload size is 2 MB. ## Authentication Uses the Gateway auth configuration. Send a bearer token: - `Authorization: Bearer ` Notes: - When `gateway.auth.mode="token"`, use `gateway.auth.token` (or `OPENCLAW_GATEWAY_TOKEN`). - When `gateway.auth.mode="password"`, use `gateway.auth.password` (or `OPENCLAW_GATEWAY_PASSWORD`). - If `gateway.auth.rateLimit` is configured and too many auth failures occur, the endpoint returns `429` with `Retry-After`. - Shared-secret bearer auth (`gateway.auth.mode="token"` or `"password"`) is rejected here with `403`. - To use `/tools/invoke`, the request must come from an HTTP mode that carries a trusted operator identity and declared scopes (for example trusted proxy auth or `gateway.auth.mode="none"` on a private ingress). ## Request body ```json { "tool": "sessions_list", "action": "json", "args": {}, "sessionKey": "main", "dryRun": false } ``` Fields: - `tool` (string, required): tool name to invoke. - `action` (string, optional): mapped into args if the tool schema supports `action` and the args payload omitted it. - `args` (object, optional): tool-specific arguments. - `sessionKey` (string, optional): target session key. If omitted or `"main"`, the Gateway uses the configured main session key (honors `session.mainKey` and default agent, or `global` in global scope). - `dryRun` (boolean, optional): reserved for future use; currently ignored. ## Policy + routing behavior Tool availability is filtered through the same policy chain used by Gateway agents: - `tools.profile` / `tools.byProvider.profile` - `tools.allow` / `tools.byProvider.allow` - `agents..tools.allow` / `agents..tools.byProvider.allow` - group policies (if the session key maps to a group or channel) - subagent policy (when invoking with a subagent session key) If a tool is not allowed by policy, the endpoint returns **404**. Important boundary notes: - `POST /tools/invoke` is intentionally stricter than `/v1/chat/completions` and `/v1/responses`: shared-secret bearer auth does not unlock direct tool invocation over HTTP. - Exec approvals are operator guardrails, not a separate authorization boundary for this HTTP endpoint. If a tool is reachable here via Gateway auth + tool policy, `/tools/invoke` does not add an extra per-call approval prompt. - Do not share Gateway bearer credentials with untrusted callers. If you need separation across trust boundaries, run separate gateways (and ideally separate OS users/hosts). Gateway HTTP also applies a hard deny list by default (even if session policy allows the tool): - `exec` — direct command execution (RCE surface) - `spawn` — arbitrary child process creation (RCE surface) - `shell` — shell command execution (RCE surface) - `fs_write` — arbitrary file mutation on the host - `fs_delete` — arbitrary file deletion on the host - `fs_move` — arbitrary file move/rename on the host - `apply_patch` — patch application can rewrite arbitrary files - `sessions_spawn` — session orchestration; spawning agents remotely is RCE - `sessions_send` — cross-session message injection - `cron` — persistent automation control plane - `gateway` — gateway control plane; prevents reconfiguration via HTTP - `nodes` — node command relay can reach system.run on paired hosts - `whatsapp_login` — interactive setup requiring terminal QR scan; hangs on HTTP You can customize this deny list via `gateway.tools`: ```json5 { gateway: { tools: { // Additional tools to block over HTTP /tools/invoke deny: ["browser"], // Remove tools from the default deny list allow: ["gateway"], }, }, } ``` To help group policies resolve context, you can optionally set: - `x-openclaw-message-channel: ` (example: `slack`, `telegram`) - `x-openclaw-account-id: ` (when multiple accounts exist) ## Responses - `200` → `{ ok: true, result }` - `400` → `{ ok: false, error: { type, message } }` (invalid request or tool input error) - `401` → unauthorized - `429` → auth rate-limited (`Retry-After` set) - `404` → tool not available (not found or not allowlisted) - `405` → method not allowed - `500` → `{ ok: false, error: { type, message } }` (unexpected tool execution error; sanitized message) ## Example ```bash curl -sS http://127.0.0.1:18789/tools/invoke \ -H 'Content-Type: application/json' \ -H 'x-openclaw-scopes: operator.write' \ -d '{ "tool": "sessions_list", "action": "json", "args": {} }' ``` Use this example only on a private ingress with a trusted identity-bearing HTTP mode (for example trusted proxy auth or `gateway.auth.mode="none"`). Shared-secret bearer auth does not work on `/tools/invoke`.