nyrn
/
openclaw
mirror of https://github.com/openclaw/openclaw.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
openclaw/docs/gateway/tools-invoke-http-api.md

5.2 KiB
Raw Blame History

summary read_when title
Invoke a single tool directly via the Gateway HTTP endpoint
Calling tools without running a full agent turn
Building automations that need tool policy enforcement
Tools Invoke API

Tools Invoke (HTTP)

OpenClaws Gateway exposes a simple HTTP endpoint for invoking a single tool directly. It is always enabled and uses Gateway auth plus tool policy, but unlike the OpenAI-compatible /v1/* surface, shared-secret bearer auth is not enough to use it.

  • POST /tools/invoke
  • Same port as the Gateway (WS + HTTP multiplex): http://<gateway-host>:<port>/tools/invoke

Default max payload size is 2 MB.

Authentication

Uses the Gateway auth configuration. Send a bearer token:

  • Authorization: Bearer <token>

Notes:

  • When gateway.auth.mode="token", use gateway.auth.token (or OPENCLAW_GATEWAY_TOKEN).
  • When gateway.auth.mode="password", use gateway.auth.password (or OPENCLAW_GATEWAY_PASSWORD).
  • If gateway.auth.rateLimit is configured and too many auth failures occur, the endpoint returns 429 with Retry-After.
  • Shared-secret bearer auth (gateway.auth.mode="token" or "password") is rejected here with 403.
  • To use /tools/invoke, the request must come from an HTTP mode that carries a trusted operator identity and declared scopes (for example trusted proxy auth or gateway.auth.mode="none" on a private ingress).

Request body

{
  "tool": "sessions_list",
  "action": "json",
  "args": {},
  "sessionKey": "main",
  "dryRun": false
}

Fields:

  • tool (string, required): tool name to invoke.
  • action (string, optional): mapped into args if the tool schema supports action and the args payload omitted it.
  • args (object, optional): tool-specific arguments.
  • sessionKey (string, optional): target session key. If omitted or "main", the Gateway uses the configured main session key (honors session.mainKey and default agent, or global in global scope).
  • dryRun (boolean, optional): reserved for future use; currently ignored.

Policy + routing behavior

Tool availability is filtered through the same policy chain used by Gateway agents:

  • tools.profile / tools.byProvider.profile
  • tools.allow / tools.byProvider.allow
  • agents.<id>.tools.allow / agents.<id>.tools.byProvider.allow
  • group policies (if the session key maps to a group or channel)
  • subagent policy (when invoking with a subagent session key)

If a tool is not allowed by policy, the endpoint returns 404.

Important boundary notes:

  • POST /tools/invoke is intentionally stricter than /v1/chat/completions and /v1/responses: shared-secret bearer auth does not unlock direct tool invocation over HTTP.
  • Exec approvals are operator guardrails, not a separate authorization boundary for this HTTP endpoint. If a tool is reachable here via Gateway auth + tool policy, /tools/invoke does not add an extra per-call approval prompt.
  • Do not share Gateway bearer credentials with untrusted callers. If you need separation across trust boundaries, run separate gateways (and ideally separate OS users/hosts).

Gateway HTTP also applies a hard deny list by default (even if session policy allows the tool):

  • exec — direct command execution (RCE surface)
  • spawn — arbitrary child process creation (RCE surface)
  • shell — shell command execution (RCE surface)
  • fs_write — arbitrary file mutation on the host
  • fs_delete — arbitrary file deletion on the host
  • fs_move — arbitrary file move/rename on the host
  • apply_patch — patch application can rewrite arbitrary files
  • sessions_spawn — session orchestration; spawning agents remotely is RCE
  • sessions_send — cross-session message injection
  • cron — persistent automation control plane
  • gateway — gateway control plane; prevents reconfiguration via HTTP
  • nodes — node command relay can reach system.run on paired hosts
  • whatsapp_login — interactive setup requiring terminal QR scan; hangs on HTTP

You can customize this deny list via gateway.tools:

{
  gateway: {
    tools: {
      // Additional tools to block over HTTP /tools/invoke
      deny: ["browser"],
      // Remove tools from the default deny list
      allow: ["gateway"],
    },
  },
}

To help group policies resolve context, you can optionally set:

  • x-openclaw-message-channel: <channel> (example: slack, telegram)
  • x-openclaw-account-id: <accountId> (when multiple accounts exist)

Responses

  • 200{ ok: true, result }
  • 400{ ok: false, error: { type, message } } (invalid request or tool input error)
  • 401 → unauthorized
  • 429 → auth rate-limited (Retry-After set)
  • 404 → tool not available (not found or not allowlisted)
  • 405 → method not allowed
  • 500{ ok: false, error: { type, message } } (unexpected tool execution error; sanitized message)

Example

curl -sS http://127.0.0.1:18789/tools/invoke \
  -H 'Content-Type: application/json' \
  -H 'x-openclaw-scopes: operator.write' \
  -d '{
    "tool": "sessions_list",
    "action": "json",
    "args": {}
  }'

Use this example only on a private ingress with a trusted identity-bearing HTTP mode (for example trusted proxy auth or gateway.auth.mode="none"). Shared-secret bearer auth does not work on /tools/invoke.