← Back to Docs

OpenClaw Gateway Setup

Connect your OpenClaw gateway to NervePay for multi-agent orchestration, sub-agent spawning, and autonomous workflows.

What is OpenClaw?

OpenClaw is a multi-agent orchestration platform that runs AI agents on your infrastructure. By connecting an OpenClaw gateway to NervePay, you can spawn sub-agents, assign tasks, and monitor progress from the NervePay Mission Control dashboard.

Sub-Agent Spawning

Launch AI agents on your gateway directly from the dashboard

Task Orchestration

Break down PRDs into tasks, assign agents, track progress

Secure Pairing

WebSocket-based pairing with encrypted token storage

OpenClaw Skills

NervePay publishes three skills for OpenClaw agents. Install the one that fits your use case.

nervepay

Full CLI — gateway pairing, identity setup, vault, and more

npm
npx nervepay pair --code YOUR_CODE

Or install globally: npm install -g nervepay

OpenClaw Plugin

Install as an OpenClaw plugin for automatic gateway integration

Plugin
openclaw plugins install nervepay

Then run: openclaw nervepay setup

Standalone Scripts

Zero-dependency scripts for agents without npm access

curl
curl -sO https://nervepay.xyz/nervepay-gateway-pair.mjs
curl -sO https://nervepay.xyz/nervepay-request.mjs

Prerequisites

Before connecting to NervePay, you need an OpenClaw gateway running on your machine or server.

bash
# Install OpenClaw CLI (if not already installed)
curl -fsSL https://get.openclaw.ai | sh
# Start your OpenClaw gateway
openclaw gateway start
# Verify it's running (default port 18789)
openclaw gateway status
See the OpenClaw Getting Started guide for detailed installation instructions.

Option 0: Quick Pair with Code (Recommended)

Easiest

Generate a 6-character pairing code in the dashboard, then run one command on your gateway machine. No WebSocket ports needed — the gateway calls the NervePay API directly.

bash
# 1. Open NervePay Dashboard > Integrations > Connect Gateway > "Pair" tab
# 2. A 6-character pairing code is generated automatically (e.g. ABC123)
# 3. Copy the code
# 4. On your gateway machine, run:
npx nervepay pair --code ABC123
# That's it! The command reads your gateway token from
# ~/.openclaw/openclaw.json automatically.
# Or tell your OpenClaw agent:
# "Pair with NervePay using code ABC123"
# The dashboard auto-detects completion and the gateway appears in your list.

Why this is the easiest method

  • No inbound ports or WebSocket access required
  • Works behind firewalls, NAT, and Tailscale
  • One curl + one command — done in 30 seconds
  • Code expires after 15 minutes for security

Option 1: Auto Pair

WebSocket RPC

Auto Pair connects to your gateway via WebSocket, requests pairing, and automatically receives an auth token once you approve. No manual token copy-pasting needed.

bash
# 1. Open NervePay Dashboard > Integrations > Connect Gateway > "Auto Pair" tab
# 2. Enter your gateway URL (e.g. http://localhost:18789)
# 3. Click "Start Pairing"
# NervePay connects to your gateway via WebSocket and requests pairing.
# You'll see a request ID and the approval command in the dashboard.
# 4. On your gateway machine, approve the request:
openclaw devices approve <requestId>
# The dashboard auto-detects approval and the gateway appears in your list.

How Auto Pair works under the hood

bash
# What happens during Auto Pair (WebSocket RPC):
#
# 1. NervePay opens WebSocket to ws://your-gateway:18789
# 2. Gateway sends connect.challenge with nonce
# 3. NervePay generates an Ed25519 device keypair, signs the nonce
# 4. NervePay sends connect request as operator:
# role: "operator"
# scopes: ["operator.read", "operator.write"]
# device: { id, publicKey, signature, signedAt, nonce }
# 5. NervePay sends node.pair.request with display name
# 6. Gateway creates a pending pairing request
# 7. You approve: openclaw devices approve <requestId>
# 8. Gateway issues auth token to NervePay
# 9. NervePay encrypts and stores the token (AES-256-GCM)
# 10. Gateway appears in your dashboard - ready to use
#
# NervePay connects as "operator" (not "node") because it is a cloud
# orchestration service — it issues commands via HTTP /tools/invoke,
# not a companion device providing hardware capabilities.

Option 2: Manual Setup

If Auto Pair doesn't work (e.g. WebSocket port blocked), you can enter your gateway details manually.

bash
# If you prefer manual setup, you can enter details directly.
# 1. Find your gateway token:
cat ~/.openclaw/openclaw.json
# Look for the "auth" or "token" field
# 2. In NervePay Dashboard > Integrations > Connect Gateway > "Enter Details" tab:
# - Gateway Name: e.g. "My Dev Machine"
# - Gateway URL: e.g. http://localhost:18789
# - Gateway Token: (paste from openclaw.json)
# 3. Click "Connect Gateway"

Gateway Behind Tailscale

If your OpenClaw gateway runs on a machine protected by Tailscale, you need to expose it so the NervePay backend can reach it. The NervePay backend runs remotely and is not on your tailnet, so private Tailscale IPs won't work. Use Tailscale Funnel to securely expose your gateway to the internet over HTTPS.

Why Funnel?

When you click "Start Pairing" in the dashboard, the NervePay backend server (not your browser) opens a WebSocket connection to your gateway. Since the backend is hosted externally, it cannot reach Tailscale IPs like 100.x.x.x. Funnel gives your gateway a public HTTPS URL that the NervePay backend can connect to, while Tailscale handles TLS termination and access control.

Step 1: Enable Funnel in your Tailscale ACL policy

Funnel requires an explicit ACL grant. Without it, tailscale funnel silently falls back to Serve (tailnet-only) and your gateway won't be reachable from the internet. You can tell by the output: if it says (tailnet only), Funnel is not enabled.

json
# ─── Step 1: Enable Funnel in your Tailscale ACL policy ─────────────
# Funnel requires an ACL grant. Without it, "tailscale funnel" silently
# falls back to Serve (tailnet-only) and your gateway won't be reachable
# from the internet.
#
# Go to: https://login.tailscale.com/admin/acls/file
#
# Add this to your ACL JSON (or merge with existing nodeAttrs):
{
"nodeAttrs": [
{
"target": ["autogroup:member"],
"attr": ["funnel"]
}
]
}
# This allows all members of your tailnet to use Funnel.
# You can also restrict to specific nodes:
# "target": ["tag:server"] or "target": ["user@example.com"]

Step 2: Expose your gateway with Funnel

bash
# ─── Step 2: Reset any existing serve config and enable Funnel ──────
# If you see "listener already exists for port 443", clear existing config:
tailscale serve reset
# Now enable Funnel for your OpenClaw gateway port:
tailscale funnel 18789
# Expected output:
# Available on the internet:
# https://my-machine.tail1234.ts.net/
# |-- / proxy http://127.0.0.1:18789
#
# ⚠️ If it says "(tailnet only)" instead of "Available on the internet",
# Funnel is NOT enabled — go back to Step 1 and check your ACL policy.
# Use this URL in the NervePay dashboard:
# Gateway URL: https://my-machine.tail1234.ts.net
# Tailscale terminates TLS — your gateway receives plain HTTP locally.

Verify Funnel is working

bash
# Verify Funnel is on (not just Serve):
tailscale funnel status
# ✅ Correct (Funnel working):
# https://my-machine.tail1234.ts.net/
# |-- / proxy http://127.0.0.1:18789
# (with NO "tailnet only" label)
# ❌ Wrong (Serve only, not Funnel):
# https://my-machine.tail1234.ts.net (tailnet only)
# |-- / proxy http://127.0.0.1:18789
# → Fix: enable Funnel in ACL policy (Step 1)
# Test from any machine NOT on your tailnet:
curl https://my-machine.tail1234.ts.net/health

Alternative: Public IP (no Funnel needed)

If your gateway machine already has a public IP address with port 18789 open (e.g. a cloud VPS), you can skip Tailscale entirely and use the IP directly.

bash
# ─── Alternative: Skip Tailscale if your gateway has a public IP ────
# If your gateway machine already has a public IP and port 18789 is open,
# you don't need Tailscale Funnel at all. Just use the public IP directly:
#
# Gateway URL: http://<your-public-ip>:18789
#
# Check if port 18789 is reachable:
curl http://<your-public-ip>:18789/health
#
# This works for both Auto Pair and Manual Setup.

Keep Funnel running after pairing

Pairing is a one-time step, but NervePay continues to communicate with your gateway for health checks, spawning sub-agents, and fetching agent logs. These are all HTTP requests to your gateway URL. If you turn Funnel off, the stored auth token remains valid but NervePay won't be able to reach your gateway — it will show as "unhealthy" and agent operations will fail. Keep Funnel running as long as you want NervePay to manage your gateway.

Self-hosted NervePay on the same tailnet?

If you self-host the NervePay backend on a machine that's on the same Tailscale network as your gateway, you can use Tailscale Serve instead of Funnel. Serve only exposes the port within your tailnet (not the public internet).

bash
# If you only need access from within your tailnet (not the internet),
# use Tailscale Serve instead of Funnel:
tailscale serve 18789
# This makes the gateway available at:
# https://my-machine.tail1234.ts.net/
# but only to devices on your tailnet.
#
# Use this if you're self-hosting the NervePay backend on the same
# tailnet as your gateway.

After Connecting

Once your gateway is connected, you can verify the connection and start using it.

Health Checks

NervePay periodically checks if your gateway is reachable. You can also trigger a manual health check.

bash
# From the NervePay dashboard:
# Integrations > OpenClaw > expand gateways > click refresh icon
# Or check directly from your terminal:
openclaw gateway status
# Expected output:
# Gateway running on :18789
# Nodes: 1 connected
# Uptime: 2h 15m

Spawning Sub-Agents

With a connected gateway, you can spawn AI agents to work on tasks.

bash
# After connecting a gateway, you can spawn sub-agents from Mission Control:
# Via Dashboard:
# Mission Control > Sub-Agents > "Spawn Agent"
# - Select gateway
# - Enter task description
# - Choose model (optional)
# - Click "Spawn"
# The agent runs on your OpenClaw gateway and reports back to NervePay.

Connection Methods

MethodHow it worksToken handlingBest for
Pairing Code6-char code + curl scriptAutomatic (encrypted)Most users (recommended)
Auto PairWebSocket RPC to gatewayAutomatic (encrypted)Most users
Enter DetailsManual URL + token inputCopy from config fileFirewalled environments
Incoming RequestsGateway initiates pairingGateway sends after approvalGateway-first workflows
Tailscale FunnelAuto Pair over Funnel HTTPS URLAutomatic (encrypted)Gateway on private network

Troubleshooting

bash
# Connection refused
# → Ensure your gateway is running: openclaw gateway start
# → Check the port: default is 18789
# → If behind a firewall, ensure the port is accessible
# Pairing timed out
# → You have 5 minutes to approve after starting pairing
# → Run: openclaw devices list (to see pending requests)
# → Run: openclaw devices approve <requestId>
# Gateway shows "unhealthy"
# → Click the refresh icon to re-check health
# → Verify the gateway process is still running
# → Check gateway logs: openclaw gateway logs
# Token expired / invalid
# → Disconnect and reconnect the gateway
# → Or use Auto Pair to get a fresh token automatically
# Tailscale: connection refused / timeout
# → Verify both machines are on the same tailnet: tailscale status
# → Test reachability: curl http://<tailscale-ip>:18789/health
# → If using Funnel, ensure it's still running: tailscale funnel status
# → Check that Tailscale ACLs allow traffic on port 18789

Next Steps