openclaw/docs/cli/daemon.md

---
summary: "CLI reference for `openclaw daemon` (legacy alias for gateway service management)"
read_when:
  - You still use `openclaw daemon ...` in scripts
  - You need service lifecycle commands (install/start/stop/restart/status)
title: "daemon"
---

# `openclaw daemon`

Legacy alias for Gateway service management commands.

`openclaw daemon ...` maps to the same service control surface as `openclaw gateway ...` service commands.

## Usage

```bash
openclaw daemon status
openclaw daemon install
openclaw daemon start
openclaw daemon stop
openclaw daemon restart
openclaw daemon uninstall
```

## Subcommands

- `status`: show service install state and probe Gateway health
- `install`: install service (`launchd`/`systemd`/`schtasks`)
- `uninstall`: remove service
- `start`: start service
- `stop`: stop service
- `restart`: restart service

## Common options

- `status`: `--url`, `--token`, `--password`, `--timeout`, `--no-probe`, `--require-rpc`, `--deep`, `--json`
- `install`: `--port`, `--runtime <node|bun>`, `--token`, `--force`, `--json`
- lifecycle (`uninstall|start|stop|restart`): `--json`

Notes:

- `status` resolves configured auth SecretRefs for probe auth when possible.
- If a required auth SecretRef is unresolved in this command path, `daemon status --json` reports `rpc.authWarning` when probe connectivity/auth fails; pass `--token`/`--password` explicitly or resolve the secret source first.
- If the probe succeeds, unresolved auth-ref warnings are suppressed to avoid false positives.
- On Linux systemd installs, `status` token-drift checks include both `Environment=` and `EnvironmentFile=` unit sources.
- When token auth requires a token and `gateway.auth.token` is SecretRef-managed, `install` validates that the SecretRef is resolvable but does not persist the resolved token into service environment metadata.
- If token auth requires a token and the configured token SecretRef is unresolved, install fails closed.
- If both `gateway.auth.token` and `gateway.auth.password` are configured and `gateway.auth.mode` is unset, install is blocked until mode is set explicitly.

## Prefer

Use [`openclaw gateway`](/cli/gateway) for current docs and examples.
docs: align CLI docs and help surface 2026-02-22 20:04:08 +01:00			`---`
			summary: "CLI reference for `openclaw daemon` (legacy alias for gateway service management)"
			`read_when:`
			- You still use `openclaw daemon ...` in scripts
			`- You need service lifecycle commands (install/start/stop/restart/status)`
			`title: "daemon"`
			`---`

			# `openclaw daemon`

			`Legacy alias for Gateway service management commands.`

			`openclaw daemon ...` maps to the same service control surface as `openclaw gateway ...` service commands.

			`## Usage`

			```bash
			`openclaw daemon status`
			`openclaw daemon install`
			`openclaw daemon start`
			`openclaw daemon stop`
			`openclaw daemon restart`
			`openclaw daemon uninstall`
			```

			`## Subcommands`

			- `status`: show service install state and probe Gateway health
			- `install`: install service (`launchd`/`systemd`/`schtasks`)
			- `uninstall`: remove service
			- `start`: start service
			- `stop`: stop service
			- `restart`: restart service

			`## Common options`

secrets: harden read-only SecretRef command paths and diagnostics (#47794) * secrets: harden read-only SecretRef resolution for status and audit * CLI: add SecretRef degrade-safe regression coverage * Docs: align SecretRef status and daemon probe semantics * Security audit: close SecretRef review gaps * Security audit: preserve source auth SecretRef configuredness * changelog Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com> --------- Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com> 2026-03-15 21:55:24 -05:00			- `status`: `--url`, `--token`, `--password`, `--timeout`, `--no-probe`, `--require-rpc`, `--deep`, `--json`
docs: align CLI docs and help surface 2026-02-22 20:04:08 +01:00			- `install`: `--port`, `--runtime <node\|bun>`, `--token`, `--force`, `--json`
			- lifecycle (`uninstall\|start\|stop\|restart`): `--json`

Gateway: add SecretRef support for gateway.auth.token with auth-mode guardrails (#35094) 2026-03-05 12:53:56 -06:00			`Notes:`

			- `status` resolves configured auth SecretRefs for probe auth when possible.
secrets: harden read-only SecretRef command paths and diagnostics (#47794) * secrets: harden read-only SecretRef resolution for status and audit * CLI: add SecretRef degrade-safe regression coverage * Docs: align SecretRef status and daemon probe semantics * Security audit: close SecretRef review gaps * Security audit: preserve source auth SecretRef configuredness * changelog Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com> --------- Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com> 2026-03-15 21:55:24 -05:00			- If a required auth SecretRef is unresolved in this command path, `daemon status --json` reports `rpc.authWarning` when probe connectivity/auth fails; pass `--token`/`--password` explicitly or resolve the secret source first.
			`- If the probe succeeds, unresolved auth-ref warnings are suppressed to avoid false positives.`
gateway: harden shared auth resolution across systemd, discord, and node host 2026-03-07 18:28:32 -06:00			- On Linux systemd installs, `status` token-drift checks include both `Environment=` and `EnvironmentFile=` unit sources.
Gateway: add SecretRef support for gateway.auth.token with auth-mode guardrails (#35094) 2026-03-05 12:53:56 -06:00			- When token auth requires a token and `gateway.auth.token` is SecretRef-managed, `install` validates that the SecretRef is resolvable but does not persist the resolved token into service environment metadata.
			`- If token auth requires a token and the configured token SecretRef is unresolved, install fails closed.`
			- If both `gateway.auth.token` and `gateway.auth.password` are configured and `gateway.auth.mode` is unset, install is blocked until mode is set explicitly.

docs: align CLI docs and help surface 2026-02-22 20:04:08 +01:00			`## Prefer`

			Use [`openclaw gateway`](/cli/gateway) for current docs and examples.