Connect OpenClaw to your BuildOS agent
BuildOS now supports an external agent call gateway for OpenClaw. Users generate a BuildOS Agent Key, OpenClaw dials that user's BuildOS agent, and BuildOS decides whether to accept the call and which tools the agent is allowed to use.
Current status: the OpenClaw integration is live as a scoped agent bridge. Read tools are included by default, and task write tools appear only when granted. The user-facing setup lives in Profile > Agent Keys.
What this integration actually does
This is not a generic chatbot-to-chatbot connection. OpenClaw is treated as an external caller. It receives a BuildOS-issued key, calls a specific user's BuildOS agent, and then works through a scoped tool contract.
BuildOS remains the system of record for projects, tasks, docs, and permissions.
OpenClaw never gets direct database access.
BuildOS authenticates the caller before any tool access is granted.
The accepted call session becomes the trust boundary for all tool execution.
BuildOS Agent Key
The BuildOS Agent Key is the secret users give to OpenClaw so it can identify itself as a trusted caller.
Each key belongs to one external agent installation. BuildOS stores only the hash, exposes the raw secret once, and lets the user rotate or revoke the key later.
How it works
The OpenClaw integration follows a simple call model: identify the caller, identify the user's BuildOS agent being called, accept or reject the call, then expose scoped tools.
Generate a BuildOS Agent Key
Go to Profile > Agent Keys in BuildOS. Create a caller for OpenClaw and optionally scope it to specific projects.
BuildOS shows the one-time bearer token, the BuildOS callee handle, and the caller key you will paste into OpenClaw.
Paste the values into OpenClaw
Store the BuildOS key inside your OpenClaw plugin or secret configuration, not in normal prompt text.
Use BUILDOS_BASE_URL, BUILDOS_AGENT_TOKEN, BUILDOS_CALLEE_HANDLE, and BUILDOS_CALLER_KEY.
OpenClaw dials your BuildOS agent
OpenClaw calls the BuildOS gateway with bearer auth and asks to dial your user-scoped BuildOS agent.
BuildOS checks who is calling, which user's agent is being called, and what scope is allowed before accepting the session.
Use the BuildOS gateway progressively
After the call is accepted, OpenClaw lists the scoped BuildOS tools it can use and calls direct tools by name.
OpenClaw receives support tools like skill_load, tool_search, and tool_schema, plus direct tools such as list_onto_projects, list_onto_tasks, create_onto_task, or update_onto_task when the key grants them.
The call model
If you think about this like a phone call, the abstraction is: caller identity first, tool access second.
User BuildOS Agent
Each user has an internal BuildOS agent identity. This is the callee OpenClaw is trying to reach.
BuildOS Agent Key
Each external agent installation gets its own BuildOS-issued bearer token. BuildOS stores only the hash.
Call Session
OpenClaw does not impersonate the browser session. It creates a separate authenticated call session.
Scoped Tool Access
BuildOS can accept, reject, or constrain the call. Tools are exposed only after that decision.
What OpenClaw can access today
The current bridge exposes a small, explicit BuildOS tool surface. These tools are only available after the call is accepted.
Load a BuildOS skill playbook when the workflow is multi-step, stateful, or easy to get wrong.
Discover candidate BuildOS tools when the exact direct tool is not already clear.
Inspect the exact arguments for one canonical BuildOS op before calling the returned direct tool.
Execute scoped BuildOS actions directly, such as list_onto_projects, list_onto_tasks, create_onto_task, or update_onto_task.
What you paste into OpenClaw
BuildOS generates the values. OpenClaw stores them as plugin config or secrets and uses them when dialing the BuildOS gateway.
Env snippet
BuildOS gives you these values from the Agent Keys screen.
BUILDOS_BASE_URL=https://build-os.com
BUILDOS_AGENT_TOKEN=boca_your_one_time_secret
BUILDOS_CALLEE_HANDLE=buildos:user:YOUR_USER_ID
BUILDOS_CALLER_KEY=openclaw:workspace:your-workspace
Gateway request flow
OpenClaw first dials the BuildOS agent, then lists and calls tools.
POST /api/agent-call/buildos
Authorization: Bearer <BUILDOS_AGENT_TOKEN>
Content-Type: application/json
{
  "method": "call.dial",
  "params": {
    "callee_handle": "buildos:user:YOUR_USER_ID",
    "requested_scope": {
      "mode": "read_only"
    },
    "client": {
      "provider": "openclaw",
      "caller_key": "openclaw:workspace:your-workspace"
    }
  }
}
// then:
// 1. tools/list
// 2. tools/call name=list_onto_projects arguments={}
// 3. tools/call name=tool_schema arguments={ "op": "onto.task.update", "include_schema": true }
// 4. tools/call name=update_onto_task arguments={ "task_id": "...", "state_key": "done" }
// 5. call.hangup
Current boundaries
The current integration is intentionally narrow. That is by design.
OpenClaw gets a BuildOS-issued key, not the user's browser session.
Calls are user-scoped. A caller cannot dial another user's BuildOS agent.
Project scoping is enforced before tools run.
Read access is included by default; task create/update tools appear only when the key grants read-write access.
Keys can be rotated or revoked from Profile > Agent Keys.
Task write tools are opt-in per key. Broader write surfaces, approvals, and long-running delegated runs are still outside this bridge while the trust boundary matures.
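The boundaries listed above, modelled as an added Python sketch (not BuildOS code) of a gateway that stores only a token hash, rejects cross-user dials, constrains the requested scope, and gates tools per session. Assumptions: SHA-256 as the hash, the "read_write" mode name, the record layout, and every function name here are hypothetical; the tool names and handle format are taken from this page.

```python
import hashlib
import hmac
import secrets

# Tool names come from the page; the read/write grouping is this sketch's.
READ_TOOLS = ["skill_load", "tool_search", "tool_schema",
              "list_onto_projects", "list_onto_tasks"]
WRITE_TOOLS = ["create_onto_task", "update_onto_task"]
KEYS = {}      # caller_key -> record; only the token hash is kept
SESSIONS = {}  # session id -> accepted call session (the trust boundary)

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_key(user_id, caller_key, mode="read_only", projects=None):
    """Create a key record and return the raw bearer token exactly once."""
    token = secrets.token_urlsafe(32)
    KEYS[caller_key] = {"hash": _digest(token), "user_id": user_id,
                        "mode": mode, "projects": projects, "revoked": False}
    return token

def dial(token, callee_handle, caller_key, requested_mode="read_only"):
    """Authenticate the caller, then accept (possibly constrained) or reject."""
    rec = KEYS.get(caller_key)
    if rec is None or rec["revoked"]:
        return None  # unknown or revoked caller
    if not hmac.compare_digest(rec["hash"], _digest(token)):
        return None  # wrong bearer token (constant-time comparison)
    if callee_handle != f"buildos:user:{rec['user_id']}":
        return None  # a caller cannot dial another user's agent
    # Constrain: never grant more than the key itself allows.
    wants_write = requested_mode == "read_write"
    mode = "read_write" if wants_write and rec["mode"] == "read_write" else "read_only"
    sid = secrets.token_hex(8)
    SESSIONS[sid] = {"mode": mode, "projects": rec["projects"]}
    return sid

def tools_list(sid):
    """Write tools appear only when the session was granted read-write."""
    session = SESSIONS[sid]
    return READ_TOOLS + (WRITE_TOOLS if session["mode"] == "read_write" else [])

def tools_call(sid, name, project_id=None):
    """Check session, tool scope and project scope before anything runs."""
    session = SESSIONS.get(sid)
    if session is None or name not in tools_list(sid):
        return "denied: tool not in scope"
    allowed = session["projects"]  # None means the key is not project-scoped
    if project_id is not None and allowed is not None and project_id not in allowed:
        return "denied: project not in scope"
    return f"ok: {name}"
```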
Ready to connect OpenClaw?
Start by generating a BuildOS Agent Key, then paste the emitted values into your OpenClaw plugin or secret configuration.
If you are already signed in, the setup UI is at /profile?tab=agent-keys.