Source-grounded rewrite of 529 published docs pages with per-unit information-loss verification: 1,713 factual corrections cited to src/**, generated surfaces regenerated, frontmatter titles preserved for i18n, release notes pages untouched. All docs gates green. Closes #100141
14 KiB
summary, read_when, title
| summary | read_when | title | ||
|---|---|---|---|---|
| CLI reference for `openclaw models` (status/list/set/scan, aliases, fallbacks, auth) |
|
Models |
openclaw models
Model discovery, scanning, and configuration (default model, fallbacks, auth profiles).
Related:
- Providers + models: Models
- Model selection concepts +
/modelsslash command: Models concept - Provider auth setup: Getting started
Common commands
openclaw models status
openclaw models list
openclaw models set <model-or-alias>
openclaw models set-image <model-or-alias>
openclaw models scan
status and auth subcommands accept --agent <id> to target a configured agent; list, scan, aliases, and fallbacks/image-fallbacks always use the configured default agent, and set/set-image reject --agent outright. When omitted, --agent-aware commands use OPENCLAW_AGENT_DIR if set, otherwise the configured default agent.
Status
openclaw models status shows the resolved default/fallbacks plus an auth overview. When provider usage snapshots are available, the OAuth/API-key status section includes provider usage windows and quota snapshots. Current usage-window providers: Anthropic, GitHub Copilot, Gemini CLI, OpenAI, MiniMax, Xiaomi, and z.ai. Usage auth comes from provider-specific hooks when available; otherwise OpenClaw falls back to matching OAuth/API-key credentials from auth profiles, env, or config.
In --json output, auth.providers is the env/config/store-aware provider overview, while auth.oauth is auth-store profile health only.
Options:
| Flag | Effect |
|---|---|
--json |
JSON output; auth-profile, provider, and startup diagnostics go to stderr so stdout stays pipeable into jq. |
--plain |
Plain text output. |
--check |
Exit non-zero if auth is expiring/expired: 1 = expired/missing, 2 = expiring. |
--probe |
Live probe of configured auth profiles. Real requests; may consume tokens and trigger rate limits. |
--probe-provider <name> |
Probe one provider only. |
--probe-profile <id> |
Probe specific auth profile ids (repeat or comma-separated). |
--probe-timeout <ms> |
Per-probe timeout. |
--probe-concurrency <n> |
Concurrent probes. |
--probe-max-tokens <n> |
Probe max tokens (best effort). |
--agent <id> |
Configured agent id; overrides OPENCLAW_AGENT_DIR. |
Probe rows can come from auth profiles, env credentials, or models.json. Probe status buckets: ok, auth, rate_limit, billing, timeout, format, unknown, no_model.
Probe detail/reason codes to expect when a probe never reaches a model call:
excluded_by_auth_order: a stored profile exists, but explicitauth.order.<provider>omitted it, so probe reports the exclusion instead of trying it.missing_credential,invalid_expires,expired,unresolved_ref: profile is present but not eligible or resolvable.ineligible_profile: profile is incompatible with provider config for another reason.no_model: provider auth exists, but OpenClaw could not resolve a probeable model candidate for that provider.
For OpenAI ChatGPT/Codex OAuth troubleshooting, openclaw models status, openclaw models auth list --provider openai, and openclaw config get agents.defaults.model --json are the quickest way to confirm whether an agent has a usable openai OAuth profile for openai/* through the native Codex runtime. See OpenAI provider setup.
List
openclaw models list is read-only: it reads config, auth profiles, existing catalog state, and provider-owned catalog rows, but never rewrites models.json.
Options: --all (full catalog), --local (filter to local models), --provider <id>, --json, --plain.
Notes:
- The
Authcolumn is provider-level and read-only. It is computed from local auth profile metadata, env markers, configured provider keys, local-provider markers, AWS Bedrock env/profile markers, and plugin synthetic-auth metadata; it does not load provider runtime, read keychain secrets, call provider APIs, or prove exact per-model execution readiness. models list --all --provider <id>can include provider-owned static catalog rows from plugin manifests or bundled provider catalog metadata even when you have not authenticated with that provider yet. Those rows still show as unavailable until matching auth is configured.models listkeeps the control plane responsive while provider catalog discovery is slow. The default and configured views fall back to configured or synthetic model rows after a short wait and let discovery finish in the background. Use--allwhen you need the exact full discovered catalog and are willing to wait for provider discovery.- Broad
models list --allmerges manifest catalog rows over registry rows without loading provider runtime supplement hooks. Provider-filtered manifest fast paths use only providers markedstatic; providers markedrefreshablestay registry/cache-backed and append manifest rows as supplements, while providers markedruntimestay on registry/runtime discovery. models listkeeps native model metadata and runtime caps distinct. In table output,CtxshowscontextTokens/contextWindowwhen an effective runtime cap differs from the native context window; JSON rows includecontextTokenswhen a provider exposes that cap.models list --provider <id>filters by provider id, such asmoonshotoropenai. It does not accept display labels from interactive provider pickers, such asMoonshot AI.- Model refs are parsed by splitting on the first
/. If the model ID includes/(OpenRouter-style), include the provider prefix (example:openrouter/moonshotai/kimi-k2). - If you omit the provider, OpenClaw resolves the input as an alias first, then as a unique configured-provider match for that exact model id, and only then falls back to the configured default provider with a deprecation warning. If that provider no longer exposes the configured default model, OpenClaw falls back to the first configured provider/model instead of surfacing a stale removed-provider default.
models statusmay showmarker(<value>)in auth output for non-secret placeholders (for exampleOPENAI_API_KEY,secretref-managed,minimax-oauth,oauth:chutes,ollama-local) instead of masking them as secrets.
Set default / image model
openclaw models set <model-or-alias>
openclaw models set-image <model-or-alias>
set writes agents.defaults.model.primary; set-image writes agents.defaults.imageModel.primary. Both accept provider/model or a configured alias. set also repairs Codex/Copilot runtime plugin installs when the newly selected model needs one; set-image does not. Neither command accepts --agent; they always write agent defaults.
Scan
models scan reads OpenRouter's public :free catalog and ranks candidates for fallback use. The catalog itself is public, so metadata-only scans do not need an OpenRouter key.
By default OpenClaw tries to probe tool and image support with live model calls. If no OpenRouter key is configured, the command falls back to metadata-only output and explains that :free models still require OPENROUTER_API_KEY for probes and inference.
Options:
--no-probe(metadata only; no config/secrets lookup)--min-params <b>--max-age-days <days>--provider <name>--max-candidates <n>--timeout <ms>(catalog request and per-probe timeout)--concurrency <n>--yes--no-input--set-default--set-image--json
--set-default and --set-image require live probes; metadata-only scan results are informational and are not applied to config.
Aliases
openclaw models aliases list [--json] [--plain]
openclaw models aliases add <alias> <model-or-alias>
openclaw models aliases remove <alias>
Aliases are stored per model entry as agents.defaults.models.<key>.alias. add resolves <model-or-alias> to a canonical provider/model key first, so aliasing an alias repoints it rather than chaining.
Fallbacks
openclaw models fallbacks list [--json] [--plain]
openclaw models fallbacks add <model-or-alias>
openclaw models fallbacks remove <model-or-alias>
openclaw models fallbacks clear
Manages agents.defaults.model.fallbacks. openclaw models image-fallbacks list|add|remove|clear manages the parallel agents.defaults.imageModel.fallbacks list with the same subcommand shape.
Auth profiles
openclaw models auth add
openclaw models auth list [--provider <id>] [--json]
openclaw models auth login --provider <id>
openclaw models auth login --provider openai --profile-id openai:work
openclaw models auth login-github-copilot
openclaw models auth paste-api-key --provider <id>
openclaw models auth setup-token --provider <id>
openclaw models auth paste-token --provider <id>
openclaw models auth order get --provider <id>
openclaw models auth order set --provider <id> <profileIds...>
openclaw models auth order clear --provider <id>
models auth add is the interactive auth helper. It can launch a provider auth flow (OAuth/API key) or guide you into manual token paste, depending on the provider you choose.
models auth list lists saved auth profiles for the selected agent without printing token, API-key, or OAuth secret material. Use --provider <id> to filter to one provider, such as openai, and --json for scripting.
models auth login runs a provider plugin's auth flow (OAuth/API key). Use openclaw plugins list to see which providers are installed. login accepts --profile-id <id> for providers that support named profiles during login (use this to keep multiple logins for the same provider separate), --method <id> to pick a specific auth method, --device-code as a shortcut for --method device-code, --set-default to apply the provider's recommended default model, and --force to remove existing profiles for that provider first (use when a cached OAuth profile is stuck or you want to switch accounts).
models auth login-github-copilot is a shortcut for models auth login --provider github-copilot --method device (GitHub device flow); it accepts --yes to overwrite an existing profile without prompting.
Use openclaw models auth --agent <id> <subcommand> to write auth results to a specific configured agent store. The parent --agent flag is honored by add, list, login, paste-api-key, setup-token, paste-token, login-github-copilot, and order get/set/clear.
For OpenAI models, --provider openai defaults to ChatGPT/Codex account login. Use --method api-key only when you want to add an OpenAI API-key profile, usually as a backup for Codex subscription limits. Run openclaw doctor --fix to migrate older legacy OpenAI Codex prefix auth/profile state to openai.
Examples:
openclaw models auth login --provider openai --set-default
openclaw models auth login --provider openai --method api-key
openclaw models auth paste-api-key --provider openai
openclaw models auth list --provider openai
Notes:
paste-api-keyaccepts API keys generated elsewhere, prompts for the key value, and writes it to the default profile id<provider>:manualunless you pass--profile-id. In automation, pipe the key on stdin, for exampleprintf "%s\n" "$OPENAI_API_KEY" | openclaw models auth paste-api-key --provider openai.setup-tokenandpaste-tokenremain generic token commands for providers that expose token auth methods.setup-tokenrequires an interactive TTY and runs the provider's token-auth method (defaulting to that provider'ssetup-tokenmethod when it exposes one).paste-tokenrequires--provider, prompts for the token value by default, and writes it to the default profile id<provider>:manualunless you pass--profile-id. In automation, pipe the token on stdin instead of passing it as an argument so provider credentials do not appear in shell history or process lists.paste-token --expires-in <duration>stores an absolute token expiry from a relative duration such as365dor12h.- For
openai, OpenAI API keys and ChatGPT/OAuth token material are different auth shapes. Usepaste-api-keyforsk-...OpenAI API keys andpaste-tokenonly for token auth material. - Anthropic:
setup-token/paste-tokenare supported OpenClaw auth paths foranthropic, but OpenClaw prefers reusing the Claude CLI (claude -p) on the host when it is available. auth order get/set/clearmanages a per-agent auth profile order override for one provider, stored inauth-state.json(separate from theauth.order.<provider>config key).settakes one or more profile ids in priority order;clearfalls back to config/round-robin ordering.