Onboarding (macOS app)

Page order (current)

1. Welcome + security notice
2. Gateway selection (Local / Remote / Configure later)
3. Auth (Anthropic OAuth) — local only
4. Setup Wizard (Gateway‑driven)
5. Permissions (TCC prompts)
6. CLI (optional)
7. Onboarding chat (dedicated session)
8. Ready

1) Welcome + security notice

2) Local vs Remote

• Local (this Mac): onboarding can run OAuth flows and write credentials locally.
• Remote (over SSH/Tailnet): onboarding does not run OAuth locally; credentials must exist on the gateway host.
• Configure later: skip setup and leave the app unconfigured.

• The wizard now generates a token even for loopback, so local WS clients must authenticate.
• If you disable auth, any local process can connect; use that only on fully trusted machines.
• Use a token for multi‑machine access or non‑loopback binds.

3) Local-only auth (Anthropic OAuth)

• Opens the browser for OAuth (PKCE)
• Asks the user to paste the code#state value
• Writes credentials to ~/.openclaw/credentials/oauth.json

4) Setup Wizard (Gateway‑driven)

5) Permissions

• Notifications
• Accessibility
• Screen Recording
• Microphone / Speech Recognition
• Automation (AppleScript)

6) CLI (optional)

7) Onboarding chat (dedicated session)

Agent bootstrap ritual

• Seeds AGENTS.md, BOOTSTRAP.md, IDENTITY.md, USER.md
• Runs a short Q&A ritual (one question at a time)
• Writes identity + preferences to IDENTITY.md, USER.md, SOUL.md
• Removes BOOTSTRAP.md when finished so it only runs once

Optional: Gmail hooks (manual)

openclaw webhooks gmail setup --account you@gmail.com

Remote mode notes

• ~/.openclaw/credentials/oauth.json
• ~/.openclaw/agents/<agentId>/agent/auth-profiles.json