sigilum gateway commands manage the local Sigilum gateway process, which enforces request signing, authorization checks, and proxies requests to upstream providers.
gateway start
Start the Sigilum gateway service.Usage
Options
| Option | Default | Description |
|---|---|---|
--namespace <value> | Auto-detected | Target namespace |
--home <path> | ~/.sigilum-workspace | Gateway Sigilum home directory |
--api-url <url> | https://api.sigilum.id | Sigilum API base URL |
--addr <addr> | :38100 | Listen address |
-h, --help | - | Show help |
Namespace Resolution
The namespace is resolved in this order:--namespaceflagSIGILUM_NAMESPACEenvironment variableGATEWAY_SIGILUM_NAMESPACEenvironment variable~/.sigilum/config.envfile (SIGILUM_NAMESPACEorGATEWAY_SIGILUM_NAMESPACE)- Interactive prompt (if terminal is available)
Identity Auto-Bootstrap
On first start, the gateway automatically:- Creates a master key file at
<home>/gateway-master-key(mode0600) - Initializes Sigilum identity at
<home>/identities/<namespace>/identity.json - Registers the identity with the API
Examples
Start gateway with auto-detected namespace:Environment Variables
The command recognizes these environment variables:SIGILUM_NAMESPACE- Default namespaceGATEWAY_SIGILUM_NAMESPACE- Gateway-specific namespaceGATEWAY_SIGILUM_HOME- Gateway home directorySIGILUM_API_URL- API base URLSIGILUM_REGISTRY_URL- Alternative API URL variableGATEWAY_ADDR- Listen addressGATEWAY_MASTER_KEY- Pre-generated master key
Master Key
The gateway generates and stores a master encryption key at<home>/gateway-master-key on first start. This key encrypts sensitive data stored by the gateway.
To use a pre-generated master key:
gateway connect
One-command managed onboarding that ensures gateway health (auto-starts if needed) and starts the pairing bridge in daemon mode.Usage
Required Options
| Option | Description |
|---|---|
--session-id <id> | Dashboard pairing session ID |
--pair-code <code> | Dashboard pairing code |
--namespace <namespace> | Target namespace |
Optional Options
| Option | Default | Description |
|---|---|---|
--api-url <url> | https://api.sigilum.id | Sigilum API base URL |
--gateway-admin-url <url> | http://127.0.0.1:38100 | Local gateway admin URL |
--reconnect-ms <ms> | 2000 | WebSocket reconnect delay |
--connect-timeout-ms <ms> | 5000 | Connection timeout |
--gateway-start-timeout-seconds <n> | - | Wait for gateway health timeout |
--lifecycle-mode <mode> | auto | Daemon lifecycle: auto, stable, compat |
Examples
Connect gateway to managed dashboard:Lifecycle Modes
auto(default): Use systemd user service on Linux if available, otherwise fallback to compat modestable: Require systemd user service (Linux only)compat: Usenohuporsetsidfor background process
gateway pair
Start the local WebSocket bridge used by dashboard pairing mode. This command establishes a persistent connection between your local gateway and the dashboard.Usage
Required Options
| Option | Description |
|---|---|
--session-id <id> | Dashboard pairing session ID |
--pair-code <code> | Dashboard pairing code (6 characters) |
--namespace <namespace> | Target namespace |
Optional Options
| Option | Default | Description |
|---|---|---|
--api-url <url> | Auto-detected | Sigilum API base URL |
--gateway-admin-url <url> | http://127.0.0.1:38100 | Local gateway admin endpoint |
--reconnect-ms <ms> | 2000 | WebSocket reconnect delay |
--connect-timeout-ms <ms> | 5000 | HTTP/WebSocket timeout |
--heartbeat-ms <ms> | - | WebSocket heartbeat interval |
--relay-timeout-ms <ms> | - | Relay command timeout |
Daemon Options
| Option | Description |
|---|---|
--daemon | Run bridge in background |
--foreground | Force foreground mode (default) |
--lifecycle-mode <mode> | Lifecycle mode: auto, stable, compat |
--log-file <path> | Daemon log file |
--pid-file <path> | Daemon pid file |
--status | Print daemon status |
--stop | Stop daemon process |
Examples
Start pairing bridge in foreground:Systemd Integration (Linux)
On Linux systems with systemd user service support, the daemon mode automatically creates and manages a systemd unit at~/.config/systemd/user/sigilum-gateway-pair.service.
View systemd logs:
Pairing Workflow
- Start your gateway with
sigilum gateway start --namespace johndee - In the dashboard, click “Start Pairing” to generate a session ID and pair code
- Run the connect command shown in the dashboard
- The bridge establishes a WebSocket connection and relays dashboard commands to your local gateway
- Complete provider setup in the dashboard
- The bridge automatically exits when pairing is complete
Important Notes
- The
--api-urlmust point to the Sigilum API service, not the dashboard app- Managed default:
https://api.sigilum.id - Local OSS default:
http://127.0.0.1:8787
- Managed default:
- Local gateway admin must be running on
--gateway-admin-urlfor pairing relay to work - Namespace-owner JWT is not required for gateway pairing
- Pairing sessions expire after a period of inactivity
Environment Variables
All gateway commands recognize these environment variables:| Variable | Description |
|---|---|
SIGILUM_NAMESPACE | Default namespace |
GATEWAY_SIGILUM_NAMESPACE | Gateway-specific namespace |
GATEWAY_SIGILUM_HOME | Gateway home directory |
SIGILUM_API_URL | API base URL |
SIGILUM_REGISTRY_URL | Alternative API URL |
GATEWAY_ADDR | Gateway listen address |
GATEWAY_ADMIN_URL | Gateway admin endpoint URL |
GATEWAY_MASTER_KEY | Gateway master encryption key |
GATEWAY_DATA_DIR | Gateway data directory |
Troubleshooting
Gateway won’t start
Check if the port is already in use:Pairing fails to connect
Verify gateway is running:Session expired error
Pairing sessions expire after inactivity. Start a new pairing session in the dashboard and use the new session ID and pair code.Next Steps
OpenClaw Commands
Integrate with OpenClaw agents
Service Management
Add and configure services