.env.example to .env.local (development) or .env (production) and customize as needed.
Authentication
Admin username seeded on first run (only if no users exist in the database).
Admin password for the initial user.
Base64-encoded admin password. Overrides AUTH_PASS if set. Generate with:
API key for headless/external access. Send via x-api-key header for programmatic access. Generate a secure random key:
Secret for legacy cookie authentication (backward compatibility).
Session & Cookie Security
Enable secure cookies (HTTPS-only). Defaults to true in production unless overridden.
SameSite cookie attribute. Valid values: strict, lax, none.
Network Access Control
Mission Control implements host-based access control to prevent unauthorized access.
Bypass host restrictions and allow any host to access the application.
Comma-separated list of allowed hostnames or patterns. Supported patterns:
- Exact hosts: app.example.com
- Subdomains: *.example.com (matches a.example.com but not bare example.com)
- Prefix wildcard: 100.* (useful for Tailscale IPs like 100.64.0.1)
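The three pattern kinds above, as an added JavaScript sketch (not Mission Control's own code): the function names, port stripping and case folding are assumptions, and the prefix wildcard is deliberately limited to IPv4 literals, which is stricter than the page states.

```javascript
// Added example: allow-list matching for the three documented pattern kinds.
// Names and normalization rules are assumptions of this sketch.
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Constructed sample allow-list in the documented comma-separated form.
const ALLOWED = "app.example.com, *.example.com, 100.*";

// Reduce a Host header value to a bare lowercase hostname (no port, no trailing dot).
function normalizeHost(hostHeader) {
  let host = String(hostHeader || "").trim().toLowerCase();
  if (host.startsWith("[")) {
    // Bracketed IPv6 literal such as "[::1]:3000"
    const end = host.indexOf("]");
    return end === -1 ? "" : host.slice(1, end);
  }
  // More than one colon without brackets is not a valid host[:port] value.
  if (host.indexOf(":") !== host.lastIndexOf(":")) return "";
  const colon = host.indexOf(":");
  if (colon !== -1) host = host.slice(0, colon);
  return host.replace(/\.$/, "");
}

function hostMatches(pattern, host) {
  const p = pattern.trim().toLowerCase();
  if (p === "" || host === "") return false;
  if (p.startsWith("*.")) {
    // Subdomain wildcard: requires at least one label before the suffix, so
    // "*.example.com" rejects bare "example.com" and "evil-example.com".
    const suffix = p.slice(1); // ".example.com"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  if (p.endsWith(".*")) {
    // Prefix wildcard: accepted only for IPv4 literals in this sketch, so a
    // DNS name that merely begins with "100." does not satisfy "100.*".
    return IPV4.test(host) && host.startsWith(p.slice(0, -1));
  }
  return host === p; // exact host
}

// True when the request's Host header matches any entry in the allow-list.
function isHostAllowed(hostHeader, allowList) {
  const host = normalizeHost(hostHeader);
  return allowList.split(",").some((p) => hostMatches(p, host));
}
```

Comparing against the normalized hostname rather than the raw header keeps a port suffix or mixed case from changing the decision.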
Google OAuth Integration
Server-side Google OAuth client ID for Sign-In approval workflow. Create in Google Cloud Console as a Web application and configure authorized origins/redirect URIs.
Client-side Google OAuth client ID (exposed to browser).
OpenClaw Gateway
Path to .openclaw home directory. Required for memory browser, gateway config, and logs. Example: /home/user/.openclaw
Explicitly point to openclaw.json instead of deriving from OPENCLAW_HOME.
Gateway host for server-side connections.
Gateway port for server-side connections.
Authentication token for server-side gateway calls (optional).
Frontend Gateway Configuration
These variables are prefixed with NEXT_PUBLIC_ and are exposed to the browser.
Gateway hostname for browser WebSocket connections.
Gateway port for browser WebSocket connections.
WebSocket protocol: ws or wss. Defaults based on page protocol.
Complete gateway WebSocket URL. Overrides individual host/port/protocol settings.
Client-side gateway authentication token (if required by gateway).
Coordinator Identity
Server-side coordinator agent identifier for chat status replies.
Client-side coordinator agent identifier for UI.
Gateway Defaults
Default gateway name used for /api/gateways seeding if database is empty.
Data Paths
All paths default to .data/ in the project root if not specified.
Root directory for all Mission Control data files.
SQLite database file path.
Token storage file path.
OpenClaw Paths
These paths are derived from OPENCLAW_HOME if not explicitly set.
Directory containing OpenClaw logs. Default: {OPENCLAW_HOME}/logs
Directory containing agent memory files.
OpenClaw does NOT store agent memory markdown files under OPENCLAW_HOME/memory/ by default. Agent memory lives in each agent’s workspace (e.g., ~/clawd-agents/{agent}/memory/). Point this at your agents root to make the Memory Browser useful:
Directory containing soul templates. Default: {OPENCLAW_HOME}/templates/souls
OpenClaw CLI binary name or path.
1Password Integration
Vault name for 1Password CLI pulls (used by Integrations panel).
Super Admin / Provisioning
These variables are only required if using super-admin provisioning helpers.
Path to the Mission Control repository root.
Path to template openclaw.json used to seed new tenant state (required for tenant bootstrap).
Base path for provisioned Linux user homes.
Workspace directory name under each tenant user home.
Data Retention
All retention periods are in days. Set to 0 to keep data forever.
Activity log retention period.
Audit log retention period.
Application log retention period.
Notification retention period.
Pipeline run history retention period.
Token usage statistics retention period.
Server Configuration
HTTP server port. Example:
Bind address for the HTTP server. Set in Dockerfile for containerized deployments.
Node.js environment. Set to production for production deployments.