› OpenClaw Integration
Run OpenLeash next to OpenClaw as a sidecar. Every tool execution passes through OpenLeash for policy evaluation before reaching the external world.
Architecture
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ │ │ │ │ │
│ OpenClaw │────▶│ OpenLeash │────▶│ External │
│ (agent) │ │ (sidecar) │ │ Service │
│ │◀────│ │◀────│ │
└──────────────┘ └──────────────┘ └──────────────┘
│
│ policy files
│ audit log
│ proof tokens
▼
┌──────────┐
│ ./data/ │
│ │
└──────────┘
OpenClaw calls OpenLeash before executing any tool. OpenLeash evaluates policies, logs the decision, and optionally issues a PASETO proof token. The external service can verify the token independently.
Integration point
In your OpenClaw tool execution hook, call OpenLeash before running the tool:
openclaw-hook.ts
// Before executing a tool in OpenClaw
async function beforeToolExecution(tool: Tool, context: Context) {
const res = await fetch("http://127.0.0.1:8787/v1/authorize", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
agent_id: context.agentId,
action: tool.name,
resource: tool.target,
context: tool.params
})
});
const { decision, proof_token } = await res.json();
if (decision !== "ALLOW") {
throw new Error(`Action denied: ${decision}`);
}
// Attach proof token to outgoing request
return { ...context, proofToken: proof_token };
}
Setup
terminal
# Install OpenLeash and the TypeScript SDK
$ npm i -g openleash
$ npm install @openleash/sdk-ts
# Start OpenLeash sidecar
$ npx openleash start
✓ OpenLeash running on http://127.0.0.1:8787
# Non-interactive setup (generates owner, agent keypair, and policy)
$ npx openleash init --owner-name "Alice" --agent-id my-agent --output-env agent.env
# Or use the interactive wizard instead
$ npx openleash wizard
The init command writes all required environment variables
(OPENLEASH_URL, OPENLEASH_AGENT_ID,
OPENLEASH_AGENT_PRIVATE_KEY_B64, OWNER_PRINCIPAL_ID)
to the file specified by --output-env.
Source this file in your agent runtime.