Docs / Integrations / OpenClaw
OpenClaw compatibility path
Use OpenClaw compatibility endpoints for existing runtimes. For new runtime families, use the unified /adapters/http/* contract.
Start trial first
Primary flow: Start Self-Serve Trial to provision tenant + token instantly.
Then follow gated secure launch runbook for rollout and hardening.
Keep OpenClaw endpoints for compatibility:
/openclaw/register and /openclaw/intent.Where to hook the intent check
Insert the Gvner call at the tool-call boundary, before any side effect.
Include tool name and requested scopes in every request.
Persist
audit_id in your runtime logs for evidence correlation.Key endpoints
POST /openclaw/register — register OpenClaw runtime identityPOST /openclaw/intent — evaluate each OpenClaw tool intentGET /runtime/adapters/contracts — contract checks (openclaw + temporal + http_webhook)GET /evidence/packet — export evidence for audits/incidentsPayload mapping
# register
{
"tenant_id": "acme",
"runtime_id": "openclaw-01",
"description": "OpenClaw runtime"
}
# intent
{
"tenant_id": "acme",
"agent_id": "openclaw-01",
"intent": "update_customer",
"requested_scopes": ["update_customers"],
"tool": "crm",
"context": {"source": "openclaw"},
"requested_budget": 1.0,
"work_type": "execution"
}
Sample wrapper code
decision = post("/openclaw/intent", payload, headers={"X-Tenant-Token": token})
if decision["decision"] != "ALLOWED":
# fail closed
return {"status": "blocked", "reason": decision["reason"], "audit_id": decision["audit_id"]}
# execute tool only after explicit ALLOWED
result = run_openclaw_tool(tool_name, tool_args)
Fail-closed requirement
Required: if Gvner is unreachable, response is invalid, or decision is
DENIED, do not execute the tool call.