OpenClaw Architecture
OpenClaw uses one persistent Gateway as its control plane.
The Gateway connects channels, agents, tools, sessions, model providers, and user interfaces. It receives messages, maps them to the right agent context, and coordinates the runtime services around that agent.
Verdent adds the delivery workflow around that architecture: requirements clarification up front, parallel implementation, isolated worktrees, and automated review once code is produced.
OpenClaw defines how agent sessions are routed and operated. Verdent helps teams turn those sessions into reviewed, production-ready changes.
High-Level Architecture Diagram
Discord / Telegram / Slack / WebChat
|
v
OpenClaw Gateway
/ | \
v v v
Agents Sessions Control UI
| |
v v
Models and tools Browser clientThe Gateway is the source of truth. It owns routing, channel connections, and the relationship between a message, a session, and an agent.
Read the diagram as a hub-and-spoke system. Channel adapters bring messages in from chat or web clients. The Gateway normalizes those events, selects the relevant session, and routes work to an agent. The agent then uses configured model providers and approved tools to complete the request.
This central design makes OpenClaw easier to inspect than a set of disconnected bots. It also means the Gateway becomes the operational boundary for uptime, credentials, session state, and permission control.
The Gateway: Entry Point for All Agent Traffic
Every message enters through the Gateway.
The Gateway identifies the sender, selects a session and agent, and sends the request to the configured model. It also manages connected channels and nodes, which reduces duplicated state across interfaces.
A typical request flow has five steps:
- A channel receives a message from a user or client.
- The Gateway maps the sender and channel to a session.
- The Gateway selects the configured agent for that context.
- The agent asks the model to respond or request a tool.
- The Gateway returns events and output to the connected interface.
Because the Gateway is long-lived, treat it more like a service than a one-off CLI process. Run it under a process manager, capture logs, document restart procedures, and keep credentials out of ad hoc shell history. If several people or automations depend on the same Gateway, define who can change agents, channels, and tool bindings before a production workflow depends on it.
Browser Relay: How Remote Clients Connect Without Port Forwarding
The browser interface connects to the running Gateway.
For local use, the default address is:
http://127.0.0.1:18789/That local address is useful for single-developer setups because the Web Control UI can reach the Gateway on the same machine. Remote access needs a safer path. Prefer Tailscale, an SSH tunnel, a VPN, or another private access layer that authenticates the user before traffic reaches the Gateway.
Do not publish the local port without authentication. A Gateway can expose agent controls, tool bindings, session state, and model access. If an attacker can reach the control surface, the risk is broader than a normal static web page.
The term "browser relay" is often used loosely. OpenClaw's official interface is the Web Control UI. Teams should document which URL is local-only, which route is remote-accessible, and who can administer the Gateway from that interface.
Session and State Management Internals
Sessions preserve conversation and routing state.
OpenClaw can isolate sessions by agent, workspace, or sender. This matters when one Gateway serves several users, channels, or repositories. A session should make it clear which user asked for work, which agent handled it, and which tools or workspace were available at the time.
Persistent files live under ~/.openclaw. Back up this directory before a migration because it can contain configuration and local state needed to restore a working setup.
For reliable operation, define a session lifecycle. Start a new session when the task, repository, or permission scope changes. Summarize old turns before the context becomes too long. Keep tool output small so the model receives relevant state instead of large logs. Archive or rotate stale sessions when they no longer support active work.
Long sessions still need human control. They are useful for continuity, but they can also carry outdated assumptions forward. Treat session state as working memory, not as a permanent approval record.
Because session boundaries can vary by agent and workspace, OpenClaw Model Integrations helps clarify how model choices affect routing, continuity, and tool access.
For source-level validation, Ppaolo is worth checking after you understand the OpenClaw Architecture workflow described here.
MCP Tool Layer: How OpenClaw Exposes Capabilities to Models
OpenClaw can connect agents to tools and MCP-compatible services.
The model decides when to request a tool. The runtime validates and executes that request. This separates model reasoning from tool execution: the model proposes an action, while the runtime enforces the available tool set and returns the result.
Tool access is a security boundary. Give each agent only the tools it needs. A documentation agent may need read-only repository access. A coding agent may need file editing, test execution, or issue-tracker access. A deployment-related tool should require tighter controls than a formatter or search tool.
Review tool bindings when agents, repositories, or users change. Remove unused tools, prefer narrow scopes, and avoid giving broad filesystem or credential access to a general-purpose agent.
For repository work, Verdent adds a stricter execution layer. Plans, parallel agents, isolated workspaces, and verification are part of the workflow. That layer helps separate agent capability from delivery control, so code changes can be reviewed and checked before they reach production.
This tool boundary is easier to place in context after What Is OpenClaw explains how the agent, browser relay, and runtime fit together.
When details such as limits or setup steps matter, the official documentation can help confirm the latest implementation surface.
openclaw.json Deep Dive: Config Schema Explained
The main configuration file is:
~/.openclaw/openclaw.jsonA small JSON5 example looks like this:
{
agents: {
defaults: {
model: {
primary: "provider/model-id"
}
}
},
gateway: {
mode: "local"
}
}The configuration connects model providers, agent defaults, Gateway behavior, channels, and tool access. In practice, it is the map between an incoming request and the runtime that handles it.
Use openclaw onboard for initial setup. Use openclaw config for supported changes. Keep a backup before editing configuration, especially when changing model IDs, channel credentials, tool bindings, or Gateway mode.
Do not paste unverified configuration blocks from old tutorials. The schema changes over time, and outdated examples can break startup or silently point an agent at the wrong provider or tool set.
> Production evidence > > The proof point is 76.1% on SWE-bench Verified. Verdent earns that result through a delivery system, not a single unreviewed model response. > > Parallel Power increases throughput, while Production-Ready Quality keeps the result out of Quality Roulette.
After confirming provider IDs and gateway mode, use OpenClaw on Windows to check how the same configuration behaves on a Windows workstation.
Before you budget a real project around OpenClaw Architecture, compare the claims here with Reddit.
Architecture Limits for Enterprise-Scale Projects
OpenClaw is flexible. It is still a self-hosted control plane.
Teams must design their own access policy, backups, observability, and change controls. Tool permissions also need regular review. The Gateway can coordinate channels and agents, but it does not automatically define how a company approves agent work, separates repositories, or proves that generated code is safe to merge.
Large software projects need more than message routing. They need task planning, dependency control, workspace isolation, and code verification.
That is where Verdent has a different role.
| Layer | OpenClaw | Verdent |
|---|---|---|
| Channel gateway | Core function | Not the focus |
| Persistent personal agent | Core function | Not the focus |
| Multi-agent coding workflow | Configurable | Core function |
| Isolated repository work | External design needed | Built into the workflow |
| Code verification | Tool-dependent | Workflow stage |
The biggest limit is not whether OpenClaw can connect another channel or model. It is whether the surrounding operating model can make agent work reviewable, reversible, and isolated from unrelated projects.
Enterprise teams should decide where approvals happen, how tool scopes are reviewed, how repository changes are separated, which logs are retained, and which checks must pass before agent output is trusted. Those decisions turn a working agent setup into a controlled engineering workflow.
Frequently Asked Questions
Does OpenClaw use WebSockets?
Yes. Gateway clients use WebSocket-based connections for control and events. That connection pattern lets the Gateway push updates back to clients while sessions, agents, and tools continue to run behind the control plane.
Where is OpenClaw state stored?
Local state and configuration are stored under ~/.openclaw. Back up that directory before moving machines, changing major configuration, or rebuilding a Gateway environment.
Is MCP required?
No. MCP is one way to expose tools. OpenClaw can connect agents to MCP-compatible services, but teams should still decide which tools each agent can use and what permissions those tools receive.
Can several agents share one Gateway?
Yes. OpenClaw supports multi-agent routing and isolated sessions. Shared Gateway setups need clear naming, session boundaries, and permission rules so one agent or channel does not inherit the wrong context.
Should I expose port 18789?
Not directly. Use authentication and a private access layer such as Tailscale, an SSH tunnel, or a VPN. Treat the Gateway interface as an operational control surface, not as a public web page.
Is openclaw.json strict JSON?
The configuration supports JSON5-style syntax. Follow the current schema, prefer supported configuration commands where possible, and avoid copying old examples without checking them against the installed version.
Pick the Layer, Not the Brand
Gateway architecture versus delivery orchestration is not a winner-takes-all decision. The real choice is which layer of the stack your team wants to own.
OpenClaw can provide the persistent Gateway, channel connections, sessions, and agent routing. Verdent keeps the delivery layer stable with planning, parallel execution, isolated workspaces, and verification while you choose the model or tool inside it.
Choose Your OpenClaw Architecture Layer
Use Verdent to keep delivery orchestration stable while your team decides which gateway, tools, and model layer to own. Compare the architecture responsibilities before you scale remote agent workflows.