Setup CLI Reference

The @agenthifive/openclaw-setup package provides a CLI wizard for connecting OpenClaw to AgentHiFive. It handles agent registration, key pair generation, connection syncing, plugin installation, and patching.

Installation

The setup CLI is published as a standalone npm package:

npx @agenthifive/openclaw-setup

Or install globally:

npm install -g @agenthifive/openclaw-setup
ah5-setup

Current version: 0.2.17

Interactive Mode (Default)

Running without flags presents an interactive menu:

npx @agenthifive/openclaw-setup

Menu options:

Option	Description
Connect to vault	First-time setup — register agent, fetch connections, install plugin, apply patches
Change default LLM	Re-pick the default LLM model while keeping existing connections
Reconnect to vault	Re-authenticate with a new bootstrap secret (e.g., after key rotation)
Sync connections	Re-fetch vault connections and update OpenClaw config
Verify installation	Check that patches, config, and authentication are working (no changes made)
Remove AgentHiFive	Cleanly remove the plugin, patches, and configuration

CLI Options

npx @agenthifive/openclaw-setup [options]

Flag	Description
`--base-url <url>`	AgentHiFive API base URL (default: `https://app.agenthifive.com`)
`--bootstrap-secret <secret>`	Enrolment key from the dashboard (`ah5b_...`)
`--default-model <model>`	Default LLM model (e.g., `anthropic/claude-sonnet-4-6`)
`--config-path <path>`	Explicit OpenClaw config file path
`--openclaw-dir <path>`	Explicit OpenClaw installation directory
`--mode <mode>`	Run a specific mode: `setup`, `change-model`, `reconnect`, `sync`, `verify`, `remove`
`--non-interactive`	Run without prompts (requires `--base-url` and `--bootstrap-secret`)
`--skip-onboard`	Skip the OpenClaw onboard step
`--skip-plugin-install`	Skip plugin installation (useful when deploying from tarball)
`--sync`	Shorthand for `--mode sync`
`--verify`	Shorthand for `--mode verify`
`-h`, `--help`	Show help message

What the Setup Does

The first-time setup performs these steps in order:

Check OpenClaw installation — validates that openclaw --version works
Prompt for base URL — the AgentHiFive API endpoint (SaaS or self-hosted)
Bootstrap agent — uses the enrolment key to authenticate and register an ES256 key pair
Fetch vault connections — retrieves available integrations (LLM providers, messaging, productivity)
Choose default LLM — interactive model selection from connected LLM providers
Configure channels — enables vault-managed Telegram and Slack channels if available
Run OpenClaw onboard — initializes OpenClaw with the agent configuration
Install plugin — runs openclaw plugins install @agenthifive/agenthifive
Write configuration — merges plugin config into ~/.openclaw/openclaw.json
Apply patches — injects vault integration into OpenClaw's runtime
Verify — checks that everything is configured correctly

Config File Location

The setup wizard writes to the standard OpenClaw config path:

~/.openclaw/openclaw.json

It looks for existing config in this priority order:

$OPENCLAW_CONFIG_PATH or $CLAWDBOT_CONFIG_PATH environment variable
$OPENCLAW_STATE_DIR/openclaw.json
~/.openclaw/openclaw.json (preferred default)

Common Workflows

First-time setup (interactive)

npx @agenthifive/openclaw-setup
# Select "Connect to vault"
# Enter base URL and enrolment key when prompted

First-time setup (non-interactive / CI)

npx @agenthifive/openclaw-setup \
  --non-interactive \
  --base-url https://app.agenthifive.com \
  --bootstrap-secret ah5b_...

Reconnect after key rotation

npx @agenthifive/openclaw-setup --mode reconnect \
  --base-url https://app.agenthifive.com \
  --bootstrap-secret ah5b_NEW_SECRET

Re-sync connections (manual)

Connections are synced automatically during setup. If you need to manually re-sync after making changes in the dashboard:

npx @agenthifive/openclaw-setup --sync

Verify installation

Check that everything is working without making changes:

npx @agenthifive/openclaw-setup --verify

Troubleshooting

"Token exchange rejected — clock out of sync"

The agent's JWT assertion has a timestamp that the server considers too far from its own clock. Sync the system clock:

# Linux
sudo timedatectl set-ntp true

# macOS
sudo sntp -sS time.apple.com

"Token exchange rejected (401) — key pair no longer valid"

The agent's ES256 key has been rotated or the agent was disabled. Generate a new enrolment key from the dashboard and reconnect:

npx @agenthifive/openclaw-setup --mode reconnect \
  --bootstrap-secret ah5b_NEW_KEY

"Patch verification failed"

The OpenClaw installation was updated and patches need to be reapplied:

npx @agenthifive/openclaw-setup --mode setup --skip-plugin-install

Setup can't find OpenClaw

Specify the installation directory explicitly:

npx @agenthifive/openclaw-setup --openclaw-dir /path/to/openclaw

Installation​

Interactive Mode (Default)​

CLI Options​

What the Setup Does​

Config File Location​

Common Workflows​

First-time setup (interactive)​

First-time setup (non-interactive / CI)​

Reconnect after key rotation​

Re-sync connections (manual)​

Verify installation​

Troubleshooting​

"Token exchange rejected — clock out of sync"​

"Token exchange rejected (401) — key pair no longer valid"​

"Patch verification failed"​

Setup can't find OpenClaw​