Skip to main content
Reference for the api.runtime object injected into every plugin during registration. Use these helpers instead of importing host internals directly.

Channel plugins

Step-by-step guide that uses these helpers in context for channel plugins.

Provider plugins

Step-by-step guide that uses these helpers in context for provider plugins.
api.runtime.version is the current OpenClaw product version, sourced from the shared version resolver so plugins see the same value the CLI reports.

Config loading and writes

Prefer config that was already passed into the active call path, for example api.config during registration or a cfg argument on channel/provider callbacks. This keeps one process snapshot flowing through the work instead of reparsing config on hot paths. Use api.runtime.config.current() only when a long-lived handler needs the current process snapshot and no config was passed to that function. The returned value is readonly; clone or use a mutation helper before editing. Tool factories receive ctx.runtimeConfig plus ctx.getRuntimeConfig(). Use the getter inside a long-lived tool’s execute callback when config can change after the tool definition was created. Persist changes with api.runtime.config.mutateConfigFile(...) or api.runtime.config.replaceConfigFile(...). Each write must choose an explicit afterWrite policy:
  • afterWrite: { mode: "auto" } lets the gateway reload planner decide.
  • afterWrite: { mode: "restart", reason: "..." } forces a clean restart when the writer knows hot reload is unsafe.
  • afterWrite: { mode: "none", reason: "..." } suppresses automatic reload/restart only when the caller owns the follow-up.
The mutation helpers return afterWrite plus a typed followUp summary so callers can log or test whether they requested a restart. The gateway still owns when that restart actually happens.
api.runtime.config.loadConfig() and api.runtime.config.writeConfigFile(...) are deprecated. They warn once per plugin at runtime and remain available only for old external plugins during the migration window. Bundled plugins must not use them: an internal config boundary guard fails the build if plugin code calls them or imports those helpers from plugin SDK subpaths. Use current(), a passed-in cfg, mutateConfigFile(...), or replaceConfigFile(...) instead.
For direct SDK imports, prefer the focused config subpaths over the broad openclaw/plugin-sdk/config-runtime compatibility barrel: config-contracts for types, plugin-config-runtime for already-loaded config assertions, plugin entry lookup, and canonical config merging, runtime-config-snapshot for current process snapshots, and config-mutation for writes. Bundled plugin tests should mock these focused subpaths directly instead of mocking the broad compatibility barrel. Internal OpenClaw runtime code follows the same direction: load config once at the CLI, gateway, or process boundary, then pass that value through. Successful mutation writes refresh the process runtime snapshot and advance its internal revision; long-lived caches should key off the runtime-owned cache key instead of serializing config locally. Long-lived runtime modules have a zero-tolerance scanner for ambient loadConfig() calls; use a passed cfg, a request context.getRuntimeConfig(), or getRuntimeConfig() at an explicit process boundary. Provider and channel execution paths must use the active runtime config snapshot, not a file snapshot returned for config readback or editing. File snapshots preserve source values such as SecretRef markers for UI and writes; provider callbacks need the resolved runtime view. When a helper may be called with either the active source snapshot or the active runtime snapshot, route through selectApplicableRuntimeConfig() before reading credentials.

Reusable runtime utilities

Use inbound botLoopProtection facts for bot-authored inbound messages. Core applies the shared in-memory sliding-window guard before session record and dispatch, without tying the policy to one channel. The guard tracks (scopeId, conversationId, participant pair) keys, counts both directions of a pair together, applies a cooldown once the window budget is exceeded, and prunes inactive entries opportunistically. Channel plugins that expose this behavior to operators should prefer the shared channels.defaults.botLoopProtection shape for baseline budgets, then layer channel/provider-specific overrides on top. The shared config uses seconds because it is user-facing:
Pass normalized bot-pair facts with the resolved turn. Core resolves defaults, unit conversion, and enabled semantics:
Use openclaw/plugin-sdk/pair-loop-guard-runtime directly only for custom two-party event loops that do not go through the shared inbound reply runner.

Runtime namespaces

Agent identity, directories, and session management.
runEmbeddedAgent(...) is the neutral helper for starting a normal OpenClaw agent turn from plugin code. It uses the same provider/model resolution and agent-harness selection as channel-triggered replies.runEmbeddedPiAgent(...) remains as a deprecated compatibility alias for existing plugins. New code should use runEmbeddedAgent(...).resolveThinkingPolicy(...) returns the provider/model’s supported thinking levels and optional default. Provider plugins own the model-specific profile through their thinking hooks, so tool plugins should call this runtime helper instead of importing or duplicating provider lists.normalizeThinkingLevel(...) converts user text such as on, x-high, or extra high to the canonical stored level before checking it against the resolved policy.Session store helpers are under api.runtime.agent.session:
Prefer getSessionEntry(...), listSessionEntries(...), patchSessionEntry(...), or upsertSessionEntry(...) for session workflows. These helpers address sessions by agent/session identity so plugins do not depend on the legacy sessions.json storage shape. Use preserveActivity: true for metadata-only patches that should not refresh session activity, and replaceEntry: true only when the callback returns a complete entry and deleted fields must stay deleted. Doctor and migration paths can combine fallbackEntry, skipMaintenance, and requireWriteSuccess for one atomic canonical-store repair.createSessionEntry(...) creates a new canonical session row and transcript. Its trusted initialEntry surface is deliberately narrow: a non-empty agentHarnessId, optional modelSelectionLocked: true, and optional pluginExtensions. The injected runtime accepts only harness ids owned by the calling plugin through registerAgentHarness(...); this is an ownership invariant, not a sandbox between in-process plugins. It rejects an existing row; label and spawnedCwd are separate creation fields rather than trusted-entry patches.Creation holds the session lifecycle mutation fence through afterCreate, so new work waits for plugin-owned initialization to finish and pre-existing admitted work makes creation fail. The callback receives a clone of the created state. If it returns a patch, that patch may contain only pluginExtensions, and its value is the complete final pluginExtensions field. A callback or final-persistence failure rolls back the unchanged new row and transcript; guarded rollback preserves a row changed or claimed concurrently. recoverMatchingInitialEntry: true is only for retrying interrupted initialization when the persisted trusted fields match exactly, and recovery requires afterCreate to return a final patch.Use runWithWorkAdmission(...) when a plugin starts work on a persisted session. The callback rejects archived or concurrently replaced sessions, keeps archive/reset/delete mutations coordinated through completion, and receives an AbortSignal that must be forwarded to the agent run. A harness may explicitly name trusted execution delegates through its experimental delegatedExecutionPluginIds registration field. Delegates can admit and run only an exact existing model-locked session; all session mutations remain restricted to the harness owner. See Agent harness plugins.Maintenance and repair plugins may use deleteSessionEntry(...) for one scoped session entry, cleanupSessionLifecycleArtifacts(...) for lifecycle-owned scratch sessions, and resolveSessionStoreBackupPaths(...) before mutating a store. These helpers are narrow repair/lifecycle surfaces, not a general store deletion API.resolveStorePath(...) and updateSessionStoreEntry(...) round out the session helpers: resolveStorePath resolves the session store path for a given scope, and updateSessionStoreEntry({ storePath, sessionKey, update }) patches one entry directly by store path when the caller already knows it.loadTranscriptEventsSync(...) is available for synchronous doctor and repair paths that cannot use the async transcript runtime. It returns raw SessionStoreTranscriptEvent records. Normal plugin runtime code should prefer openclaw/plugin-sdk/session-transcript-runtime.formatSqliteSessionFileMarker(...), parseSqliteSessionFileMarker(...), and sqliteSessionFileMarkerMatchesSession(...) are transitional helpers for code that still receives a legacy field named sessionFile. A parsed SQLite marker identifies a live SQLite transcript target; it is not a filesystem path. New APIs should carry typed session identity instead of marker strings.For transcript reads and writes, import openclaw/plugin-sdk/session-transcript-runtime and use resolveSessionTranscriptIdentity(...), resolveSessionTranscriptTarget(...), readSessionTranscriptEvents(...), readVisibleSessionTranscriptMessageEntries(...), appendSessionTranscriptMessageByIdentity(...), publishSessionTranscriptUpdateByIdentity(...), or withSessionTranscriptWriteLock(...) with { agentId, sessionKey, sessionId }. These APIs let plugins identify a transcript, read raw events or visible branch-safe message entries, append messages, publish updates, and run related operations under the same transcript write lock without depending on active transcript file paths. readVisibleSessionTranscriptMessageEntries(...) returns ordered read metadata; its seq field is not a resumable cursor.The legacy whole-store and active transcript file helpers are no longer exported from the plugin SDK. Use the scoped entry helpers for session metadata and the transcript identity helpers for active transcript operations. Archive/support workflows that need file artifacts should use their dedicated archive surfaces instead of active session runtime APIs.
Default model and provider constants:
Run a host-owned text completion without importing provider internals or duplicating OpenClaw model/auth/base URL preparation.
Provider orchestration can also acquire the configured local-service lifecycle before issuing an HTTP request:
acquireLocalService(...) is a stable, generic provider-service SDK contract. The host resolves process configuration from models.providers.<providerId>.localService; callers cannot supply a command, arguments, environment, or lifecycle policy. Process spawning, readiness, diagnostics, and idle-stop policy remain internal to the host.Pass the exact configured provider id and resolved request base URL. Do not replace aliases with an adapter id: separate aliases can point at separate local GPU hosts. The host rejects endpoints that do not match the configured provider base URL, apart from the /v1 normalization used by Ollama and LM Studio adapters. The host owns startup serialization, readiness probes, request leases, abort handling, and idle shutdown.The helper uses the same simple-completion preparation path as OpenClaw’s built-in runtime and the host-owned runtime config snapshot. Context engines receive a session-bound llm.complete capability, so model calls use the active session’s agent and do not silently fall back to the default agent. The result includes provider/model/agent attribution plus normalized token, cache, and estimated cost usage when available.
Model overrides require operator opt-in via plugins.entries.<id>.llm.allowModelOverride: true in config. Use plugins.entries.<id>.llm.allowedModels to restrict trusted plugins to specific canonical provider/model targets. Cross-agent completions require plugins.entries.<id>.llm.allowAgentIdOverride: true.
Call another Gateway method in process while preserving the current plugin’s trusted runtime identity. This is intended for bundled or trusted official plugins that compose plugin-owned Gateway capabilities without opening a loopback WebSocket connection.
Requests use operator.write scope and do not grant admin scope. Calls from arbitrary external plugins are rejected. Failed methods throw a GatewayClientRequestError, preserving structured details, retry metadata, and the Gateway error code for recovery flows. Use isAvailable() before choosing this path from tools that can also run in standalone agent processes.
Launch and manage background subagent runs.
Model overrides (provider/model) require operator opt-in via plugins.entries.<id>.subagent.allowModelOverride: true in config. Untrusted plugins can still run subagents, but override requests are rejected.
toolsAlsoAllow adds exact, uniquely owned tools registered by the calling plugin to the worker’s normal tool surface. The runtime rejects core tools and names shared with another plugin. Profiles and operator tool policies still apply, including explicit allowlists and denies.deleteSession(...) can delete sessions created by the same plugin through api.runtime.subagent.run(...). Deleting arbitrary user or operator sessions still requires an admin-scoped Gateway request.
Inspect the effective sandbox workspace authority for an agent session.
The result reports whether this session is sandboxed, whether its workspace is unavailable, read-only, or writable, and an optional confinementError when the effective Docker, tool, session, browser, or elevated policy can escape that workspace. Use this for host-owned delegation decisions that must not grant a worker more authority than its caller. It is an attestation helper, not a replacement for checking the caller’s own authorization.prepareWorkspaceAuthority(...) performs the same policy check and also prepares the Docker sandbox for workspaceDir. It rejects a hot container whose live config hash does not match the requested mounts or policy. Pass only exact tool names whose registered implementations the calling plugin confines; wildcard prefixes do not prove tool ownership.
List connected nodes and invoke a node-host command from Gateway-loaded plugin code or from plugin CLI commands. Use this when a plugin owns local work on a paired device, for example a browser or audio bridge on another Mac.
nodes.list(...) includes each connected node’s advertised nodePluginTools descriptors when that node exposes plugin or MCP-backed tools to the agent. Those descriptors are live connection state: the Gateway drops them when the node disconnects, and a node can replace them with node.pluginTools.update after local plugin/MCP inventory changes.Inside the Gateway this runtime is in-process. In plugin CLI commands it calls the configured Gateway over RPC, so commands such as openclaw googlemeet recover-tab can inspect paired nodes from the terminal. Node commands still go through normal Gateway node pairing, command allowlists, plugin node-invoke policies, and node-local command handling.Plugins that expose node-hosted agent tools can set agentTool.defaultPlatforms for non-dangerous commands that should be allowlisted by default. Omit it when operators must opt in with gateway.nodes.allowCommands. Dangerous node-host commands should register a node-invoke policy with api.registerNodeInvokePolicy(...); the policy runs in the Gateway after command allowlist checks and before the command is forwarded to the node, so direct node.invoke calls, node-hosted plugin tools, and higher-level plugin tools share the same enforcement path.
The optional scopes field requests Gateway operator scopes for the invocation. OpenClaw honors it only for bundled plugins and trusted official plugin installations; requests from other plugins do not elevate the call. Use it only when a trusted plugin must invoke a node command with a stricter Gateway scope, such as operator.admin.
Bind Task Flow and Task Run state to an existing OpenClaw session key or trusted tool context.
  • api.runtime.tasks.managedFlows is mutation-capable: create, advance, and cancel Task Flows.
  • api.runtime.tasks.flows and api.runtime.tasks.runs are read-only DTO views for listing and status lookups; both expose bindSession(...) / fromToolContext(...) plus get, list, findLatest, and resolve.
  • api.runtime.tasks.flow is a deprecated alias for managedFlows.
Task Flow tracks durable multi-step workflow state. It is not a scheduler: use Cron or api.session.workflow.scheduleSessionTurn(...) for future wakeups, then use managedFlows from the scheduled turn when that work needs flow state, child tasks, waits, or cancellation.
Use bindSession({ sessionKey, requesterOrigin }) when you already have a trusted OpenClaw session key from your own binding layer. Do not bind from raw user input.
Text-to-speech synthesis.
Uses core messages.tts configuration and provider selection. Returns PCM audio buffer + sample rate. textToSpeechStream is also available for streaming synthesis.
Image, audio, and video analysis.
Returns { text: undefined } when no output is produced (e.g. skipped input).describeImageFileWithModel(...) describes an already-known image through a specific provider/model, bypassing the default active-model resolution that describeImageFile(...) uses.
api.runtime.stt.transcribeAudioFile(...) remains as a compatibility alias for api.runtime.mediaUnderstanding.transcribeAudioFile(...).
Image generation.
Video generation, mirroring the image generation shape.
Music generation, mirroring the image generation shape.
Web search.
Low-level media utilities.
Current runtime config snapshot and transactional config writes. Prefer config that was already passed into the active call path; use current() only when the handler needs the process snapshot directly.
mutateConfigFile(...) and replaceConfigFile(...) return a followUp value, for example { mode: "restart", requiresRestart: true, reason }, which records the writer intent without taking restart control away from the gateway.
System-level utilities.
runHeartbeatOnce(...) runs a single heartbeat cycle immediately, bypassing the normal coalesce timer. Pass { heartbeat: { target: "last" } } to force delivery to the last active channel instead of the default target: "none" suppression.runCommandWithTimeout(...) returns captured stdout and stderr, optional truncation counts, code, signal, killed, termination, and noOutputTimedOut. Timeout and no-output-timeout results report code: 124 when the child process does not provide a non-zero exit code. Non-timeout signal exits can still return code: null, so use termination and noOutputTimedOut to distinguish timeout reasons.
Event subscriptions.
Logging.
Model and provider auth resolution.
State directory resolution and SQLite-backed keyed storage.
Keyed stores survive restarts and are isolated by the runtime-bound plugin id. Use registerIfAbsent(...) for atomic dedupe claims: it returns true when the key was missing or expired and registered, or false when a live value already exists without overwriting its value, creation time, or TTL. Limits: maxEntries per namespace, 50,000 live rows per plugin, JSON values under 64KB, and optional TTL expiry. By default, a write at either row limit sheds the oldest live rows from the namespace being written; sibling namespaces are not evicted for that write, and the write still fails if the namespace cannot free enough rows. Set overflowPolicy: "reject-new" for durable ownership records that must never be evicted: new keys fail at either limit, while existing keys remain updateable.openSyncKeyedStore<T>(...) returns the same store shape with synchronous methods (register, registerIfAbsent, lookup, consume, clear all return values directly instead of promises) for callers that cannot await.openChannelIngressQueue<TPayload>(...) opens a persisted ingress queue scoped to the calling plugin, for buffering inbound events that need at-least-once processing across restarts. When stale-claim recovery uses shouldRecover, also provide shouldRecoverCorrupt if corrupt claimed payloads should be quarantined: its payload-independent claim identity lets the plugin preserve live owner and lane policy before the queue tombstones the row.
openKeyedStore, openSyncKeyedStore, and openChannelIngressQueue are available only to bundled plugins and trusted official plugin installations in this release.
Channel-specific runtime helpers (available when a channel plugin is loaded). Grouped by concern:
GroupPurpose
textChunking (chunkText, chunkMarkdownText, resolveChunkMode), control-command detection, Markdown table conversion.
replyBuffered-block reply dispatch, envelope formatting, effective messages/human-delay config resolution.
routingbuildAgentSessionKey, resolveAgentRoute.
pairingbuildPairingReply, allowlist reads, pairing-request upserts.
mediaRemote media download/save (see below).
activityRecord/read last channel activity.
sessionSession metadata from inbound events, last-route updates.
mentionsMention-policy helpers (see below).
reactionsAck-reaction handles for in-flight processing indicators.
groupsGroup policy and require-mention resolution.
debounceInbound message debouncing.
commandsCommand authorization and text-command gating.
outboundLoad a channel’s outbound adapter.
inboundBuild inbound event context and run the shared inbound-event/reply kernel.
threadBindingsAdjust idle-timeout/max-age for bound session threads.
runtimeContextsRegister, read, and watch process-local per-channel/account/capability context.
api.runtime.channel.media is the preferred surface for channel media downloads and storage:
Use saveRemoteMedia(...) when a remote URL should become OpenClaw media. Use saveResponseMedia(...) when the plugin already fetched a Response with plugin-owned auth, redirect, or allowlist handling. Use readRemoteMediaBuffer(...) only when the plugin needs raw bytes for inspection, transforms, decryption, or reupload. fetchRemoteMedia(...) remains a deprecated compatibility alias for readRemoteMediaBuffer(...).api.runtime.channel.mentions is the shared inbound mention-policy surface for bundled channel plugins that use runtime injection:
Available mention helpers:
  • buildMentionRegexes
  • matchesMentionPatterns
  • matchesMentionWithExplicit
  • implicitMentionKindWhen
  • resolveInboundMentionDecision
api.runtime.channel.mentions intentionally does not expose the older resolveMentionGating* compatibility helpers. Prefer the normalized { facts, policy } path.Several fields under reply, session, and inbound carry per-field @deprecated notes pointing at the current channel-turn kernel or channel-outbound adapters; check the inline JSDoc on the specific helper before building new code on it.

Storing runtime references

Use createPluginRuntimeStore to store the runtime reference for use outside the register callback:
1

Create the store

2

Wire into the entry point

3

Access from other files

Prefer pluginId for the runtime-store identity. The lower-level key form is for uncommon cases where one plugin intentionally needs more than one runtime slot.

Other top-level api fields

Beyond api.runtime, the API object also provides:
api.id
string
Plugin id.
api.name
string
Plugin display name.
api.config
OpenClawConfig
Current config snapshot (active in-memory runtime snapshot when available).
api.pluginConfig
Record<string, unknown>
Plugin-specific config from plugins.entries.<id>.config.
api.logger
PluginLogger
Scoped logger (debug, info, warn, error).
api.registrationMode
PluginRegistrationMode
Current load mode: "full" (live activation), "discovery" / "tool-discovery" (read-only capability discovery), "setup-only" (lightweight setup entry), "setup-runtime" (setup flow that also needs the runtime channel entry), or "cli-metadata" (CLI command metadata collection).
api.resolvePath(input)
(string) => string
Resolve a path relative to the plugin root.