openclaw/docs/cli/approvals.md

---
summary: "CLI reference for `openclaw approvals` (exec approvals for gateway or node hosts)"
read_when:
  - You want to edit exec approvals from the CLI
  - You need to manage allowlists on gateway or node hosts
title: "approvals"
---

# `openclaw approvals`

Manage exec approvals for the **local host**, **gateway host**, or a **node host**.
By default, commands target the local approvals file on disk. Use `--gateway` to target the gateway, or `--node` to target a specific node.

Related:

- Exec approvals: [Exec approvals](/tools/exec-approvals)
- Nodes: [Nodes](/nodes)

## Common commands

```bash
openclaw approvals get
openclaw approvals get --node <id|name|ip>
openclaw approvals get --gateway
```

## Replace approvals from a file

```bash
openclaw approvals set --file ./exec-approvals.json
openclaw approvals set --node <id|name|ip> --file ./exec-approvals.json
openclaw approvals set --gateway --file ./exec-approvals.json
```

## Allowlist helpers

```bash
openclaw approvals allowlist add "~/Projects/**/bin/rg"
openclaw approvals allowlist add --agent main --node <id|name|ip> "/usr/bin/uptime"
openclaw approvals allowlist add --agent "*" "/usr/bin/uname"

openclaw approvals allowlist remove "~/Projects/**/bin/rg"
```

## Notes

- `--node` uses the same resolver as `openclaw nodes` (id, name, ip, or id prefix).
- `--agent` defaults to `"*"`, which applies to all agents.
- The node host must advertise `system.execApprovals.get/set` (macOS app or headless node host).
- Approvals files are stored per host at `~/.openclaw/exec-approvals.json`.
feat: add exec approvals tooling and service status 2026-01-18 15:23:36 +00:00			`---`
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			summary: "CLI reference for `openclaw approvals` (exec approvals for gateway or node hosts)"
feat: add exec approvals tooling and service status 2026-01-18 15:23:36 +00:00			`read_when:`
			`- You want to edit exec approvals from the CLI`
			`- You need to manage allowlists on gateway or node hosts`
Docs: add nav titles across docs (#5689) 2026-01-31 16:04:03 -05:00			`title: "approvals"`
feat: add exec approvals tooling and service status 2026-01-18 15:23:36 +00:00			`---`

refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			# `openclaw approvals`
feat: add exec approvals tooling and service status 2026-01-18 15:23:36 +00:00
feat: improve exec approvals defaults and wildcard 2026-01-21 09:54:48 +00:00			`Manage exec approvals for the local host, gateway host, or a node host.`
			By default, commands target the local approvals file on disk. Use `--gateway` to target the gateway, or `--node` to target a specific node.
feat: add exec approvals tooling and service status 2026-01-18 15:23:36 +00:00
			`Related:`
chore: Run `pnpm format:fix`. 2026-01-31 21:13:13 +09:00
feat: add exec approvals tooling and service status 2026-01-18 15:23:36 +00:00			`- Exec approvals: [Exec approvals](/tools/exec-approvals)`
			`- Nodes: [Nodes](/nodes)`

			`## Common commands`

			```bash
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`openclaw approvals get`
			`openclaw approvals get --node <id\|name\|ip>`
			`openclaw approvals get --gateway`
feat: add exec approvals tooling and service status 2026-01-18 15:23:36 +00:00			```

			`## Replace approvals from a file`

			```bash
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`openclaw approvals set --file ./exec-approvals.json`
			`openclaw approvals set --node <id\|name\|ip> --file ./exec-approvals.json`
			`openclaw approvals set --gateway --file ./exec-approvals.json`
feat: add exec approvals tooling and service status 2026-01-18 15:23:36 +00:00			```

			`## Allowlist helpers`

			```bash
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`openclaw approvals allowlist add "~/Projects/**/bin/rg"`
			`openclaw approvals allowlist add --agent main --node <id\|name\|ip> "/usr/bin/uptime"`
			`openclaw approvals allowlist add --agent "*" "/usr/bin/uname"`
feat: add exec approvals tooling and service status 2026-01-18 15:23:36 +00:00
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`openclaw approvals allowlist remove "~/Projects/**/bin/rg"`
feat: add exec approvals tooling and service status 2026-01-18 15:23:36 +00:00			```

			`## Notes`

refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			- `--node` uses the same resolver as `openclaw nodes` (id, name, ip, or id prefix).
feat: improve exec approvals defaults and wildcard 2026-01-21 09:54:48 +00:00			- `--agent` defaults to `"*"`, which applies to all agents.
feat: add exec approvals tooling and service status 2026-01-18 15:23:36 +00:00			- The node host must advertise `system.execApprovals.get/set` (macOS app or headless node host).
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			- Approvals files are stored per host at `~/.openclaw/exec-approvals.json`.