Add AgentLeash to an existing OpenClaw agent
Install the AgentLeash plugin on your agent to enforce on-chain permission tokens. Every tool call will be verified against your agent's PAT before execution.
✓ OpenClaw agent running
✓ AgentLeash API key
✓ Permission token minted
Don't have a permission token yet? Create one first, then come back here to connect your agent.
Select Your Agent
Choose the agent and token to configure. Code examples below will update automatically.
🚀
Quick Deploy: Config Bundle
Download a ready-to-use bundle with everything configured. Just add your API keys and run
docker compose up.
Includes: agentleash.config.json, docker-compose.yml, .env.example, README.md
— or follow the manual setup steps below —
1
Get your API Key
Your API key authenticates your agent with the AgentLeash verification service. Keep it secret.
••••••••••••••••
Need a new key? Go to Settings → API Keys
2
Install the AgentLeash plugin
Install the plugin on the machine where your OpenClaw agent runs.
npm install @agentleash/openclaw-plugin
yarn add @agentleash/openclaw-plugin
# Clone and install from source
git clone https://github.com/TokenFormLLC/agentleash-plugin.git
cd agentleash-plugin
npm install
npm link
3
Configure your agent
Add the AgentLeash plugin to your OpenClaw gateway configuration. This registers the
before_tool_call hook that intercepts every tool call.
# Add to your openclaw.yaml (or ~/.openclaw/config.yaml)
plugins:
entries:
agentleash:
enabled: true
package: "@agentleash/openclaw-plugin"
config:
apiKey: "al_live_your_api_key_here"
agentId: "your-agent-id"
verifyEndpoint: "https://api.agentleash.com/v1/verify"
chain: "base" # or "algorand"
cache:
enabled: true
ttlSeconds: 60
onDeny: "block" # "block" | "warn" | "log"
auditLog: true
# Add to your .env or shell profile
AGENTLEASH_API_KEY=al_live_your_api_key_here
AGENTLEASH_AGENT_ID=your-agent-id
AGENTLEASH_ENDPOINT=https://api.agentleash.com/v1/verify
AGENTLEASH_CHAIN=base
AGENTLEASH_CACHE_TTL=60
AGENTLEASH_ON_DENY=block
AGENTLEASH_AUDIT_LOG=true
onDeny: "block" is the default and recommended setting. It prevents tool execution when permissions are denied. Use "warn" during testing to log denials without blocking, or "log" for silent audit-only mode.
4
Restart your agent
Restart the OpenClaw gateway to load the AgentLeash plugin.
openclaw gateway restart
Check the logs to confirm the plugin loaded:
openclaw gateway logs | grep agentleash
# Expected output:
[agentleash] Plugin loaded. Agent: your-agent-id
[agentleash] Chain: base | Cache: 60s TTL | Mode: block
[agentleash] PAT verified ✓ Token #1234 active
5
Verify the connection
Send a test verification request to confirm your agent is properly connected and the PAT is being enforced.
Connection Test
Sends a test tool call through the PAT verification pipeline
# Test request
POST https://api.agentleash.com/v1/verify
{
"agentId": "your-agent-id",
"toolName": "read",
"params": { "path": "/tmp/test.txt" },
"sessionKey": "test"
}
# Or test from command line:
curl -X POST https://api.agentleash.com/v1/verify \
-H "Authorization: Bearer al_live_your_api_key_here" \
-H "Content-Type: application/json" \
-d '{
"agentId": "your-agent-id",
"toolName": "read",
"params": {"path": "/tmp/test.txt"},
"sessionKey": "test"
}'
What happens now?
Every tool call your agent makes will now be verified against its permission token before execution. You can: