Environment Variables

Environment variables

RemoteClaw pulls environment variables from multiple sources. The rule is never override existing values.

Precedence (highest → lowest)

Process environment (what the Gateway process already has from the parent shell/daemon).
.env in the current working directory (dotenv default; does not override).
Global .env at ~/.remoteclaw/.env (aka $REMOTECLAW_STATE_DIR/.env; does not override).
Config env block in ~/.remoteclaw/remoteclaw.json (applied only if missing).
Optional login-shell import (env.shellEnv.enabled or REMOTECLAW_LOAD_SHELL_ENV=1), applied only for missing expected keys.

If the config file is missing entirely, step 4 is skipped; shell import still runs if enabled.

Config `env` block

Two equivalent ways to set inline env vars (both are non-overriding):

{
  env: {
    OPENROUTER_API_KEY: "sk-or-...",
    vars: {
      GROQ_API_KEY: "gsk-...",
    },
  },
}

Shell env import

env.shellEnv runs your login shell and imports only missing expected keys:

{
  env: {
    shellEnv: {
      enabled: true,
      timeoutMs: 15000,
    },
  },
}

Env var equivalents:

REMOTECLAW_LOAD_SHELL_ENV=1
REMOTECLAW_SHELL_ENV_TIMEOUT_MS=15000

Runtime-injected env vars

RemoteClaw also injects context markers into spawned child processes:

REMOTECLAW_SHELL=exec: set for commands run through the exec tool.
REMOTECLAW_SHELL=acp: set for ACP runtime backend process spawns (for example acpx).
REMOTECLAW_SHELL=acp-client: set for remoteclaw acp client when it spawns the ACP bridge process.
REMOTECLAW_SHELL=tui-local: set for local TUI ! shell commands.

These are runtime markers (not required user config). They can be used in shell/profile logic to apply context-specific rules.

UI env vars

REMOTECLAW_THEME=light: force the light TUI palette when your terminal has a light background.
REMOTECLAW_THEME=dark: force the dark TUI palette.
COLORFGBG: if your terminal exports it, RemoteClaw uses the background color hint to auto-pick the TUI palette.

Env var substitution in config

You can reference env vars directly in config string values using ${VAR_NAME} syntax:

{
  models: {
    providers: {
      "vercel-gateway": {
        apiKey: "${VERCEL_GATEWAY_API_KEY}",
      },
    },
  },
}

See Configuration: Env var substitution for full details.

Secret refs vs `${ENV}` strings

RemoteClaw supports two env-driven patterns:

${VAR} string substitution in config values.
SecretRef objects ({ source: "env", provider: "default", id: "VAR" }) for fields that support secrets references.

Both resolve from process env at activation time. SecretRef details are documented in Secrets Management.

Variable	Purpose
`REMOTECLAW_HOME`	Override the home directory used for all internal path resolution (`~/.remoteclaw/`, agent dirs, sessions, credentials). Useful when running RemoteClaw as a dedicated service user.
`REMOTECLAW_STATE_DIR`	Override the state directory (default `~/.remoteclaw`).
`REMOTECLAW_CONFIG_PATH`	Override the config file path (default `~/.remoteclaw/remoteclaw.json`).

Logging

Variable	Purpose
`REMOTECLAW_LOG_LEVEL`	Override log level for both file and console (e.g. `debug`, `trace`). Takes precedence over `logging.level` and `logging.consoleLevel` in config. Invalid values are ignored with a warning.

`REMOTECLAW_HOME`

When set, REMOTECLAW_HOME replaces the system home directory ($HOME / os.homedir()) for all internal path resolution. This enables full filesystem isolation for headless service accounts.

Precedence: REMOTECLAW_HOME > $HOME > USERPROFILE > os.homedir()

Example (macOS LaunchDaemon):

<key>EnvironmentVariables</key>
<dict>
  <key>REMOTECLAW_HOME</key>
  <string>/Users/kira</string>
</dict>

REMOTECLAW_HOME can also be set to a tilde path (e.g. ~/svc), which gets expanded using $HOME before use.

nvm users: web_fetch TLS failures

If Node.js was installed via nvm (not the system package manager), the built-in fetch() uses nvm’s bundled CA store, which may be missing modern root CAs (ISRG Root X1/X2 for Let’s Encrypt, DigiCert Global Root G2, etc.). This causes web_fetch to fail with "fetch failed" on most HTTPS sites.

On Linux, RemoteClaw automatically detects nvm and applies the fix in the actual startup environment:

remoteclaw gateway install writes NODE_EXTRA_CA_CERTS into the systemd service environment
the remoteclaw CLI entrypoint re-execs itself with NODE_EXTRA_CA_CERTS set before Node startup

Manual fix (for older versions or direct node ... launches):

Export the variable before starting RemoteClaw:

export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
remoteclaw gateway run

Do not rely on writing only to ~/.remoteclaw/.env for this variable; Node reads NODE_EXTRA_CA_CERTS at process startup.