How to Configure a Safe Personal WhatsApp Setup in OpenClaw
The safest OpenClaw WhatsApp setup starts conservative: use a dedicated number, allowlist only your own sender, keep group behavior restricted, and disable heartbeats until the setup is trustworthy.
The official personal-assistant guide is clear about the safety baseline: use a dedicated WhatsApp number, always set channels.whatsapp.allowFrom, and keep heartbeats off until you trust the setup. That baseline is the right place to start.
Who this is for
- You want OpenClaw to act like an always-on assistant over WhatsApp.
- You want a personal setup, not a public bot.
- You want strong default safety before enabling autonomous behavior.
What you need before you start
- A working OpenClaw install.
- A second phone number for the assistant if possible.
- One trusted sender number you want to allow first.
Step-by-step setup
Step 1: Disable proactive heartbeats while you are still locking the setup down
    openclaw config set agents.defaults.heartbeat.every "0m"
Expected result: heartbeats stay off while you finish safety controls and test the WhatsApp channel manually.
Step 2: Link the WhatsApp account
    openclaw channels login --channel whatsapp
Expected result: the CLI shows a QR code that you scan with the assistant phone.
Step 3: Open the config file
    openclaw config file
Expected result: OpenClaw prints the config path you should edit.
Step 4: Add a conservative WhatsApp policy
Edit that config file and add a block like this:
    {
      "channels": {
        "whatsapp": {
          "dmPolicy": "allowlist",
          "allowFrom": ["+15551234567"],
          "groupPolicy": "allowlist",
          "groupAllowFrom": ["120363403215116621@g.us"],
          "groups": {
            "*": { "requireMention": true }
          }
        }
      }
    }
This keeps direct messages locked to your allowlist and forces group traffic into an allowlist-plus-mention model instead of open processing.
Step 5: Validate and restart
    openclaw config validate
    openclaw gateway restart
Expected result: validation succeeds and the gateway comes back with the WhatsApp policy loaded.
Step 6: Verify channel status
    openclaw channels status --probe
Expected result: WhatsApp shows as linked and available.
Verify it worked
- A message from your allowlisted number is processed.
- A message from a non-allowlisted sender is not treated as normal input.
- Group messages require mention before the assistant responds.
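The manual checks above can be paired with a static check of the config file. The script below is an added example, not part of OpenClaw or its docs: it audits a parsed config against the baseline from Steps 1 and 4. It assumes the file is strict JSON with the key names shown in this guide, that the heartbeat value set in Step 1 is stored under agents.defaults.heartbeat.every in the same file, and that sender numbers are written in E.164 form; the function name and sample data are hypothetical.

```python
import json
import re
import sys

# Assumption: sender numbers are written in E.164 form, as in the guide's example.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")

def audit_whatsapp_policy(config):
    """Return findings for the guide's baseline; an empty list means it holds."""
    wa = config.get("channels", {}).get("whatsapp")
    if not isinstance(wa, dict):
        return ["channels.whatsapp is missing"]
    findings = []
    for key in ("dmPolicy", "groupPolicy"):
        if wa.get(key) != "allowlist":
            findings.append(f"{key} is {wa.get(key)!r}, expected 'allowlist'")
    allow_from = wa.get("allowFrom")
    if not isinstance(allow_from, list) or not allow_from:
        findings.append("allowFrom is missing or empty")
    else:
        # Anything that is not one concrete number (patterns, blanks) is flagged.
        findings += [f"allowFrom entry {e!r} is not one E.164 number"
                     for e in allow_from
                     if not (isinstance(e, str) and E164.match(e))]
    if not wa.get("groupAllowFrom"):
        findings.append("groupAllowFrom is missing or empty")
    groups = wa.get("groups") or {}
    if not groups:
        findings.append("groups has no entries")
    for name, rule in groups.items():
        if not (isinstance(rule, dict) and rule.get("requireMention") is True):
            findings.append(f"groups[{name!r}] does not set requireMention: true")
    every = (config.get("agents", {}).get("defaults", {})
             .get("heartbeat", {}).get("every"))
    if every != "0m":
        findings.append(f"agents.defaults.heartbeat.every is {every!r}, expected '0m'")
    return findings

# Constructed sample: the guide's policy block plus the Step 1 heartbeat setting.
GOOD = {"agents": {"defaults": {"heartbeat": {"every": "0m"}}},
        "channels": {"whatsapp": {
            "dmPolicy": "allowlist", "allowFrom": ["+15551234567"],
            "groupPolicy": "allowlist",
            "groupAllowFrom": ["120363403215116621@g.us"],
            "groups": {"*": {"requireMention": True}}}}}

if __name__ == "__main__":
    # Usage: pass the path printed by `openclaw config file`; no argument audits GOOD.
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else GOOD
    problems = audit_whatsapp_policy(cfg)
    print("\n".join(problems) or "baseline holds")
    sys.exit(1 if problems else 0)
```

The non-zero exit code on any finding lets the check run before `openclaw gateway restart`, so a loosened policy is caught before it is loaded.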
Common problems and fixes
The account is linked but keeps disconnecting
Use the official WhatsApp troubleshooting commands:
    openclaw doctor
    openclaw logs --follow
Messages are ignored in groups
The WhatsApp docs say to check these in order: groupPolicy, groupAllowFrom, groups entries, and mention gating.
I want to use my personal number instead of a dedicated one
OpenClaw supports a personal-number mode, but the docs still recommend a dedicated number when possible because it produces cleaner safety and routing boundaries.
FAQ
Why start with dmPolicy: "allowlist" instead of pairing?
For a personal assistant, allowlist is the most predictable policy. Pairing is useful when you want a controlled approval flow for unknown senders, but allowlist is simpler and tighter for one-owner setups.
Should I enable heartbeats immediately?
No. The official personal-assistant guide recommends disabling heartbeats first and turning them on only after you trust the setup.
Can OpenClaw run on the same phone number I use every day?
It can, but the docs warn that this tends to blur who is really talking to the assistant. A dedicated number is the cleaner and safer operating model.