Your OpenClaw bot has a configurable DM policy that controls who can send it direct messages. You can lock it down to just yourself, open it up for anyone, or require a pairing handshake for new users. This guide walks through each mode and how to switch between them.
For recovering from a lockout where your bot already ignores you, see How to Unlock DM Access. For group chat behavior, see How to Configure OpenClaw Group Chat Behavior.
DM Policy Modes
OpenClaw supports four values for dmPolicy:
| Policy | Behavior |
|---|---|
open | Anyone can DM the bot. Requires allowFrom: ["*"]. |
pairing | New senders get a one-time pairing code. You approve via /allowlist approve or the CLI. Approvals are stored and persist across restarts. |
allowlist | Only IDs listed in allowFrom can DM. Everyone else is silently ignored. |
disabled | All DMs are blocked with no exceptions. |
ClawCloud default: both Telegram and Discord channels start with dmPolicy: "open" and allowFrom: ["*"] so you can talk to your bot immediately after deploy.
OpenClaw default (self-hosted): dmPolicy: "pairing" — new senders must complete a pairing handshake before the bot responds.
Change Policy via Bot Chat (Managed Flow)
If you're on ClawCloud, the easiest way to change the DM policy is to tell your bot directly in Telegram or Discord:
Set my DM policy to pairing mode
Restrict DMs so only I can message you. My Telegram user ID is 123456789.
Open up DMs so anyone can message you
After giving the instruction, verify the bot understood:
What is your current DM policy?
/status
Check the Config tab in your ClawCloud dashboard for a live read-only view of the applied config.
Change Policy via CLI
Use the Console tab in the ClawCloud dashboard, or SSH to your droplet and run as the openclaw user.
Set to open
openclaw config set channels.telegram.dmPolicy open
openclaw config set channels.telegram.allowFrom '["*"]'
Set to pairing
openclaw config set channels.telegram.dmPolicy pairing
No allowFrom entry needed — pairing is handled automatically.
Set to allowlist (specific users only)
openclaw config set channels.telegram.dmPolicy allowlist
openclaw config set channels.telegram.allowFrom '["123456789", "987654321"]'
Replace the IDs with your actual user IDs (see below for how to find them).
Set to disabled
openclaw config set channels.telegram.dmPolicy disabled
After any change, restart and verify:
openclaw gateway restart
openclaw doctor
For Discord, replace channels.telegram with channels.discord in all commands above.
allowFrom Format
allowFrom is a JSON array of strings. The format varies by channel:
| Channel | ID format | Example |
|---|---|---|
| Telegram | Numeric user ID (integer as string) | ["123456789"] |
| Discord | Numeric user ID (Snowflake) | ["987654321098765432"] |
Telegram: Usernames (@handle) are not valid in config — they are silently ignored or rejected. You must use the numeric ID. telegram: and tg: prefixes are accepted and normalized automatically (e.g. telegram:123456789).
Note: dmPolicy: "allowlist" with an empty allowFrom array is rejected by config validation. You must include at least one sender ID before switching to allowlist mode.
Find your Telegram user ID:
/whoami
The bot replies with something like telegram:123456789. The numeric portion is the value to use in allowFrom. If you're locked out already, run openclaw logs --follow in the Console and read the from.id field from an incoming message.
Alternatively use @userinfobot on Telegram (third-party).
Find your Discord user ID:
Enable Developer Mode in Discord settings (User Settings → Advanced → Developer Mode), then right-click your username and select Copy User ID.
Using pairing Mode
pairing is the most secure default for personal bots. When a new user sends a DM:
- They receive a pairing code in the chat.
- You approve it from the CLI or by replying to the bot:
openclaw pairing list telegram
openclaw pairing approve telegram <code>
Approved senders are saved to ~/.openclaw/credentials/telegram-allowFrom.json. They persist across gateway restarts and don't need re-approval.
To revoke a previously approved sender:
openclaw config set channels.telegram.allowFrom '["remaining-id-1"]'
openclaw gateway restart
Combining dmPolicy and allowFrom
dmPolicy and allowFrom work together:
open+["*"]→ everyone allowed, no checks.allowlist+["123"]→ only user 123 allowed.pairing+["123"]→ user 123 bypasses pairing; others get a code.disabled→allowFromis ignored entirely.
After Changing the Policy
Always run openclaw doctor after a policy change to confirm there are no config errors:
openclaw doctor
Test by sending a DM from the affected channel. If the bot doesn't respond as expected, check the gateway logs:
openclaw logs
If you locked yourself out, see How to Unlock DM Access for recovery steps.
Deploy Your OpenClaw Bot