Signal is the hardest channel to connect to OpenClaw. Unlike Telegram (which gives you a bot API and token in two minutes) or WhatsApp (which uses a QR code scan), Signal has no official bot framework. You need to install signal-cli, a third-party command-line tool that speaks the Signal protocol, and wire it into OpenClaw’s gateway as a bridge.
The upside is worth the extra work for the right use case. Every message between you and your AI agent travels through the Signal Protocol with end-to-end encryption. No other OpenClaw channel offers that level of privacy. If you handle sensitive data, work in a regulated industry, or just refuse to let a messaging platform read your AI conversations, Signal is the only channel that keeps your interactions genuinely private.
Budget 30 to 60 minutes for first-time setup. This guide walks through the full process: installing signal-cli, registering a phone number, configuring OpenClaw, and testing the connection. We also cover the tradeoffs against Telegram and WhatsApp so you can decide whether Signal’s privacy advantages justify the extra complexity.
Before You Start
You need four things in place before configuring the Signal channel:
-
OpenClaw installed and running on a Linux machine or VPS. If you have not done this yet, follow our OpenClaw setup guide first. Signal integration requires a running OpenClaw gateway, not just the CLI.
-
Java Runtime Environment (JRE) 17 or later installed on the same machine. signal-cli is a Java application. Check your version with
java -version. If you do not have Java, install it withsudo apt install openjdk-21-jre-headlesson Ubuntu/Debian. -
A phone number for the bot. You have two options: use a dedicated number (recommended for production) or link your personal Signal account as a secondary device. We cover both paths below.
-
Terminal access to the server. Signal registration involves SMS verification codes and QR code scanning. You will need an interactive terminal session during setup.
If you want the agent running 24/7, deploy on a VPS. Our Hostinger deployment guide covers VPS setup from scratch.
Step 1: Install signal-cli
signal-cli is the bridge that lets OpenClaw communicate with Signal’s servers. Download the latest release from the signal-cli GitHub repository.
Native build (faster startup, recommended):
VERSION=$(curl -Ls -o /dev/null -w %{url_effective} https://github.com/AsamK/signal-cli/releases/latest | sed -e 's/^.*\/v//')
curl -L -O "https://github.com/AsamK/signal-cli/releases/download/v${VERSION}/signal-cli-${VERSION}-Linux-native.tar.gz"
sudo tar xf "signal-cli-${VERSION}-Linux-native.tar.gz" -C /opt
sudo ln -sf /opt/signal-cli /usr/local/bin/
JVM build (wider compatibility):
VERSION=$(curl -Ls -o /dev/null -w %{url_effective} https://github.com/AsamK/signal-cli/releases/latest | sed -e 's/^.*\/v//')
curl -L -O "https://github.com/AsamK/signal-cli/releases/download/v${VERSION}/signal-cli-${VERSION}.tar.gz"
sudo tar xf "signal-cli-${VERSION}.tar.gz" -C /opt
sudo ln -sf "/opt/signal-cli-${VERSION}/bin/signal-cli" /usr/local/bin/
Verify the installation:
signal-cli --version
One operational detail that matters: the native build starts in under a second, while the JVM build takes 3 to 8 seconds for cold starts. If you use the JVM build and auto-spawn mode, your first message after a period of inactivity will have a noticeable delay. We cover how to avoid this with daemon mode in the performance section below.
Step 2: Register or Link a Phone Number
You have two paths. Choose based on whether you want a dedicated bot number or want to use your existing Signal account.
Path A: Link Your Personal Signal Account (QR Code)
This is the faster option. OpenClaw operates as a secondary device on your existing Signal account, similar to how Signal Desktop works.
signal-cli link -n "OpenClaw"
This prints a QR code in your terminal. On your phone:
- Open Signal
- Go to Settings then Linked Devices
- Tap Link New Device
- Scan the terminal QR code
After linking, signal-cli can send and receive messages using your account. The agent shares your phone number and identity.
Tradeoff: This approach is simpler but means the AI agent is you as far as other Signal users can see. Messages from the agent appear to come from your personal number.
Path B: Register a Dedicated Bot Number (SMS)
For production use or if you want the agent to have its own identity, register a separate number.
You need a phone number that can receive SMS. Options include a prepaid SIM, Google Voice, Twilio, or any VoIP service that supports SMS delivery. Some VoIP providers block Signal verification, so have a backup option ready.
signal-cli -a +15551234567 register
If Signal requires a captcha (it usually does on servers):
- Open
https://signalcaptchas.org/registration/generate.htmlin a browser - Complete the captcha challenge
- Copy the
signalcaptcha://URL from the result - Run the registration from the same IP address:
signal-cli -a +15551234567 register --captcha 'signalcaptcha://signal-recaptcha-v2.your-token-here'
When the SMS arrives with your verification code:
signal-cli -a +15551234567 verify 123456
Critical warning: Registering a phone number with signal-cli will de-authenticate any existing Signal app session on that number. Do not register your primary personal number this way unless you intend to stop using Signal on your phone. Use Path A (link) if you want to keep your phone app running.
Step 3: Configure OpenClaw
Open your openclaw.json configuration file. The default location is ~/.openclaw/openclaw.json.
Add the Signal channel block inside the channels section:
{
channels: {
signal: {
enabled: true,
account: "+15551234567",
cliPath: "signal-cli",
dmPolicy: "pairing",
allowFrom: [],
},
},
}
Replace +15551234567 with the phone number you registered or linked in Step 2.
Here is what each setting controls:
| Setting | Value | What It Does |
|---|---|---|
enabled | true | Activates the Signal channel |
account | "+15551234567" | The bot’s phone number in E.164 format |
cliPath | "signal-cli" | Path to the signal-cli binary |
dmPolicy | "pairing" | Unknown senders get a pairing code; messages ignored until approved |
allowFrom | [] | Phone numbers or UUIDs permitted to DM the agent |
We recommend starting with dmPolicy: "pairing" rather than "allowlist". The pairing flow lets new users send a message, receive a one-time code, and get approved via the CLI. This is more flexible during testing than manually adding numbers to an allowlist.
Restart the gateway to apply the configuration:
openclaw gateway restart
Verify the channel is active:
openclaw channels status --probe
You should see Signal listed as connected. If not, run openclaw doctor for diagnostics.
Step 4: Approve Pairing and Test
Send a message from your phone’s Signal app to the bot’s number (or to yourself if you used Path A). Type anything:
“Hello, are you there?”
If you set dmPolicy: "pairing", the agent will reply with a pairing code instead of a normal response. This is expected. Copy the code and approve it from your terminal:
openclaw pairing list signal
openclaw pairing approve signal YOUR_PAIRING_CODE
Pairing codes expire after one hour. After approval, send another message. This time the agent should respond normally.
Test a few different interaction types:
- Text: “What can you help me with?”
- Follow-up: Ask a question that references the previous answer to verify conversation context is working
- Media: Send an image and ask “Describe what you see” (requires a vision-capable model like GPT-5 or Claude Opus 4.6)
If the agent does not respond at all, check the troubleshooting section below.
Running signal-cli as a Daemon (Recommended)
By default, OpenClaw spawns signal-cli on demand. This works but creates a cold start delay: the JVM build takes 3 to 8 seconds to start, which means your first message after idle time gets a slow response.
The fix is running signal-cli as a persistent daemon and pointing OpenClaw to it:
Start the daemon:
signal-cli -a +15551234567 daemon --http 127.0.0.1:8080
Or create a systemd service for automatic startup:
[Unit]
Description=signal-cli daemon
After=network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/signal-cli -a +15551234567 daemon --http 127.0.0.1:8080
Restart=on-failure
RestartSec=10
[Install]
WantedBy=default.target
Update your OpenClaw configuration to connect to the daemon:
{
channels: {
signal: {
enabled: true,
account: "+15551234567",
httpUrl: "http://127.0.0.1:8080",
autoStart: false,
},
},
}
Setting autoStart: false tells OpenClaw not to spawn its own signal-cli process. Instead, it connects to the daemon you started separately. Response time for the first message drops from seconds to milliseconds.
Configuring Group Access
Signal group support in OpenClaw is more granular than most guides explain. Here is how to set it up properly.
Update your configuration:
{
channels: {
signal: {
enabled: true,
account: "+15551234567",
cliPath: "signal-cli",
dmPolicy: "pairing",
allowFrom: ["+15551234567"],
groupPolicy: "allowlist",
groupAllowFrom: ["+15551234567", "+15559876543"],
},
},
}
In groups, the agent only responds when mentioned by name or when someone replies directly to one of its messages. The groupAllowFrom list controls which group members can trigger the agent. People not on the list are ignored even if they mention it.
For per-group overrides (different tools or policies per group), use the groups configuration block:
{
channels: {
signal: {
groups: {
"*": {
requireMention: true,
},
},
},
},
}
After updating, restart the gateway:
openclaw gateway restart
Signal vs Telegram vs WhatsApp for OpenClaw
This is the section most setup guides skip. Here is an honest comparison based on running all three channels.
| Factor | Signal | Telegram | |
|---|---|---|---|
| Setup time | 30-60 minutes | 5 minutes | 10 minutes |
| Encryption | End-to-end (Signal Protocol) | Server-side only for bots | End-to-end (Signal Protocol) |
| Bot identity | Shares your number (link) or dedicated number | Dedicated bot username | Shares your number |
| Bot API | None (requires signal-cli bridge) | Official Bot API | None (uses linked device protocol) |
| Group support | Works, requires mention | Full featured with admin controls | Works, requires mention |
| Max group size | 1,000 | 200,000 | 1,024 |
| Maintenance | Must keep signal-cli updated | Minimal | Periodic QR re-scan |
Choose Signal when:
- End-to-end encryption is a requirement, not a nice-to-have
- You work in healthcare, legal, finance, or any domain where message privacy is non-negotiable
- You want your AI interactions to be genuinely private from the messaging platform itself
- You are comfortable with more complex setup and ongoing maintenance
Choose Telegram when:
- You want the fastest, simplest setup
- You need a dedicated bot identity with its own username
- You want rich group features (threads, admin controls, large groups)
- Encryption of bot messages is not a priority
Choose WhatsApp when:
- The people you want to share the agent with already use WhatsApp
- You need voice note input (most natural on WhatsApp)
- You want end-to-end encryption with easier setup than Signal
You can run all three simultaneously. Many users keep Telegram for daily power use, Signal for sensitive conversations, and WhatsApp for sharing the agent with family or clients.
Security: What Signal Access Means
Signal’s privacy model is the reason to choose this channel, but the setup introduces nuances worth understanding.
End-to-end encryption is preserved between devices. Messages between your phone and the bot travel through the Signal Protocol. No one, including Signal’s servers, can read them in transit.
The AI model does see your messages in plaintext. Once OpenClaw receives a decrypted message, it sends the text to your configured LLM (GPT-5, Claude Opus, Gemini) for processing. The encryption protects the transport layer, not the AI inference step. If this matters to you, consider running a local model through Ollama instead of a cloud API.
signal-cli stores cryptographic keys locally. The key material lives at ~/.local/share/signal-cli/data/ by default. Back up this directory before server migrations. Losing it means re-registering the account.
Secondary device access grants broad permissions. If you used Path A (link), OpenClaw can read messages from all your Signal conversations, not just ones directed at the agent. It only responds to authorized senders, but it reads everything for context. Keep this in mind if you have sensitive Signal conversations you do not want processed by an AI model.
Recommendations:
- Use a dedicated bot number (Path B) for production deployments
- Store API keys in
.envfiles, never in workspace files - Run
openclaw doctorperiodically to verify channel health - Back up
~/.local/share/signal-cli/data/regularly
Troubleshooting
| Symptom | Likely Cause | Fix |
|---|---|---|
| QR code does not appear during linking | signal-cli not installed or not in PATH | Run which signal-cli and verify installation |
| QR code appears but scanning fails | Code expired (they last about 60 seconds) | Re-run signal-cli link -n "OpenClaw" |
| Captcha required during registration | Server-side registration detected | Complete captcha at signalcaptchas.org and pass the token |
| SMS verification code never arrives | VoIP number blocked by Signal | Try a different number or use voice verification with --voice flag |
| No response after pairing | Gateway not running or channel not enabled | Run openclaw gateway and check openclaw channels status --probe |
| Agent does not reply to DMs | Sender not in allowlist and pairing not approved | Run openclaw pairing list signal and approve pending codes |
| Slow first response after idle | JVM cold start (signal-cli not running as daemon) | Switch to daemon mode as described above |
| ”Failed to send message” errors | signal-cli version mismatch with Signal servers | Update signal-cli to the latest release |
| Group messages ignored | groupPolicy set to "disabled" | Update to "allowlist" and configure groupAllowFrom |
Signal missing from openclaw doctor output | channels.signal.enabled is false or missing | Verify your configuration and restart the gateway |
For deeper diagnostics:
openclaw status
openclaw logs --follow
pgrep -af signal-cli
Frequently Asked Questions
Can I use my personal Signal number or do I need a separate one?
Both options work but they serve different purposes. Linking your personal account (Path A) is faster and lets you keep using Signal on your phone simultaneously. Registering a dedicated number (Path B) gives the agent its own identity but de-authenticates any existing Signal session on that number. For personal use, Path A is simpler. For production or team deployments, Path B avoids confusion about who is sending messages.
Do VoIP numbers like Google Voice work for Signal registration?
Most VoIP numbers work, but some providers block SMS from Signal’s verification service. Google Voice, Twilio, and most prepaid SIM cards are reliable options. If SMS verification fails, try the --voice flag to receive a phone call with the code instead. Have a backup number ready in case your first choice does not work.
How does Signal privacy compare to Telegram for an AI agent?
Signal encrypts messages end-to-end using the Signal Protocol. When you message your OpenClaw agent on Signal, not even Signal’s servers can read the content. Telegram bots use server-side encryption only, which means Telegram can read bot messages. You pay for that privacy in setup time: Telegram gives you a bot token in two minutes, while Signal requires installing signal-cli and handling registration manually.
Can I run Signal and Telegram channels at the same time?
Yes. Add both signal and telegram blocks to the channels section of your openclaw.json. OpenClaw handles each channel independently with its own access controls and conversation history. Messages from Signal and Telegram do not cross over.
Is my data still encrypted when OpenClaw processes my messages?
The Signal Protocol encrypts messages in transit between your phone and the server running signal-cli. Once OpenClaw receives the decrypted message, it sends the text to your configured AI model (GPT-5, Claude Opus, etc.) over HTTPS. The AI provider processes your message in plaintext. For maximum privacy, pair Signal with a locally-hosted model through Ollama so your messages never leave your server.
Key Takeaways
- Signal is the most private OpenClaw channel but requires installing signal-cli as a bridge since Signal has no official bot API
- Choose Path A (QR link) for quick personal setup or Path B (dedicated number) for production deployments
- Run signal-cli as a daemon to eliminate cold start delays on first messages
- Signal provides end-to-end encryption for the transport layer, but your AI model still sees messages in plaintext at inference time
- Start with
dmPolicy: "pairing"and expand access gradually once you verify the setup works
SFAI Labs
