status: unresolved SecretRef for Telegram botToken while doctor reports Telegram OK

[elvio-devaware]

Summary

openclaw status fails with:

channels.telegram.botToken: unresolved SecretRef "env:default:TELEGRAM_BOT_TOKEN"

…even when the Telegram channel is healthy and openclaw doctor reports Telegram: ok.

Environment

• OpenClaw: 2026.3.2 (85377a2)
• Host: Linux (systemd user service)
• Channel config includes:
  • channels.telegram.enabled: true
  • channels.telegram.botToken: "${TELEGRAM_BOT_TOKEN}"
• TELEGRAM_BOT_TOKEN exists in ~/.openclaw/.env and matches Telegram token format.

Repro

1. Set Telegram token via env SecretRef (${TELEGRAM_BOT_TOKEN})
2. Ensure gateway is running and Telegram is connected
3. Run:
   • openclaw doctor ✅ shows Telegram: ok (@...bot)
   • openclaw gateway status ✅ healthy
   • openclaw status ❌ fails with unresolved SecretRef error

Observed behavior

status appears to resolve SecretRef on a path that does not use the active resolved runtime snapshot, causing a false unresolved error for an active, healthy channel.

Expected behavior

openclaw status should either:

1. Use the active runtime snapshot (same effective data path as doctor), or
2. Fall back gracefully when runtime already has resolved secrets.

Notes

• openclaw secrets reload does not change outcome.
• openclaw secrets audit reports unresolved=0.
• This makes status unreliable as a health command in this configuration.

[samersaibot]

Adding a consolidated macOS restart repro + diagnostics from a real operator environment (on behalf of @samerGMTM22, who repeatedly hit this in production use).

Environment

• OpenClaw: 2026.3.2
• OS: macOS 26.3 (arm64)
• Channel: Telegram
• Token configured via SecretRef:
  • channels.telegram.botToken = { source: "env", provider: "runtime", id: "TELEGRAM_BOT_TOKEN" }

Observed behavior

After restart, openclaw status (plain) fails with unresolved SecretRef for Telegram bot token, while other runtime/channel checks are healthy.

Failing path

• openclaw status
• Error: channels.telegram.botToken: unresolved SecretRef "env:runtime:TELEGRAM_BOT_TOKEN"

Healthy paths at same time

• openclaw gateway health => OK
• openclaw channels status --probe => Telegram OK
• openclaw secrets audit --check => unresolved=0
• openclaw status --all => works

This appears to be a status-path-specific SecretRef resolution inconsistency (false negative), not an actual Telegram channel/runtime outage.

Additional diagnostics we confirmed

1. Token quoting can independently cause Telegram API 404 loops if env value is wrapped in literal quotes ("...").
2. Canonical env source setup matters for reboot consistency (avoid launchctl drift/overrides and keep one canonical source).
3. Even after runtime/channel health is restored, plain status can continue to false-fail on this version.

Why this matters

Operators use openclaw status as first-line health command. A false unresolved SecretRef error after reboot looks like a hard outage and triggers unnecessary recovery actions.

Request

Please make status use the same effective SecretRef resolution context as the healthy paths (gateway/channel probe/audit) or gracefully degrade when runtime snapshot is healthy.

Happy to provide sanitized log snippets if needed.

[newcodebook]

This smells like a status-path-only false negative (SecretRef resolution not consulting the active runtime snapshot), especially since:

• doctor / channels status --probe are OK
• secrets audit shows unresolved=0
• status --all works

Operationally, the safest workaround right now is to treat these as your “truth sources” until the bug is fixed:

1. Use status --all (or status --deep) for scripted/CI health checks:

openclaw status --all
# or
openclaw status --deep

2. For Telegram specifically:

openclaw channels status --probe

If you must make plain openclaw status succeed today, the only reliable workaround is to avoid SecretRef on the code path it’s failing to resolve (for example, temporarily pinning the token in a secrets backend that status can read consistently), but I’d keep that as a last resort since your runtime is already healthy.

Further reading (CoClaw):

• https://coclaw.com/guides/openclaw-configuration
• https://coclaw.com/openclaw-config-generator

[samersaibot]

Closing as resolved on our side after applying the Mac Studio restart fix and re-validating behavior. Everything is stable now in our setup. Thank you.

[samersaibot]

Resolved with our fix on Mac Studio; happy to reopen if reproducible on current versions.

[Sid-Qin]

Submitted a fix in #34726.

Root cause: openclaw status reads channel token config before SecretRefs are resolved (resolution happens in the gateway process). The strict normalizeSecretInputString throws on unresolved SecretRef objects, crashing status. Meanwhile openclaw doctor probes the running gateway where secrets are already resolved, so it reports OK.

Fix: Added normalizeSecretInputStringTolerant that returns undefined instead of throwing for unresolved SecretRefs. Used it in Telegram/Discord/Slack token resolution so status degrades gracefully — shows "none" or falls back to env vars instead of crashing.

[elmhp]

Confirming this on OpenClaw v2026.3.2 with a clean SecretRef migration.

What I tested

1) Top-level Telegram SecretRef

"channels": {
  "telegram": {
    "enabled": true,
    "botToken": {
      "source": "file",
      "provider": "local_file",
      "id": "/telegram/botToken"
    }
  }
}

2) Account-level Telegram SecretRef

"channels": {
  "telegram": {
    "enabled": true,
    "accounts": {
      "default": {
        "botToken": {
          "source": "file",
          "provider": "local_file",
          "id": "/telegram/botToken"
        }
      }
    }
  }
}

Commands + results

• openclaw config validate ✅
• openclaw secrets reload --json --expect-final --timeout 60000 ✅
• openclaw secrets audit ✅ (plaintext=0, unresolved=0)
• openclaw status --json ❌

Error for top-level:
channels.telegram.botToken: unresolved SecretRef "file:local_file:/telegram/botToken"

Error for account-level:
channels.telegram.accounts.default.botToken: unresolved SecretRef "file:local_file:/telegram/botToken"

Workaround that works

Using:

"channels": {
  "telegram": {
    "enabled": true,
    "tokenFile": "/home/<user>/.openclaw/credentials/telegram-bot-token.txt"
  }
}

Then openclaw status --json succeeds and Telegram starts normally.

Notes

• Gateway service is on v2026.3.2 and uses dist/index.js.
• This looks like inconsistency between SecretRef resolution paths (secrets audit/reload vs status/telegram resolver).

[joshavant]

Thanks for the report and the work here. This was addressed as part of a broader fix in #37023, which consolidated the related read-only SecretRef/status handling work into one implementation.

I’m closing this out as superseded by #37023 so the follow-up history stays in one place.