Overview
The LogLife plugin registers six HTTP routes on the OpenClaw gateway:

| Endpoint | Method | Purpose |
|---|---|---|
| /loglife/sessions | GET | Look up session data by phone, session ID, or key |
| /loglife/verify/send | POST | Send a 6-digit verification code via WhatsApp |
| /loglife/verify/check | POST | Validate a verification code |
| /loglife/register | POST | Register a new user in the multi-user configuration |
| /loglife/unregister | POST | Remove a user from the multi-user configuration |
| /loglife/users | GET | List currently registered users (monitoring/testing) |

Authentication
All endpoints require a Bearer token in the Authorization header:
~/.openclaw/openclaw.json under plugins.entries.loglife.config.apiKey. Generate one with:
Architecture
The API runs inside the OpenClaw gateway process — there is no separate service. The LogLife dashboard (hosted on Vercel) calls these endpoints through its own Next.js API routes, which add the Bearer token server-side. End users never interact with the plugin API directly.
User registration flow
In V1, registration happens before code verification:
- Dashboard calls /loglife/register with the user’s phone number
- Plugin adds the user to the multi-user config and updates gateway config
- Dashboard calls /loglife/verify/send with the same phone number
- Plugin sends a 6-digit code via WhatsApp
- User enters the code on the dashboard
- Dashboard calls /loglife/verify/check to validate the code
- The user can now send messages to the bot via WhatsApp
Security model
- Bearer token auth on every request (timing-safe comparison)
- Clerk auth on the Next.js proxy layer (only logged-in users)
- Rate limiting on verification code sends (1 per phone per 60s)
- Single-use codes deleted immediately after successful verification
- 5-minute TTL on verification codes
- Idempotent registration — registering an already-registered phone returns success without duplicating
- Idempotent unregistration — unregistering an unknown phone returns removed: false
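
The sketch below shows how the token comparison, the send rate limit, the TTL and the single-use rule listed above fit together. It is an added example, not the LogLife plugin's code: checkBearer, safeEqual and VerificationStore are hypothetical names, and the in-memory maps and injectable clock are assumptions made so it runs stand-alone.

```javascript
// Added example, not the plugin's implementation. All names are hypothetical.
const crypto = require("node:crypto");

const CODE_TTL_MS = 5 * 60 * 1000; // 5-minute TTL (from the page)
const SEND_WINDOW_MS = 60 * 1000;  // 1 send per phone per 60s (from the page)

// Hash both sides first: timingSafeEqual throws on unequal lengths, and
// fixed-length digests keep the compare time independent of the input.
function safeEqual(a, b) {
  const ha = crypto.createHash("sha256").update(String(a)).digest();
  const hb = crypto.createHash("sha256").update(String(b)).digest();
  return crypto.timingSafeEqual(ha, hb);
}

function checkBearer(authorizationHeader, apiKey) {
  const m = /^Bearer (.+)$/.exec(authorizationHeader || "");
  return m !== null && safeEqual(m[1], apiKey);
}

class VerificationStore {
  constructor(now = Date.now) {
    this.now = now;            // injectable clock (assumption, for testing)
    this.codes = new Map();    // phone -> { code, expiresAt }
    this.lastSend = new Map(); // phone -> time of last send
  }

  // Returns the code to deliver, or null when the phone is rate limited.
  issue(phone) {
    const t = this.now();
    const last = this.lastSend.get(phone);
    if (last !== undefined && t - last < SEND_WINDOW_MS) return null;
    const code = String(crypto.randomInt(0, 1000000)).padStart(6, "0");
    this.codes.set(phone, { code, expiresAt: t + CODE_TTL_MS });
    this.lastSend.set(phone, t);
    return code;
  }

  // The page lists no attempt limit, so wrong guesses are not counted here.
  check(phone, submitted) {
    const entry = this.codes.get(phone);
    if (!entry) return false;
    if (this.now() >= entry.expiresAt) {
      this.codes.delete(phone); // expired: discard
      return false;
    }
    if (!safeEqual(submitted, entry.code)) return false;
    this.codes.delete(phone);   // single use: delete on success
    return true;
  }
}
```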