OpenClaw Matrix Integration: Decentralized AI Agent Messaging

If you've been running your AI agent on Slack or Discord, you've been renting. Matrix gives you ownership. Your homeserver, your data, your federation rules — and now your AI agent lives there too.

OpenClaw's Matrix plugin supports DMs, rooms, threads, reactions, polls, media, and full end-to-end encryption. This guide walks through everything: from initial setup to production-hardened configs with E2EE, multi-account routing, and inter-agent communication.

Why Matrix for AI Agents?

Matrix is the only major messaging protocol that's federated, open-source, and end-to-end encrypted by default. For AI agent operators, that matters for three reasons:

• Data sovereignty. Your agent conversations stay on your homeserver. No third-party platform scanning your prompts or responses.
• Federation. Your agent can interact with users across different Matrix homeservers — no single point of control.
• Self-hosted infrastructure. Run Synapse or Conduit on your own hardware. Pair it with OpenClaw on the same box or network. Zero external dependencies.

If you're already running a self-hosted OpenClaw on a VPS, adding Matrix keeps your entire AI stack under your control.

Prerequisites

Before you start:

• OpenClaw installed and running (what is OpenClaw?)
• A Matrix account on any homeserver (matrix.org, your own Synapse, Element, etc.)
• An access token or password for that account

Matrix is a plugin channel — it's not bundled with core OpenClaw. You'll install it first.

Step 1: Install the Matrix Plugin

openclaw plugins install @openclaw/matrix

That's it. The plugin hooks into OpenClaw's channel system automatically. You can also install from a local checkout if you're developing on the plugin itself.

Step 2: Configure Your Matrix Connection

You have two auth options: access token (recommended) or password.

Token-Based Auth (Recommended)

Grab your access token from your Matrix client (Element → Settings → Help & About → Access Token) and configure:

{
  channels: {
    matrix: {
      enabled: true,
      homeserver: "https://matrix.example.org",
      accessToken: "syt_xxx",
      dm: { policy: "pairing" },
    },
  },
}

Password-Based Auth

If you prefer password login, OpenClaw will authenticate and cache the token automatically:

{
  channels: {
    matrix: {
      enabled: true,
      homeserver: "https://matrix.example.org",
      userId: "@bot:example.org",
      password: "your-password-here",
      deviceName: "OpenClaw Gateway",
      dm: { policy: "pairing" },
    },
  },
}

Interactive Setup

Don't want to edit JSON manually? Use the interactive wizard:

openclaw channels add
# Follow the interactive wizard — it asks for:
# - Homeserver URL
# - Auth method (access token or password)
# - User ID (if password auth)
# - Device name
# - E2EE toggle
# - Room access config

The wizard handles normalization, env var detection, and DM allowlist setup. It accepts full Matrix IDs like @user:server directly for allowlists.

You can also use environment variables instead of config values: MATRIX_HOMESERVER, MATRIX_ACCESS_TOKEN, MATRIX_USER_ID, and MATRIX_PASSWORD.

Step 3: Set Up Access Control

Access control is critical — you don't want random Matrix users burning your API credits. Here's a production config with DM pairing, room allowlists, and E2EE:

{
  channels: {
    matrix: {
      enabled: true,
      homeserver: "https://matrix.example.org",
      accessToken: "syt_xxx",
      encryption: true,

      dm: {
        policy: "allowlist",
        allowFrom: ["@admin:example.org"],
      },

      groupPolicy: "allowlist",
      groupAllowFrom: ["@admin:example.org"],
      groups: {
        "!roomid:example.org": {
          requireMention: true,
        },
      },

      autoJoin: "allowlist",
      autoJoinAllowlist: ["!roomid:example.org"],
      threadReplies: "inbound",
    },
  },
}

Key points:

• dm.policy: "allowlist" — only approved Matrix IDs can DM your agent
• groupPolicy: "allowlist" — only approved users can trigger the agent in rooms
• requireMention: true — in rooms, the agent only responds when explicitly mentioned
• autoJoin: "allowlist" — the agent auto-joins only pre-approved rooms
• threadReplies: "inbound" — replies inside threads when the message came from a thread

For a simpler start, use pairing mode for DMs — users request access, you approve:

# List pending pairing requests
openclaw pairing list matrix

# Approve a specific user
openclaw pairing approve matrix <CODE>

If someone messages your agent before approval, OpenClaw reuses the same pending pairing code and sends a reminder instead of minting new codes.

End-to-End Encryption

This is where Matrix shines for AI agent operations. Set encryption: true and your agent's conversations are encrypted end-to-end — even the homeserver admin can't read them.

OpenClaw uses the official matrix-js-sdk Rust crypto path. After enabling encryption, you need to bootstrap cross-signing and verify the device:

# Check verification status
openclaw matrix verify status

# Bootstrap cross-signing
openclaw matrix verify bootstrap

# Verify with recovery key
openclaw matrix verify device "<your-recovery-key>"

# Check room-key backup health
openclaw matrix verify backup status

The bootstrap command handles the full setup: secret storage, cross-signing key upload, device signing, and room-key backup creation. If your homeserver requires interactive auth for cross-signing uploads, OpenClaw tries multiple auth methods automatically (including password auth when configured).

On startup with encryption: true, OpenClaw automatically requests self-verification if the device is unverified. You'll see verification lifecycle notices (emoji SAS, decimal codes) posted directly in the DM verification room.

Tip: Run openclaw matrix verify status --verbose to see full diagnostics including local trust, cross-signing verification, and owner signing status. OpenClaw treats a device as fully verified only when it's verified through cross-signing — local trust alone isn't enough.

Multi-Account Setup

Need separate personas? An assistant account for user interactions and an alerts account for ops notifications? OpenClaw supports multiple Matrix accounts under one gateway:

{
  channels: {
    matrix: {
      enabled: true,
      defaultAccount: "assistant",
      dm: { policy: "pairing" },
      accounts: {
        assistant: {
          homeserver: "https://matrix.example.org",
          accessToken: "syt_assistant_xxx",
          encryption: true,
        },
        alerts: {
          homeserver: "https://matrix.example.org",
          accessToken: "syt_alerts_xxx",
          dm: {
            policy: "allowlist",
            allowFrom: ["@ops:example.org"],
          },
        },
      },
    },
  },
}

Top-level channels.matrix values act as defaults — named accounts override what they need to. Set defaultAccount so OpenClaw knows which account to prefer for implicit routing and CLI operations.

For CLI commands targeting a specific account, pass --account <id>:

openclaw matrix verify status --account alerts

This is powerful for multi-agent team setups — each agent gets its own Matrix identity while sharing one gateway.

Bot-to-Bot Communication

By default, OpenClaw ignores messages from other configured Matrix accounts to prevent loops. But if you want inter-agent communication (e.g., an orchestrator agent coordinating with worker agents), enable it deliberately:

{
  channels: {
    matrix: {
      allowBots: "mentions",
      groups: {
        "!teamroom:example.org": {
          requireMention: true,
        },
      },
    },
  },
}

The "mentions" mode is the safe choice — agents only process messages from other agents when explicitly mentioned. Use strict room allowlists and mention requirements to keep bot-to-bot traffic controlled.

Threads and Session Binding

Matrix threads work natively with OpenClaw's session routing. Three thread modes:

• threadReplies: "off" — all replies go top-level
• threadReplies: "inbound" — replies stay in-thread when the message was threaded (recommended)
• threadReplies: "always" — always replies in a thread rooted at the triggering message

Thread bindings work for Matrix too — /focus, /unfocus, /agents, and thread-bound /acp spawn all function in Matrix rooms and DMs. You can even turn a Matrix room or thread into a durable ACP coding workspace with /acp spawn codex --bind here.

Private/LAN Homeservers

Running Synapse on your local network or Tailscale? OpenClaw blocks private homeservers by default (SSRF protection), but you can opt in:

{
  channels: {
    matrix: {
      homeserver: "http://matrix-synapse:8008",
      allowPrivateNetwork: true,
      accessToken: "syt_internal_xxx",
    },
  },
}

This is perfect for air-gapped or fully self-hosted setups where both OpenClaw and your Matrix homeserver run on the same machine or local network. Prefer https:// whenever possible, even locally.

Device and DM Hygiene

Over time, old OpenClaw-managed Matrix devices accumulate and complicate E2EE trust. Keep things clean:

# List old devices
openclaw matrix devices list

# Clean up stale ones
openclaw matrix devices prune-stale

If DM routing gets out of sync (stale m.direct mappings pointing at old rooms), repair it:

# Inspect DM mapping for a user
openclaw matrix direct inspect --user-id @alice:example.org

# Repair broken DM routing
openclaw matrix direct repair --user-id @alice:example.org

The repair flow picks the healthiest 1:1 DM room and rewrites the mapping. It doesn't delete old rooms — just fixes where new messages route.

Reactions and Acknowledgments

Matrix supports full reaction workflows. Your agent can react to messages, list reactions, and remove its own reactions. Inbound reaction notifications are supported too — by default, OpenClaw forwards reactions on bot-authored messages.

Ack reactions (the emoji your agent sends to confirm it received a message) follow the standard OpenClaw resolution: channel-level override → global messages.ackReaction → agent identity emoji fallback.

Verify Everything Works

After configuration, restart and verify:

# Restart gateway to pick up changes
openclaw gateway restart

# Verify channel is connected
openclaw channels status --probe

# Check Matrix-specific status
openclaw matrix verify status

Then open your Matrix client, start a DM with your agent (or invite it to a room), and send a message. If you're using pairing mode, you'll need to approve the request first with openclaw pairing approve matrix <CODE>.

Troubleshooting

Common issues and fixes:

• Agent not responding in rooms: Check requireMention — if true, you need to @-mention the agent. Also verify groupPolicy and groupAllowFrom include your user ID.
• E2EE messages not decrypting: Run openclaw matrix verify bootstrap --verbose to repair cross-signing state. Check backup health with openclaw matrix verify backup status.
• DM going to wrong room: Use openclaw matrix direct repair --user-id @user:server to fix stale DM mappings.
• Private homeserver blocked: Add allowPrivateNetwork: true to the account config.
• Multiple accounts conflicting: Set defaultAccount and use --account <id> for CLI commands.

For general OpenClaw debugging, check our troubleshooting guide.

What Makes This Different

Most AI agent platforms lock you into their messaging layer. OpenClaw on Matrix gives you:

• Full data ownership — conversations never leave your infrastructure
• Real E2EE — not just TLS in transit, but actual end-to-end encryption with cross-signing verification
• Federation — your agent can interact across homeservers without centralized control
• Multi-account flexibility — different personas, different access policies, one gateway
• Inter-agent coordination — bot-to-bot communication with proper mention gating

If privacy and infrastructure ownership matter to you, Matrix is the channel to run.

---

Ready to go deeper? The OpenClaw Playbook ($9.99) includes the complete Matrix setup with advanced patterns — multi-homeserver federation, encrypted agent teams, room-based workflow routing, and production hardening configs you can deploy tonight.