Daevix Docs

Using the CLI

Set Up OpenClaw with z.ai

Open as Markdown

Deploy an OpenClaw agent that uses z.ai as the LLM inference provider, routed transparently through the platform's LLM proxy.

This guide walks you through deploying an OpenClaw agent on Daevix that uses z.ai as its LLM inference provider. The platform’s network proxy transparently intercepts LLM traffic and routes it through the LLM proxy, which handles credential injection and audit logging.

The agent itself is configured to speak the Anthropic API protocol. The platform handles the rest - the agent never sees the real z.ai API key or knows it’s talking to z.ai instead of Anthropic.

Prerequisites

  • The dvx CLI installed and signed in - see the Quickstart.
  • The dvxir-openclaw agent template available to you.
  • A z.ai API key.
  • A Telegram bot token from @BotFather (if using Telegram).

How It Works

OpenClaw → api.anthropic.com → Netproxy → LLM Proxy → api.z.ai
                                                    ← response
                               Netproxy ← LLM Proxy
OpenClaw ←
  1. OpenClaw sends requests to api.anthropic.com using the standard Anthropic SDK
  2. The netproxy intercepts the TLS connection (MITM) and recognizes it as an LLM provider
  3. The netproxy forwards matching requests (POST /v1/messages) to the LLM proxy
  4. The LLM proxy replaces the agent’s dummy API key with the real z.ai key
  5. The LLM proxy forwards to api.z.ai/api/anthropic/v1/messages (z.ai’s Anthropic-compatible endpoint)
  6. The response flows back through the same path to the agent

Both hops are audit-logged with a shared correlation ID (request_id), so you can trace any request from the agent’s original call through to the upstream response.

Step 1: Create the agent

Create the agent from the dvxir-openclaw template on one of your enclaves (the enclave is the broker component in the CLI):

dvx broker list
dvx agent create openclaw-bot --template dvxir-openclaw --broker-id <id>

Step 2: Configure Network Policies

The netproxy uses default-deny for agent egress. You need to allow the hosts OpenClaw will connect to.

# Allow Telegram Bot API (if using Telegram)
dvx policy destination add-rule --action allow --host "api.telegram.org" --port 443

# Allow z.ai (required even though traffic is intercepted - the policy
# check happens before LLM routing)
dvx policy destination add-rule --action allow --host "api.z.ai" --port 443

These are org-level rules - they apply to all agents in the organization.

Step 3: Configure the LLM Proxy

Set the downstream URL to z.ai’s Anthropic-compatible endpoint and enable platform credential injection:

# Route LLM traffic to z.ai (org-level, one-time setup)
dvx config set llmproxy downstream_url --value "https://api.z.ai/api/anthropic"

# Inject platform-managed credentials instead of forwarding the agent's key
dvx config set llmproxy credential_mode --value "platform"

These settings apply to all agents in the organization. Per-agent overrides are also supported via the config API.

Step 4: Set the z.ai API Key

Store the z.ai API key as an agent secret. The LLM proxy retrieves this key at request time and injects it into the upstream request.

dvx agent secret set openclaw-bot "agent:llmproxy.llm.api_key" --value "<your-z.ai-api-key>"

To share a single key across all agents, set it at the org level instead:

dvx secret set "llmproxy:llm.api_key" --value "<your-z.ai-api-key>"

The proxy checks the agent-level secret first and falls back to the org-level secret.

Step 5: Configure OpenClaw

Once the agent is provisioned and running, SSH in to configure OpenClaw:

dvx agent ssh openclaw-bot

Inside the agent, configure OpenClaw to use the Anthropic provider with any API key (it will be replaced by the platform):

openclaw configure

When prompted:

  • Model: Select anthropic/claude-sonnet-4-6 (or your preferred model)
  • API key: Enter any value (e.g., placeholder) - the platform replaces it

Configure Telegram

If using Telegram as a channel:

openclaw channel add telegram

When prompted, enter the bot token from @BotFather.

Step 6: Verify

Send a message to your Telegram bot. Then check the audit logs to confirm the full flow:

# Network audit - shows what the agent requested
dvx audit network --since 5m --hostname api.anthropic.com

# LLM audit - shows where it was sent and what model responded
dvx audit llm --since 5m

Both records share a REQUEST column (truncated correlation ID). Use --json for the full request_id to join them:

# Network audit
ID   AGENT         REQUEST   HOSTNAME           METHOD  PATH          OUTCOME
820  openclaw-bot  a774a189  api.anthropic.com  POST    /v1/messages  completed

# LLM audit
ID  AGENT         REQUEST   DOWNSTREAM  MODEL              IN   OUT  STATUS
8   openclaw-bot  a774a189  api.z.ai    claude-sonnet-4-6  245  13   200

Troubleshooting

“Upstream request failed” (502)

The netproxy couldn’t forward to the LLM proxy. The netproxy and LLM proxy run on the managed enclave, so a persistent 502 is usually platform-side - confirm the failure with dvx audit network --since 5m and contact Daevix support if it continues.

“no LLM API credential configured”

The LLM proxy couldn’t find an API key. Verify:

  • credential_mode is set to platform: dvx config list --service llmproxy
  • The agent secret exists: dvx agent secret list openclaw-bot
  • Or an org-level secret exists: dvx secret list

Agent traffic blocked

The destination policy is blocking egress. Check blocked requests:

dvx audit network --outcome denied --since 1h

Add allow rules for any missing hosts.

“authentication_error: invalid x-api-key”

The z.ai API key is invalid or expired. Rotate it:

dvx agent secret set openclaw-bot "agent:llmproxy.llm.api_key" --value "<new-key>"

Model mismatch in audit logs

The LLM audit may show a different model name than what the agent requested (e.g., glm-4.7 instead of claude-sonnet-4-6). This is expected - z.ai maps Anthropic model names to their own model fleet. The model field in the audit log reflects what z.ai actually used.