Asim Hayat

Posted on Mar 7

OpenClaw WhatsApp: How to Lock Your Bot to One Specific Group

#openclaw #tutorial #automation #beginners

The first time I added OpenClaw to a WhatsApp group, it replied to every single message. My friend sent "lol" and the bot wrote a three-paragraph response. Someone shared a meme and it started analyzing the image. My phone was blowing up.

Then people started DMing my number directly because OpenClaw uses your WhatsApp account, not a separate bot number. The bot was happily chatting with complete strangers.

I turned it off within 10 minutes.

The fix took another 10 minutes once I figured out the config. Here's exactly how to lock your OpenClaw bot so it only responds in one specific group, only when mentioned, and ignores everything else.

The Problem: OpenClaw Talks to Everyone

OpenClaw doesn't have its own WhatsApp number. It piggybacks on yours. That means every DM to your number hits the bot, every group you're in becomes a potential chat room, and the bot eats API tokens on messages you never wanted it to see.

If you're running Anthropic's API, that "lol" response probably cost you $0.02. Multiply that by 50 messages in an active group and you're burning through credits for nothing.

The config file that controls all of this lives at ~/.openclaw/openclaw.json. Every change requires a restart:

openclaw restart

Let's lock it down layer by layer.

Layer 1: Lock DMs With allowFrom

First, stop random people from chatting with your bot. The allowFrom field controls who can send DMs:

{
  "channels": {
    "whatsapp": {
      "allowFrom": ["+15551234567"]
    }
  }
}

Only numbers in this array can DM the bot. Everyone else gets ignored. No response, no error message, nothing. The bot just silently drops the message.

Use full international format with the + prefix. If you want to add a second person:

"allowFrom": ["+15551234567", "+15559876543"]

Quick tip: if you don't want to hardcode numbers, use dmPolicy: "pairing" instead. This makes unknown senders receive a pairing code that you have to approve before they can chat:

{
  "channels": {
    "whatsapp": {
      "dmPolicy": "pairing",
      "allowFrom": ["+15551234567"]
    }
  }
}

Pairing requests expire after 1 hour and are capped at 3 pending requests per channel, so nobody can flood your bot with approval requests.

Layer 2: Set Group Policy

Now for groups. OpenClaw has two independent filtering layers for groups, and this is where most people get confused.

groupPolicy controls who can trigger the bot in groups. The groups block controls which groups the bot responds in. They work together but they're configured separately.

Start with groupPolicy. You have two options:

"allowlist" means only senders listed in groupAllowFrom can trigger the bot in any group:

{
  "channels": {
    "whatsapp": {
      "groupPolicy": "allowlist",
      "groupAllowFrom": ["+15551234567"]
    }
  }
}

"open" means anyone in an allowed group can trigger the bot (with mention gating):

{
  "channels": {
    "whatsapp": {
      "groupPolicy": "open"
    }
  }
}

Which one should you use? If it's a personal bot and only you should trigger it, go with "allowlist" and put your number in groupAllowFrom. If it's a team or client bot where multiple people need access, use "open" and rely on group-level controls plus mention gating.

Layer 3: Target One Specific Group

This is the part everyone wants. You need the group's JID (Jabber ID), which looks like 120363407119785089@g.us.

To find your group JID, run this command and then send a message in the target group:

openclaw logs --follow

Watch the logs for a line like:

Inbound message 120363407119785089@g.us -> +15551234567 (group)

That long number before @g.us is your group JID. Copy it.

Now configure the groups block to only allow that specific group:

{
  "channels": {
    "whatsapp": {
      "dmPolicy": "pairing",
      "allowFrom": ["+15551234567"],
      "groupPolicy": "open",
      "groups": {
        "120363407119785089@g.us": {
          "requireMention": true
        }
      }
    }
  }
}

When the groups block exists and doesn't include a "*" wildcard, it acts as an allowlist. Only the groups listed here will get responses. Every other group is silently ignored.

Setting requireMention: true means someone has to @mention the bot or reply to one of its messages before it responds. Without this, the bot replies to every message in the group.

If you want the bot to reply to everything in that one group without needing a mention:

"120363407119785089@g.us": {
  "requireMention": false
}

Only do this for small, private groups. In a 50-person group with requireMention: false, your API bill will be ugly.

The Full Config: One Group, Locked Down

Here's the complete config that locks DMs, targets one group, and requires mentions:

{
  "channels": {
    "whatsapp": {
      "dmPolicy": "pairing",
      "allowFrom": ["+15551234567"],
      "groupPolicy": "open",
      "groups": {
        "120363407119785089@g.us": {
          "requireMention": true
        }
      },
      "ackReaction": {
        "emoji": "👀",
        "direct": true,
        "group": "mentions"
      },
      "sendReadReceipts": true
    }
  },
  "agents": {
    "list": [
      {
        "id": "main",
        "groupChat": {
          "mentionPatterns": ["@openclaw", "openclaw", "@bot"],
          "historyLimit": 50
        }
      }
    ]
  }
}

Let me break down the extras.

ackReaction makes the bot react with 👀 when it receives your message, so you know it's processing. In groups, it only reacts on mentions.

sendReadReceipts shows the blue ticks so you know the bot read the message.

mentionPatterns is the list of words that trigger the bot in groups. Add whatever your team will naturally type. Replying to a bot message also counts as a mention automatically.

historyLimit: 50 means the bot sees the last 50 messages in the group for context, even ones it didn't respond to. Useful for "catch up" questions like "summarize what everyone said."

Known Bug: groupPolicy "allowlist" Can Block Everything

Here's something that tripped me up and has caught others too. If you use groupPolicy: "allowlist" but leave groupAllowFrom empty, all group messages are blocked even if you've configured specific groups in the groups block.

This happens because OpenClaw checks groupAllowFrom first. If it's empty, the message is dropped before it ever reaches the group-level config.

There's an open GitHub issue (#6558) about this. The workaround is simple: use groupPolicy: "open" and let the groups block handle which groups are allowed. That's what I use in my config above.

If you specifically need sender-level filtering in groups where only certain people can trigger the bot, you need to set both:

{
  "groupPolicy": "allowlist",
  "groupAllowFrom": ["+15551234567", "+15559876543"],
  "groups": {
    "120363407119785089@g.us": {
      "requireMention": true
    }
  }
}

Testing It

After saving your config and running openclaw restart, test each layer:

1. DM test. Have a friend who is not in your allowFrom list DM your WhatsApp number. The bot should not respond.

2. Wrong group test. Send a message in a group that is not in your groups config. The bot should ignore it.

3. Right group, no mention. Send a normal message in the target group without mentioning the bot. If requireMention is true, the bot should stay quiet. The message still gets stored for context though.

4. Right group, with mention. Send "@openclaw what's the weather?" in the target group. The bot should respond.

5. Check logs. Run openclaw logs --follow and watch for:

Blocked group message (group not in allowlist)

Skipped (no mention)

These confirm each layer is working.

6. Run the doctor.

openclaw doctor

This surfaces risky or misconfigured DM policies and group settings. If anything looks off, it'll tell you.

Quick Reference

What you want	Config
Only I can DM the bot	`allowFrom: ["+1555..."]`
Unknown people get pairing flow	`dmPolicy: "pairing"`
Bot only active in one group	`groups: { "JID@g.us": { ... } }` (no `"*"` entry)
Bot requires @mention in group	`requireMention: true`
Anyone in the group can trigger	`groupPolicy: "open"`
Only specific people can trigger	`groupPolicy: "allowlist"` + `groupAllowFrom`
Bot reacts when processing	`ackReaction: { emoji: "👀" }`

What's Next

In the next article, I'll cover how to switch AI models in OpenClaw without losing your conversation history. Useful when you want Claude for complex tasks and Gemini Flash for quick replies to save on API costs.