diff --git a/docs/gateway/security/index.md b/docs/gateway/security/index.md index 1a1cdd2510b..f8a3cfcdb47 100644 --- a/docs/gateway/security/index.md +++ b/docs/gateway/security/index.md @@ -98,7 +98,7 @@ Use this when auditing access or deciding what to back up: - **Telegram bot token**: config/env or `channels.telegram.tokenFile` - **Discord bot token**: config/env (token file not yet supported) - **Slack tokens**: config/env (`channels.slack.*`) -- **Pairing allowlists**: `~/.openclaw/credentials/-allowFrom.json` +- **Pairing allowlists**: `~/.openclaw/credentials/-allowFrom.json` or `~/.openclaw/credentials/--allowFrom.json` - **Model auth profiles**: `~/.openclaw/agents//agent/auth-profiles.json` - **Legacy OAuth import**: `~/.openclaw/credentials/oauth.json` @@ -351,7 +351,7 @@ If you run multiple accounts on the same channel, use `per-account-channel-peer` OpenClaw has two separate “who can trigger me?” layers: - **DM allowlist** (`allowFrom` / `channels.discord.allowFrom` / `channels.slack.allowFrom`; legacy: `channels.discord.dm.allowFrom`, `channels.slack.dm.allowFrom`): who is allowed to talk to the bot in direct messages. - - When `dmPolicy="pairing"`, approvals are written to `~/.openclaw/credentials/-allowFrom.json` (merged with config allowlists). + - When `dmPolicy="pairing"`, approvals are written to `~/.openclaw/credentials/-allowFrom.json` or `~/.openclaw/credentials/--allowFrom.json` for account-scoped channels (merged with config allowlists). - **Group allowlist** (channel-specific): which groups/channels/guilds the bot will accept messages from at all. - Common patterns: - `channels.whatsapp.groups`, `channels.telegram.groups`, `channels.imessage.groups`: per-group defaults like `requireMention`; when set, it also acts as a group allowlist (include `"*"` to keep allow-all behavior).
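Review bot: In the first hunk (the **Pairing allowlists** bullet of the credential inventory), the added second path carries no hint of when it applies, whereas the second hunk qualifies the same path with "for account-scoped channels". This list is what readers use when auditing access or deciding what to back up, so add the same qualifier here and state whether both files can exist side by side, otherwise one of them is easy to miss in an audit. Also, as shown in this diff the two paths differ only by one extra hyphen (`-allowFrom.json` vs `--allowFrom.json`); confirm the placeholder segments survive rendering, since without them the two entries are nearly indistinguishable.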
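Review bot: In the second hunk (the `dmPolicy="pairing"` sub-bullet), the phrase "or ... for account-scoped channels (merged with config allowlists)" is ambiguous: it is unclear whether the qualifier applies only to the second path, and whether the parenthetical merge covers one file or both. Suggest splitting it into one clause per path and stating explicitly whether approvals in the unscoped file are still honoured for an account-scoped channel, because that determines which files have to be edited to revoke a pairing.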