ArmorIQ Plugin Setup

Enable the ArmorIQ plugin and configure policy-based intent verification for your OpenClaw agent.

What ArmorIQ Does

The ArmorIQ plugin provides:

Intent Token Verification: Cryptographic proof that each tool call was planned
Policy Enforcement: Allow/block tools based on configurable policies
Step-by-Step Verification: Each action verified before execution
Audit Trail: Complete logging of all verified actions
Natural Language Policy Management: Create/update policies via chat

Plugin Setup Steps

Verify Plugin Files

Check that the ArmorIQ plugin exists in your installation:

ls -la extensions/armoriq/

Expected files:

extensions/armoriq/
├── index.ts                 # Plugin entry point
├── src/
│   └── iap-verfication.service.ts  # IAP service
├── openclaw.plugin.json     # Plugin metadata
└── package.json            # Dependencies

Check Plugin Metadata

View the plugin configuration schema:

cat extensions/armoriq/openclaw.plugin.json

{
  "name": "armoriq",
  "version": "2026.2.2",
  "description": "ArmorIQ intent verification plugin",
  "main": "index.ts",
  "hooks": [
    "before_tool_call",
    "after_tool_call",
    "on_plan_created"
  ]
}

Enable Plugin in Config

Ensure the ArmorIQ plugin is enabled in ~/.openclaw/openclaw.json:

{
  "plugins": {
    "enabled": true,
    "entries": {
      "armoriq": {
        "enabled": true
      }
    }
  }
}

Both plugins.enabled and plugins.entries.armoriq.enabled must be true.

Configure ArmorIQ Settings

Add the full ArmorIQ configuration:

{
  "plugins": {
    "enabled": true,
    "entries": {
      "armoriq": {
        "enabled": true,
        "policyUpdateEnabled": true,
        "policyUpdateAllowList": [
          "YOUR_TELEGRAM_USER_ID",
          "@your_telegram_username",
          "your_telegram_username",
          "telegram:YOUR_TELEGRAM_USER_ID"
        ],
        "apiKey": "ak_live_...",
        "userId": "test-user-001",
        "agentId": "openclaw-agent-001",
        "contextId": "default",
        "endpoints": {
          "iap": "https://customer-iap.armoriq.ai",
          "backend": "https://customer-api.armoriq.ai"
        }
      }
    }
  }
}

Configure Policy Allowlist

The policyUpdateAllowList controls who can manage policies via chat.

Add your Telegram user ID and username:

{
  "policyUpdateAllowList": [
    "YOUR_USER_ID",            // Numeric user ID (e.g., 6193457473)
    "@your_username",          // Username with @
    "your_username",           // Username without @
    "telegram:YOUR_USER_ID",   // Prefixed format
    "agent:main:main",         // Agent access
    "main"                     // Default context
  ]
}

How to find your Telegram User ID:

Message @userinfobot
Send /start
Copy the numeric ID from the response

Verify Endpoints

The ArmorIQ plugin connects to two production services:

Endpoint	URL	Purpose
IAP	`https://customer-iap.armoriq.ai`	Issues intent tokens with cryptographic proofs and verifies tool calls
Backend	`https://customer-api.armoriq.ai`	Manages policies, API keys, and audit logs

Verification happens directly in the plugin using the IAP service. No proxy is required.

Do not change these URLs unless you're using a custom ArmorIQ deployment.

Configuration Reference

Full Plugin Config

{
  "plugins": {
    "enabled": true,
    "entries": {
      "armoriq": {
        "enabled": true,
        "policyUpdateEnabled": true,
        "policyUpdateAllowList": ["user-id", "@username"],
        "apiKey": "ak_live_...",
        "userId": "unique-user-id",
        "agentId": "unique-agent-id",
        "contextId": "default",
        "endpoints": {
          "iap": "https://customer-iap.armoriq.ai",
          "backend": "https://customer-api.armoriq.ai"
        }
      }
    }
  }
}

Config Field Reference

Field	Type	Required	Description
`enabled`	boolean	Yes	Enable/disable the plugin
`policyUpdateEnabled`	boolean	Yes	Allow policy management via chat
`policyUpdateAllowList`	string[]	Yes	Users allowed to manage policies
`apiKey`	string	Yes	ArmorIQ API key (`ak_live_...`)
`userId`	string	Yes	Unique identifier for this user context
`agentId`	string	Yes	Unique identifier for this agent
`contextId`	string	No	Context scope (default: "default")
`endpoints.iap`	string	Yes	IAP service URL (issues tokens & verifies steps)
`endpoints.backend`	string	Yes	Backend API URL (policies & audit)

Policy Management

Policy Commands

Once configured, you can manage policies via Telegram:

Command	Description
`Policy list`	Show all active policies
`Policy get policy1`	Get details of a policy
`Policy new: block write_file for payment data`	Create a new policy
`Policy update policy1: allow write_file`	Update a policy
`Policy delete policy1`	Delete a policy
`Policy reset`	Reset all policies to default
`Policy prioritize policy1 2`	Move policy to position 2 (reorder priority)
`Policy help`	Show all available policy commands

Example Policy Commands

List current policies:

Policy list

Create a blocking policy:

Policy new: block upload_file for payment data

Create an allow policy:

Policy new: allow write_file to aiqdemo/

Update policy:

Policy update policy1: allow read_file for all

Delete policy:

Policy delete policy1

Reorder policy priority:

Policy prioritize policy1 1

This moves policy1 to position 1 (highest priority, evaluated first).

Verify Plugin Startup

After configuration, check that the plugin initializes correctly:

# Start gateway and check logs
node scripts/run-node.mjs --dev gateway &

# Check for ArmorIQ initialization
grep -E "ArmorIQ|armoriq" /tmp/openclaw/openclaw-*.log

Expected log output:

ArmorIQ SDK initialized: mode=production, user=test-user-001, 
  agent=openclaw-agent-001, iap=https://customer-iap.armoriq.ai,
  backend=https://customer-api.armoriq.ai, api_key=***
[plugins] IAP Verification Service initialized - Base URL: https://customer-api.armoriq.ai
[plugins] CSRG Verification URL: https://customer-iap.armoriq.ai
[plugins] CSRG /verify/action is ENABLED for cryptographic verification