Skip to main content

Integration Guide

OpenClaw + WHMCS

Connect OpenClaw to WHMCS securely in under 15 minutes

Estimated time: 15 minutes · Transport: STDIO · Security: Read-only recommended

See use cases & examples|All integration guides

Quick Reference

Min Version
OpenClaw 2026.1.29+ (post-CVE patch)
Transport
STDIO via local bridge
Public URL
Not required
Node.js
Required
AI Models
Claude, GPT-4, DeepSeek
Concurrent Tools
Unlimited (autonomous agent)
Avg Response Time
2-5 seconds for simple queries, 10-30 seconds for autonomous multi-step tasks

Security: Read this before connecting OpenClaw

OpenClaw runs with full system access and no authentication by default. CVE-2026-25253 (patched in version 2026.1.29) allowed remote code execution on 135,000+ exposed instances. Always use a read-only MCP Server API key for initial setup. Grant write access only to specific tools when needed.

Prerequisites

  • WHMCS 8.0 or higher with admin access
  • MCP Server addon installed and activated (installation guide)
  • OpenClaw version 2026.1.29 or later (patches CVE-2026-25253)
  • Node.js installed (for npx, which bridges STDIO to SSE)

Step 1: Generate a Read-Only API Key

  1. Go to your WHMCS admin panel
  2. Navigate to Addons > MCP Server
  3. Click Generate New API Key
  4. Set permissions to read-only (query tools only, no create/update/delete)
  5. Copy the API key and save it securely. You will need it in step 3.

Important: Start with a read-only API key for OpenClaw. Because the agent operates autonomously, restrict write access until you understand the agent's behavior with your data. You can always create a second key with broader permissions later.

Step 2: Open OpenClaw Configuration

Open the OpenClaw configuration file on your system:

macOS
~/.openclaw/openclaw.json
Linux
~/.openclaw/openclaw.json
Windows
%USERPROFILE%\.openclaw\openclaw.json

If the file does not exist, create it. The file uses standard JSON format.

Step 3: Add the WHMCS MCP Server Config

Add the following configuration to your openclaw.json (replace the URL and API key with your own):

{
  "mcpServers": {
    "whmcs": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://your-whmcs.com/modules/addons/mx_mcp/mcp.php",
        "--header",
        "Authorization:Bearer YOUR_BEARER_TOKEN"
      ]
    }
  }
}

Tip: Replace your-whmcs.com with your WHMCS domain and your-api-key-here with the read-only API key from step 1.

Step 4: Test the Connection

  1. Restart OpenClaw
  2. Type: Get WHMCS system status
  3. If the connection is working, you should see system information from your WHMCS installation

Success! If you see WHMCS system info, the connection is working. Try more queries like “List all active clients” or “Show overdue invoices”.

Security Best Practices for OpenClaw

API Key Permissions

  • Start with a read-only API key (query tools only)
  • Create separate API keys for each agent (for audit trail)
  • Disable write tools in MCP Server settings for initial setup
  • Review MCP Server logs regularly (Addons > MCP Server > Logs)

Monitoring

  • Review MCP Server audit logs regularly for unusual request patterns
  • OpenClaw can chain 10-15+ tool calls in a single task. Monitor for excessive usage.
  • For rate limiting, configure your web server (nginx, Apache) or firewall

Version Safety

  • Always run OpenClaw 2026.1.29 or later (patches CVE-2026-25253)
  • Do not expose OpenClaw to the public internet
  • Do not install skills from ClawHub without reviewing the source code
  • 341 malicious skills were found on ClawHub as of February 2026

Troubleshooting

“MCP server not found”

  • Restart OpenClaw completely after editing openclaw.json
  • Ensure the JSON in openclaw.json is valid (no trailing commas, proper quotes)
  • Make sure Node.js is installed and npx is available in your PATH
  • Check that the mcpServers key is at the top level of openclaw.json

“Connection refused” or timeout

  • Ensure your WHMCS URL is accessible from your machine
  • Check that the MCP Server addon is activated in WHMCS
  • Ensure your API key is valid and has not been revoked
  • Check if your WHMCS has HTTPS enabled (required for remote connections)

“Permission denied”

  • Verify API key permissions match your needs (read-only vs specific tools)
  • Go to Addons > MCP Server in WHMCS and check API key permissions
  • Check MCP Server logs in WHMCS admin > Addons > MCP Server > Logs
  • If using a read-only key, write operations (create, update, delete) will be blocked by design

OpenClaw chains too many requests

  • This is normal. OpenClaw is an autonomous agent and may chain 10-15+ MCP calls per task.
  • Monitor audit logs for request volume and patterns
  • Use specific, scoped prompts instead of open-ended ones to reduce tool call chains
  • Monitor the MCP Server logs to understand agent behavior patterns

Upgrading from v1.1.x?

If you set up the MCP Server before v1.3.0, the authentication method changed. Here is what is different and how to update your config.

Previous method (v1.1.x)

Still works. In v1.3.0, authentication changed from API Keys to Bearer tokens, and the endpoint changed from sse.php to mcp.php. If you are still on v1.1.x, this is how it was configured:

{
  "mcpServers": {
    "whmcs": {
      "command": "npx",
      "args": ["-y", "@anthropic/mcp-remote",
        "https://your-whmcs.com/modules/addons/mx_mcp/mcp/sse.php"],
      "env": { "MCP_API_KEY": "your-api-key-here" }
    }
  }
}

To upgrade: update the config to use mcp-remote (not @anthropic/mcp-remote), change sse.php to mcp.php, and replace the MCP_API_KEY env var with a --header Authorization:Bearer YOUR_TOKEN arg.

Next Steps

Use cases & examples

See what you can do with OpenClaw + WHMCS

API tools reference

Explore all 46 available MCP tools

Add MX Metrics

Pull revenue analytics into OpenClaw

Other integrations

Claude, n8n, Cursor, LM Studio, ChatGPT