Description

channels.discord.token currently only accepts a plain string. Passing an object like { "source": "env", "id": "DISCORD_BOT_TOKEN" } results in:

channels.discord.token: Invalid input: expected string, received object

This forces users to store the Discord bot token as plaintext in openclaw.json, which is a security concern — especially if the config file is committed to a repo or shared.

Expected Behavior

channels.discord.token should support the same SecretRef format used by other token fields (e.g., provider API keys), allowing tokens to be stored in environment variables or .env files:

{
  "channels": {
    "discord": {
      "token": { "source": "env", "id": "DISCORD_BOT_TOKEN" }
    }
  }
}

Current Workaround

Store the token as a plain string directly in openclaw.json.

Impact

Multiple users in our team hit this issue independently — each time resulting in a gateway crash and requiring manual recovery. A consistent SecretRef interface across all token fields would prevent this.

Environment

• OpenClaw 2026.2.26
• WSL2 Ubuntu