Agent gateways sit between unreliable clients and expensive side effects. In 2026, production OpenClaw clusters treat idempotency keys as first-class headers or JSON fields so retries, websocket reconnects, and orchestrator-level at-least-once delivery cannot double-charge customers or fork filesystem mutations. Pair dedupe with JSON Schema validation, keep stores coherent during rolling nginx drains, align throttles with 429 Retry-After budgets, and tune hangs via read timeout diagnostics as you read the operational detail below.
Client contract and header grammar
Pick a single canonical transport: either Idempotency-Key: <uuid> for HTTP-style tool bridges or a JSON field idempotency_key for gRPC-style payloads. Reject keys shorter than 16 bytes of entropy after base64url decoding; keys below that threshold are trivially guessable and invite cross-tenant probing. Upper bound practical wire size at 128 ASCII characters so logs and load balancers stay predictable.
Normalize by trimming whitespace, lowercasing only if you explicitly document case insensitivity, and rejecting keys containing control characters. Hash the normalized key with SHA-256 before using it as a Redis field name so unusually long client strings cannot blow keyspace budgets while you still retain a stable identifier for metrics labels.
Bind every idempotent operation to a tuple of (tenant_id, route_id, key_hash, schema_version). Schema version bumps should intentionally break dedupe for the same textual key so you never replay a response shaped by outdated validators. That interaction is why teams ship gateway validation described in the schema article before tightening dedupe semantics.
Storage layout and atomic claims
Use an atomic claim pattern: first request executes SET idempo:{tenant}:{hash} NX EX <ttl_seconds> with EX reflecting your chosen window. Successful SET means this worker owns the slot and may stream upstream work. Contending workers that receive NIL should read the stored replay envelope and return it directly without touching side effects.
Store three artifacts: the HTTP status or tool exit code, a minimal header map safe to replay, and a BLAKE3 or SHA-256 checksum of the serialized body. When bodies exceed 1 MiB, spill to object storage keyed by the checksum and keep only the pointer inside Redis to protect memory.
# Pseudo-Lua for OpenResty / nginx + Redis
local key = "idempo:" .. tenant .. ":" .. ngx.var.idem_hash
local ok = redis:set(key .. ":claim", worker_pid, "NX", "EX", 172800)
if ok == ngx.null then
return replay_from_redis(key)
end
proxy_pass http://openclaw_upstream;The snippet illustrates ordering: claim first, execute second, publish replay third. Never publish partial responses; if upstream fails after side effects began, mark the key with a failure sentinel so clients know retries require a fresh key.
Decision matrix: local vs shared store
| Topology | Pros | Risks | When to choose |
|---|---|---|---|
| In-process LRU | Sub-millisecond lookups | Split-brain across pods | Single-tenant dev laptops only |
| Redis cluster | Linearizable claims with TTL | Hot keys under viral agents | Default for multi-instance gateways |
| SQL advisory locks | Strong audit trail | Higher latency and lock churn | Regulated finance with existing RDBMS |
| etcd / Consul | Session leases integrate with service mesh | Operational complexity | Mesh-heavy enterprises already on those planes |
For OpenClaw gateways colocated with model routers, Redis remains the pragmatic middle ground because Lua scripts can combine claim, compare-and-swap, and publish in one round trip. Keep per-tenant key sharding so a celebrity tenant cannot exhaust a single hash slot during a product launch spike.
TTL windows and legal expectations
Default mutable-route TTL at 172800 seconds, which is forty-eight hours, matching many public payment APIs. If your orchestration includes nightly reconciliation jobs that may legitimately retry on the third day, extend to 259200 seconds, seventy-two hours, but widen observability dashboards accordingly so slow leaks in Redis memory do not surprise finance.
Document TTL in customer-facing SLAs; auditors compare marketing copy to actual EX values. Pair TTL with a nightly sweeper that archives replay metadata to cold storage when compliance requires seven-year retention but hot RAM cannot hold that duration.
When TTL expires, the next retry must be treated as a brand-new operation. Communicate that boundary to SDK authors so they rotate keys whenever users explicitly click “retry as new payment” rather than “resume.”
Replay envelopes and checksum discipline
Replays should return byte-identical payloads whenever feasible. If your stack gzips responses at the edge, store the pre-compressed canonical JSON so gzip nondeterminism does not break checksum verification in CI. Include a dedupe_hit: true diagnostic flag in an internal header for support engineers while stripping it before responses leave the trust zone.
For streaming tool outputs, chunk sequence numbers into the envelope so partial streams cannot be mistaken for completed work. If a client disconnects mid-stream, the gateway should mark the idempotency record as in_progress until a terminal chunk arrives; subsequent callers with the same key either join the stream or receive a 409 conflict with guidance to wait.
Checksum mismatches between workers indicate memory corruption or versioning bugs; emit a Sev-2 page when mismatch rate exceeds 0.01% of replays for more than ten minutes.
nginx and upstream coordination
Terminate TLS at nginx, inject normalized Idempotency-Key headers, and forward a hashed derivative to OpenClaw workers via a trusted internal header. During drains, keep the Redis endpoint stable so half-open connections from sleepy mobile clients still dedupe correctly when they finally flush buffered bytes to the new upstream pool.
Configure proxy read timeouts slightly higher than your gateway’s internal idempotent upstream budget so nginx does not clip slow-but-valid work; align those knobs with the hang diagnostics article to avoid double faulting. If you use limit_req, exempt internal replay responses from burst counters so legitimate dedupe hits do not starve interactive sessions.
Rollout checklist
- Inventory every mutating route and tag it
requires_idempotency=truein your service catalog. - Ship SDK changes that mint UUIDv4 keys by default and refuse manual keys shorter than 22 base64url characters.
- Enable Redis cluster with three primary shards minimum in production and enable AOF with everysec fsync for durability.
- Backfill integration tests that send twenty concurrent duplicates and assert exactly one upstream mutation counter increment.
- Run a game day where operators drain 50% of pods while duplicate traffic continues, validating shared-store semantics.
- Document client-visible error codes for stale keys, mismatched bodies, and tenant drift.
- Verify observability: dedupe hit ratio, claim latency p99, Redis evicted keys per minute.
Telemetry, cardinality, and SLOs
Emit counters idempo_claim_total, idempo_replay_total, and idempo_conflict_total with bounded label cardinality by hashing tenant identifiers into low-cardinality buckets. Track claim latency separately from upstream latency so Redis regressions do not hide inside model latency spikes.
Set SLOs: claim plus replay path under 2 ms p95 at the gateway edge, upstream replay under whatever budget your tool contracts require. Alert when replay share exceeds 35% of traffic for longer than thirty minutes because that often signals a broken client loop rather than healthy dedupe.
Log structured JSON with correlation IDs but never log raw keys; store only key_hash fields. Pair logs with traces so on-call engineers can jump from a spike in idempo_conflict_total to the exact worker that mishandled schema version negotiation.
Failure modes under partition
If Redis becomes unavailable, decide explicitly between fail-open and fail-closed. Financial gateways should fail-closed with a 503 and exponential backoff instructions, while internal dev sandboxes may fail-open with loud banners. Never silently drop dedupe; ambiguous behavior is worse than a controlled outage.
When Redis fails partial writes after upstream success, rely on a compensating transaction journal keyed by the same hash so recovery workers can rebuild envelopes during maintenance windows. Practice that recovery monthly on a rented Mac mini so engineers internalize the launchd units and path layouts used in production.
Client-side retry budgets should cap at five attempts with jittered backoff capped at 32 seconds unless providers return explicit Retry-After headers, in which case honor the longer value to avoid thundering herds.
FAQ
Do GET requests need idempotency keys?
Usually no, but cached mutations disguised as GET should be banned; require POST for anything that moves money or deletes data.
Can the same key apply to different routes?
No—always include route identifiers in the storage tuple to prevent accidental cross-route replays.
How do mobile offline queues interact?
Assign keys when actions enter the queue, not when they flush, so duplicate flushes dedupe correctly.
Apple Silicon Mac mini hosts give OpenClaw operators a quiet, always-on environment where Redis, nginx, and the gateway binary behave identically to production racks but without customer blast radius. macOS launchd timers, Keychain access groups, and file vault defaults mirror what security teams audit on bare metal, which shrinks the gap between staging heuristics and real partitions. Renting a cloud Mac mini for a few days costs about $16.9 per day on MacHTML, cheap compared to an incident bridge where Redis TTL misconfigurations double-charge customers during a traffic spike.
Use that cloud host to replay captured duplicate bursts, validate Lua scripts, and rehearse Redis failovers while your laptop sleeps. When dedupe logic ships, the same machine can run nginx config diffs and openssl s_client checks so TLS front doors stay aligned with the gateway’s assumptions.
Rehearse gateway dedupe on a cloud Mac
Spin up a Mac mini, mirror Redis and nginx, then hammer your OpenClaw gateway with duplicate fixtures before you widen TTL in production.