OpenClaw checks permissions in 3 layers, evaluated in order. Let me walk you through each one:
1. Identity. Who is making the request? The daemon maps each incoming message to a known identity (Telegram user ID, Discord user ID, etc.). Unknown identities are rejected.
2. Scope. What is the request trying to do? Each tool has a scope string. Your assigned role determines which scopes you can access.
3. Model. Does the AI agree the action is safe? Even if identity and scope pass, the model can refuse based on AGENTS.md rules.
This "identity-first" order means the model is the last line of defense, not the only one. A stolen API key without a valid identity gets nowhere: the request is dropped at layer 1, before any scope is looked up and before the model is ever asked.
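Here is the three-layer check written out as a small authorizer, so you can see the short-circuit order and the fail-closed defaults. This is an added example, not OpenClaw's own code: the tables (IDENTITIES, ROLE_SCOPES, TOOL_SCOPES), the `authorize` and `model_gate` functions and the sample AGENTS.md rules are all constructed for illustration, and the model's judgement is replaced by a deterministic stand-in that applies two rules in code instead of calling an LLM.

```python
import posixpath
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Any, Callable, Dict, Optional, Tuple

# --- Constructed sample configuration (illustrative, not OpenClaw's real files) ---

# Layer 1: known identities, keyed by (channel, platform user id). Anyone else is unknown.
IDENTITIES: Dict[Tuple[str, Any], Dict[str, str]] = {
    ("telegram", 123456789): {"name": "alice", "role": "admin"},
    ("discord", "987654321"): {"name": "bob", "role": "viewer"},
}

# Layer 2: each role lists the scope patterns it may use (fnmatch-style globs).
ROLE_SCOPES: Dict[str, set] = {
    "admin": {"*"},
    "viewer": {"files:read", "web:fetch"},
}

# Every tool carries exactly one scope string.
TOOL_SCOPES: Dict[str, str] = {
    "read_file": "files:read",
    "write_file": "files:write",
    "run_shell": "shell:exec",
    "fetch_url": "web:fetch",
}

# Layer 3: the rules the model is asked to honour. In this example they are
# applied by a deterministic stand-in (model_gate) instead of an LLM call.
AGENTS_MD = """
- Never write files outside /workspace.
- Never run destructive shell commands.
"""


@dataclass(frozen=True)
class Request:
    channel: str
    user_id: Any
    tool: str
    args: Dict[str, Any]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    layer: str    # "identity", "scope" or "model": the layer that decided
    reason: str


def resolve_identity(req: Request) -> Optional[Dict[str, str]]:
    return IDENTITIES.get((req.channel, req.user_id))


def scope_allows(role: str, scope: str) -> bool:
    return any(fnmatch(scope, pattern) for pattern in ROLE_SCOPES.get(role, set()))


def model_gate(identity: Dict[str, str], req: Request) -> Tuple[bool, str]:
    """Stand-in for the model's judgement under AGENTS_MD (assumption: a real
    deployment asks the LLM; here the two rules are checked deterministically)."""
    if req.tool == "write_file":
        # normpath collapses "..", so /workspace/../etc/passwd is caught.
        path = posixpath.normpath(req.args.get("path", ""))
        if not path.startswith("/workspace/"):
            return False, f"AGENTS.md forbids writing outside /workspace ({path})"
    if req.tool == "run_shell":
        cmd = req.args.get("cmd", "")
        if any(marker in cmd for marker in ("rm -rf", "mkfs", "dd if=")):
            return False, "AGENTS.md forbids destructive shell commands"
    return True, "model accepted the action"


Gate = Callable[[Dict[str, str], Request], Tuple[bool, str]]


def authorize(req: Request, gate: Gate = model_gate) -> Decision:
    """Evaluate the three layers in order, stopping at the first refusal."""
    identity = resolve_identity(req)
    if identity is None:
        # Layer 1 fails closed: no scope lookup and no model call for strangers.
        return Decision(False, "identity", f"unknown {req.channel} user {req.user_id!r}")

    scope = TOOL_SCOPES.get(req.tool)
    if scope is None:
        # Unregistered tool: fail closed rather than let the model decide.
        return Decision(False, "scope", f"tool {req.tool!r} has no scope")
    if not scope_allows(identity["role"], scope):
        return Decision(False, "scope", f"role {identity['role']!r} lacks {scope!r}")

    # Only a known identity with a permitted scope ever reaches the model.
    ok, reason = gate(identity, req)
    return Decision(ok, "model", reason)


if __name__ == "__main__":
    for req in (
        Request("telegram", 111, "read_file", {"path": "/workspace/a.txt"}),
        Request("discord", "987654321", "write_file", {"path": "/workspace/a.txt"}),
        Request("telegram", 123456789, "run_shell", {"cmd": "rm -rf /"}),
        Request("telegram", 123456789, "write_file", {"path": "/workspace/notes.md"}),
    ):
        d = authorize(req)
        print(f"{req.tool:<10} {'ALLOW' if d.allowed else 'DENY':<5} [{d.layer}] {d.reason}")
```

The `gate` parameter exists so the model layer can be swapped out: in a real daemon it would wrap the LLM call, and in tests it lets you prove that an unknown identity never triggers a model call at all, which is the property the identity-first ordering is meant to guarantee.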