OpenClaw checks permissions in layers, evaluated in order. Let me walk you through each one:
Identity. Who are you? The daemon maps each incoming message to a known identity (Telegram user ID, Discord user ID, etc.). A message from a sender that is not in that mapping is rejected before any later layer runs. Note that this layer is only as strong as the messaging platform's own account security: a compromised Telegram or Discord account presents a perfectly valid identity to the daemon.
Scope. What is the request trying to do? Each tool has a scope string, and your assigned role determines which scopes you hold. A request for a tool whose scope your role does not grant is rejected here, regardless of what the model would have said.
Model. Does the AI agree your action is safe? Even if identity and scope pass, the model can refuse based on AGENTS.md rules. Treat this as a last line of defense rather than the primary gate: a model's judgement is not deterministic, so anything that must never be allowed belongs in the scope rules, not left for the model to catch.
This "identity-first" order means you get layers of defense, not just one. An attacker who has stolen a tool's API key but cannot send from a known account is stopped at the identity layer, before the scope check or the model ever sees the request.
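The following is an added example of the three-layer evaluation order described above. It is illustrative code written for this page, not OpenClaw's own implementation: the identity table, roles, scope strings, tool names and the `model_review` stand-in (which applies a single hypothetical AGENTS.md rule) are all constructed assumptions. The point it makes is that each layer fails closed and that a later layer never gets to override an earlier rejection.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample configuration (assumptions, not real OpenClaw data).
# Identity layer: (platform, platform user id) -> internal identity.
IDENTITIES: Dict[Tuple[str, str], str] = {
    ("telegram", "1001"): "alice",
    ("discord", "77"): "bob",
}
# Scope layer: identity -> role, role -> granted scope strings, tool -> required scope.
ROLES: Dict[str, str] = {"alice": "admin", "bob": "viewer"}
ROLE_SCOPES: Dict[str, set] = {
    "admin": {"files:read", "files:write", "shell:exec"},
    "viewer": {"files:read"},
}
TOOL_SCOPES: Dict[str, str] = {
    "read_file": "files:read",
    "write_file": "files:write",
    "run_shell": "shell:exec",
}


@dataclass
class Request:
    platform: str
    user_id: str
    tool: str
    args: dict


@dataset_placeholder = None  # noqa: E999
```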