Path C

OpenClaw Path

Separate from the UI and CLI paths. Use this only if you want to run your own agent infrastructure and are ready to manage isolation, auth, and network hardening.

High-risk route. This topic is moving fast. Verify OpenClaw docs before every deploy, every upgrade, and every internet exposure change. Read The Lethal Trifecta before setup, and do not connect OpenClaw to accounts, systems, or data you care about. This guide was updated February 4, 2026.

Managed Alternative

Don't Want To Run It Yourself?

Skip the infrastructure headaches. z0.ai gives you the same agentic capabilities without managing servers, security patches, or network hardening.

Try z0.ai Instead

00 Read Before Setup

Suitability Check

Know What You Are Taking On

Self-hosting gives control but adds real operational burden: patching, token security, network policy, and incident response.

Required Advanced

Use a separate machine or VM; do not run this next to sensitive personal/work data.
Best practice: use a dedicated old computer/laptop/MacBook/Mac mini just for OpenClaw.
Treat all model/tool credentials as production secrets.
Plan rollback before your first public endpoint.

Open OpenClaw Docs

SB NET

Security Reality

Assume Breach, Design Isolation

OpenClaw documents that sandboxing is a helpful control but not a perfect security boundary. Build layered controls from day one.

Required

Sandboxing Guidance Gateway Security

01 Where To Run It

Cloud VM

DigitalOcean (Good First VPS)

Simple droplet-based setup with predictable networking. Keep OpenClaw private first, then publish only after auth and logging are proven.

Recommended

DigitalOcean OpenClaw Tutorial Use Referral (Support Us)

Edge Access

Cloudflare (Access + Tunnel)

Use Cloudflare as a zero-trust front door. Expose dashboard/API through Access policy instead of raw public ports.

Recommended

Cloudflare moltworker Guide

Other Options

Other Common Hosting Targets

Other current OpenClaw deployment docs include Northflank, Railway, and Hetzner. Pick based on your ops maturity and budget.

Optional

Railway (Support Us) Railway Guide Northflank Guide Hetzner Guide

02 Baseline Setup Flow

Install

Run Basic Install

Start with the official install script in an isolated environment, then continue setup only after the install succeeds.

Required first run

OpenClaw CLI

curl -fsSL https://openclaw.ai/install.sh | bash

Getting Started

WIZ

Configure

Run The Onboarding Wizard

The recommended way to configure OpenClaw. One guided flow sets up your Gateway, model providers, channels, daemon, and skills.

Required

OpenClaw CLI

openclaw onboard

Model/Auth: configure Anthropic, OpenAI, or other providers.
Gateway: port, bind address, auth mode, Tailscale exposure.
Channels: WhatsApp, Telegram, Discord, Signal, iMessage, and more.
Daemon: installs LaunchAgent (macOS) or systemd unit (Linux).

Onboarding Wizard Docs Full Reference

03 Operational Guardrails

AUTH SEC

Hardening

Lock Auth And Secrets Early

Do not expose non-loopback endpoints without authentication. Keep provider keys in a secret store, never in shell history or dotfiles.

Required

Enable auth before binding on LAN/public interfaces.
Use short-lived tokens where possible.
Rotate keys after setup tests.

Security Checklist Model Provider Setup

OPS LOG

Required Ongoing

Change Management And Drift Control

This ecosystem is volatile. Pin versions, track changelogs, and use staged rollouts. Never apply docs snippets directly to production.

Required

Review OpenClaw release notes before each upgrade.
Re-run security checks after every config change.
Keep backups and tested rollback scripts.

Remote Gateway Setup Back To Guided Setup