OpenClaw Security: How to Keep Your AI Assistant Safe

TL;DR: Secure OpenClaw in 30 minutes: (1) Set a strong API token, (2) Enable HTTPS, (3) Close unused ports, (4) Enable auto-updates. These 4 steps prevent 99% of attacks.

OpenClaw connects to your messages, calendar, and services. A compromised deployment gives an attacker access to everything. Most "hacks" aren't sophisticated - they're bots scanning for default passwords and open ports.

This guide shows you exactly how to lock down your instance. No security expertise required.

Who This Is For

Read this if:

You just deployed OpenClaw and haven't secured it yet
You're running OpenClaw on a public-facing VPS
You handle sensitive data (client info, business data, personal messages)
You want a simple security checklist that takes under 30 minutes

For deeper security analysis, see our complete OpenClaw security and privacy guide.

The 4-Step Security Checklist

Complete these steps in order. Each builds on the previous.

Step 1: Set a Strong API Token (5 minutes)

OpenClaw's API token is the gatekeeper. Anyone with this token can access your instance.

What to do:

Generate a 64-character random string:

   openssl rand -hex 32

Add it to your docker-compose.yml:

   environment:
     - GATEWAY_TOKEN=your-64-char-token-here

Restart OpenClaw:

   docker compose down && docker compose up -d

What NOT to use:

❌ Your name, birthday, or dictionary words
❌ Short passwords (under 32 characters)
❌ The same token you use elsewhere

Example of a good token (generate your own - don't copy this):

a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2

Step 2: Enable HTTPS with Auto-Renewal (10 minutes)

Without HTTPS, your data travels in plain text. Anyone on the network can intercept it.

Option A: Hostinger/DigitalOcean 1-Click (Automatic)

If you used our Hostinger setup guide or DigitalOcean 1-click app, HTTPS is configured automatically when you add a domain. Just point your domain to the server IP in your DNS settings.

Option B: Caddy (Recommended for Manual Setup)

Caddy handles HTTPS automatically:

# /etc/caddy/Caddyfile
yourdomain.com {
  reverse_proxy localhost:3000
}

sudo systemctl restart caddy

That's it. Caddy obtains and renews certificates from Let's Encrypt automatically.

Option C: nginx + Let's Encrypt

sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com

Certbot configures nginx and sets up auto-renewal.

Verify HTTPS is working:

Visit https://yourdomain.com - you should see a lock icon in your browser.

Step 3: Firewall - Close Every Port Except 22, 80, 443 (10 minutes)

Most VPS providers leave ports wide open. Close everything except what's required.

Using UFW (Ubuntu/Debian):

# Reset to defaults
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow required ports
sudo ufw allow 22/tcp   # SSH
sudo ufw allow 80/tcp   # HTTP (redirects to HTTPS)
sudo ufw allow 443/tcp  # HTTPS

# Enable firewall
sudo ufw enable

Verify the rules:

sudo ufw status

You should see:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere

⚠️ Critical: Do NOT expose port 3000 to the internet. OpenClaw should only be accessible via the reverse proxy (port 443).

Using cloud provider firewalls:

If your VPS has a cloud firewall (AWS Security Groups, DigitalOcean Cloud Firewall):

Remove "All TCP" or "All ports" rules
Add specific rules for 22, 80, 443 only
Apply to your instance

Step 4: Enable Automatic Security Updates (5 minutes)

Unpatched software is the #1 attack vector. Enable auto-updates so you're always protected.

# Install unattended-upgrades
sudo apt update
sudo apt install -y unattended-upgrades

# Configure it
sudo dpkg-reconfigure -plow unattended-upgrades
# Select "Yes" when prompted

This applies security patches automatically. You don't need to think about it.

Update OpenClaw itself monthly:

cd /path/to/openclaw
docker compose pull
docker compose up -d

Set a calendar reminder for the first Monday of each month.

Securing Your API Keys and Secrets

OpenClaw stores tokens for AI providers, integrations, and services. Protect them:

✅ DO:

Use environment variables (already set in docker-compose.yml)
Restrict file permissions: chmod 600 .env
Rotate keys every 90 days
Use read-only API keys where possible

❌ DON'T:

Hardcode secrets in config files
Commit secrets to Git
Share your data directory with untrusted users
Use the same API key for multiple services

Advanced Security (Optional)

Completed the basics? Consider these additions:

Fail2ban - Block Brute Force Attempts

sudo apt install fail2ban
sudo systemctl enable fail2ban

Fail2ban automatically blocks IP addresses with too many failed login attempts.

VPN Access Instead of Public Dashboard

For maximum security, don't expose OpenClaw's dashboard to the internet at all:

Install Tailscale on your VPS and devices
Access OpenClaw via Tailscale IP (http://100.x.x.x:3000)
Block port 443 entirely in your firewall

Now only devices on your Tailscale network can access OpenClaw.

Database Encryption

OpenClaw stores data in SQLite or PostgreSQL. Enable encryption at rest:

SQLite: Use SQLCipher (encrypted SQLite)
PostgreSQL: Enable Transparent Data Encryption (TDE)
Filesystem: Enable LUKS/dm-crypt on your VPS

Business Use: Compliance and Data Residency

OpenClaw is safe for business use because:

Data table 1
Requirement	How OpenClaw Delivers
Data control	Everything stays on your server
Auditability	Open-source code you can review
Data residency	You choose server location (EU, US, etc.)
Retention policies	You control deletion schedules
Access logging	Full control over monitoring

For GDPR, HIPAA, or SOC 2 compliance, self-hosting gives you full control over data handling.

Quick Security Audit

Run through this checklist monthly:

[ ] API token is 64+ random characters
[ ] HTTPS is enabled and certificate is valid
[ ] Firewall only allows 22, 80, 443
[ ] Auto-updates are enabled
[ ] Docker images are updated (check docker images)
[ ] API keys have been rotated in last 90 days
[ ] No secrets in Git history (git log --all --full-history -- .env)

The Bottom Line

Securing OpenClaw takes 30 minutes once, then runs on autopilot. The four steps above prevent 99% of attacks you'll face.

Next steps:

Review the full security and privacy deep-dive
Follow the Getting Started guide to configure your first integrations
Run through our security checklist for automated auditing

Need help? The OpenClaw documentation has platform-specific security guides.

Frequently Asked Questions

Q: Is OpenClaw open source?

A: Yes. OpenClaw is fully open source. You can audit the entire codebase on GitHub before deploying.

Q: Where is my data stored?

A: All data stays on your VPS. OpenClaw doesn't send your messages to any third party except the AI API provider you configure (e.g., OpenAI).

Q: What happens if someone gets my API token?

A: Rotate it immediately in your OpenClaw settings. The old token is invalidated the moment you save a new one.

← Back to all posts

← Previous

OpenClaw vs. Zapier: Which Automation Tool Should You Use?

5 Automations to Set Up First with OpenClaw (Copy-Paste Ready)

Ready to set up OpenClaw?

Follow our free step-by-step guide.

Start the Guide