Security Hub
Everything you need to secure your OpenClaw deployment. Self-hosted means you control your data — this guide shows you how to protect it.
OpenClaw is designed with security-first principles: open source code you can audit, data that stays on your server, and no external dependencies beyond the AI APIs you choose.
Complete these 6 steps in under 20 minutes to lock down your deployment.
1. Set a 64+ character API token (2 min)
2. Enable HTTPS with Let's Encrypt (5 min)
3. Close unused firewall ports (3 min)
4. Enable fail2ban for SSH (5 min)
5. Set up automatic security updates (3 min)
6. Enable 2FA on your VPS account (2 min)
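The first checklist step, generating a 64+ character token and then keeping it out of logs, is the one that needs code rather than a package install. The following is an added example, not OpenClaw's own code: it assumes a hypothetical deployment where the token is a single bearer string compared on each request, and shows how to generate one of the required length from the OS random source, reject weak values, compare it without leaking timing, and scrub it from log lines before they are written.

```python
import hmac
import re
import secrets

# Minimum from the checklist: 64 characters. 32 random bytes -> 64 hex chars.
MIN_TOKEN_CHARS = 64


def generate_token(nbytes: int = 32) -> str:
    """Return a hex token drawn from the OS CSPRNG (secrets, not random)."""
    return secrets.token_hex(nbytes)


def token_is_strong(token: str) -> bool:
    """Reject tokens that are too short or built from a tiny alphabet.

    A 64-character hex token from generate_token() always passes; a value
    such as 'a' * 64 satisfies the length rule but is rejected here.
    """
    if len(token) < MIN_TOKEN_CHARS:
        return False
    return len(set(token)) >= 8


def token_matches(presented: str, expected: str) -> bool:
    """Constant-time comparison so a wrong token cannot be guessed byte by byte."""
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


# Hypothetical log shapes: 'Authorization: Bearer <token>' headers and
# 'token=<token>' query strings. Adjust the pattern to your own log format.
_TOKEN_RE = re.compile(r"(Bearer\s+|token=)([A-Za-z0-9_\-]{8,})")


def redact(line: str) -> str:
    """Keep the first 4 characters for correlation, drop the rest."""
    return _TOKEN_RE.sub(lambda m: m.group(1) + m.group(2)[:4] + "[redacted]", line)


if __name__ == "__main__":
    tok = generate_token()
    print("new token:", tok, "strong:", token_is_strong(tok))
    # Constructed sample log line, not real OpenClaw output.
    print(redact("GET /api/run token=" + tok + " 200"))
```

Write the generated token into the config file the guide refers to and restart the service; any request handler that checks it should use token_matches() rather than ==, and every logger that might see a request line should pass it through redact() first.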
Generate strong tokens, rotate regularly, and never expose them in logs or configs.
Enable TLS with Let's Encrypt, secure WebSocket connections, and certificate management.
Firewall rules, SSH security, fail2ban, and automatic security updates.
How OpenClaw handles your data, what's stored locally, and privacy-first architecture.
Rate limiting, input validation, and protection against common attack vectors.
Why self-hosted means you control your data. No cloud dependency, full auditability.
Key point: OpenClaw itself does not collect, transmit, or store any data on external servers. You control all data retention and can delete everything at any time.
Every line of code is open source. Audit it yourself or hire a security researcher. No hidden telemetry or data collection.
Your data lives on your server, in your jurisdiction. Subject to your local laws, not a cloud provider's terms of service.
Move your instance anytime. Export your data, migrate to another server, or shut it down. You're never locked into a platform.
OpenClaw is designed with security in mind, but proper deployment requires you to follow security best practices. The most critical step is setting a strong API token before exposing your instance to the internet. Our security checklist walks you through the essential steps.
All your data stays on your server. OpenClaw is fully self-hosted — messages, credentials, and automation configs never leave your VPS. The only external connections are to the AI provider APIs you configure (Anthropic, OpenAI, etc.).
Yes! OpenClaw is open source. You can review every line of code on GitHub. There is no hidden telemetry, no backdoors, and no data collection. Transparency is core to the project.
Immediately rotate your token by generating a new one and updating your configuration. Anyone with your API token can interact with your OpenClaw instance, so treat it like a password. Enable rate limiting and IP allowlisting for additional protection.
No. Our 10-step security checklist takes under an hour and requires no prior security experience. The most important steps are setting a strong token, enabling HTTPS, and closing unused ports — all covered in the checklist.
Unlike cloud services (ChatGPT, Claude.ai), OpenClaw runs on your infrastructure. Your messages and data are processed on your server, not sent to a third-party platform. You control retention, access, and backup policies.
Follow our 10-step security checklist to lock down your deployment in under an hour.