OpenClaw security checklist

How to lock down a self-hosted OpenClaw gateway.

A self-hosted agent gateway is a powerful thing to leave on the open internet. Exposed instances get found, and an agent with tools and keys is a bigger prize than a plain web app. This checklist covers the settings that matter most before you go live.

Direct answer

How do I secure a self-hosted OpenClaw gateway?

Do not expose it directly to the internet. Bind the gateway to loopback or a private network like Tailscale, require authentication in front of it, store keys as least-privilege secrets outside your code, keep the runtime updated, and limit what the agent can reach so a mistake or compromise has a small blast radius.

Biggest risk
An agent gateway open to the internet
First fix
Bind to loopback or a private network
Key handling
Least-privilege secrets, never in code
Goal
A small blast radius if something slips

Self-hosted gateway hardening checklist

AreaDo thisWhy it matters
NetworkBind to loopback; reach it over Tailscale or a VPN.Keeps the agent off the public internet.
AuthRequire a token or an authenticated proxy.Stops anyone from driving your agent.
SecretsLeast-privilege keys in a secret store.Limits the damage if one credential leaks.
UpdatesPatch the runtime on a schedule.Closes known holes before they are used.
Blast radiusNon-root user, spend caps, human review.Keeps a single mistake small.

Do not bind it to a public interface

The most common mistake is running the gateway on 0.0.0.0 and reaching it by public IP. Security researchers routinely find self-hosted agent gateways exposed with no authentication, which puts an agent holding tools and credentials one scan away from strangers. Bind it to localhost, and reach it over a private network instead.

  • Bind the gateway to 127.0.0.1, not 0.0.0.0.
  • Reach it over Tailscale, a VPN, or an SSH tunnel, not a public port.
  • If it must be public, put it behind a reverse proxy that enforces auth and TLS.

Require authentication in front of the agent

An agent endpoint with no auth is an open door. Put authentication in front of it so only you, or your own systems, can send it instructions.

  • Require a token or an authenticated proxy for every request.
  • Do not treat an obscure URL or port as a secret.
  • Rotate the credential if it is ever shared, logged, or leaked.

Handle keys and secrets carefully

An agent's model keys, tokens, and integration credentials are the real target. Treat them as least-privilege secrets that live outside your code and can be rotated on their own.

  • Store secrets in the environment or a secret store, never in the repo or the prompt.
  • Give each integration the narrowest scope it can work with.
  • Use separate credentials per agent so one leak does not unlock everything.

Keep it updated and limit the blast radius

Agents move fast and so do their dependencies. Patch the runtime, and assume any single agent could misbehave, so nothing it can reach is catastrophic on its own.

  • Update the runtime and dependencies on a schedule, not just after an incident.
  • Run the agent as a non-root user with only the file and network access it needs.
  • Set spend limits and human review on any action that touches money or customers.

Where managed hosting fits

If keeping all of this current is not how you want to spend your time, managed hosting does it by default. Qoren runs OpenClaw and Hermes in isolated environments with authentication, secret storage, updates, and hard spend caps handled for you, so the secure path is the default one.

Related guides

Frequently asked questions

An agent is not a static site. It holds keys, can use tools, and can take actions. If its gateway is reachable without authentication, anyone who finds it can make it act with your credentials, which is why exposed instances are a documented and recurring problem.

Run OpenClaw or Hermes without managing infrastructure.

Deploy a managed agent environment, configure the runtime, and keep the agent online without Docker, VPS setup, or server maintenance.

Get started