Security Best Practices
Secure your OpenClaw deployment with tokens, allowlists, and safety controls.
Overview
OpenClaw provides multiple layers of security to protect your deployment. Since it's self-hosted, you maintain full control over access and data.
Access Control
Allowlists
Restrict which users can interact with your agents:
```json
{
  "channels": {
    "whatsapp": {
      "allowFrom": ["+15555550123", "+15555550456"]
    },
    "telegram": {
      "dmPolicy": "allowlist",
      "allowFrom": ["tg:123456789"]
    }
  }
}
```
Pairing
New users must be approved before chatting:
```bash
# List pending pairing requests
openclaw pairing list

# Approve a request
openclaw pairing approve <CODE>

# Reject a request
openclaw pairing reject <CODE>
```
API Key Security
Environment Variables
Never hardcode API keys in config files. Use environment variables:
```bash
export OPENAI_API_KEY="sk-..."
export ANTHROPIC_API_KEY="sk-ant-..."
export TELEGRAM_BOT_TOKEN="123:abc..."
```
File Permissions
Secure your config file:
```bash
chmod 600 ~/.openclaw/openclaw.json
```
Network Security
Bind to Localhost
By default, the Gateway binds to 127.0.0.1:
```json
{
  "gateway": {
    "host": "127.0.0.1",
    "port": 18789
  }
}
```
Remote Access
Use Tailscale or SSH tunnels for remote access instead of exposing the Gateway publicly.
Group Chat Safety
Mention Requirements
Require @mention to activate the agent in groups:
```json
{
  "channels": {
    "telegram": {
      "groups": {
        "*": {
          "requireMention": true
        }
      }
    }
  },
  "messages": {
    "groupChat": {
      "mentionPatterns": ["@openclaw"]
    }
  }
}
```
Best Practices Checklist
- ✅ Use allowlists or pairing for all channels
- ✅ Store API keys in environment variables
- ✅ Bind Gateway to localhost
- ✅ Use SSH/Tailscale for remote access
- ✅ Require mentions in group chats
- ✅ Set appropriate file permissions
- ✅ Regularly update OpenClaw
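The allowlist, localhost-binding, mention-requirement and file-permission items above can be checked mechanically. The script below is an added example, not OpenClaw's own tooling: it audits a loaded config against the key paths shown on this page (`gateway.host`, `channels.<name>.allowFrom`/`dmPolicy`, `groups.*.requireMention`, `messages.groupChat.mentionPatterns`), and its credential-key-name heuristic and the two sample configs are assumptions.

```python
"""Audit an OpenClaw config against this page's checklist (added example, not OpenClaw's
own tooling). Key paths are those shown on the page; the credential heuristic is an assumption."""
import os
import stat

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def audit_config(cfg: dict) -> list:
    """Return findings; an empty list means every page check passed."""
    findings = []
    host = cfg.get("gateway", {}).get("host")
    if host not in LOOPBACK:
        findings.append(f"gateway.host is {host!r}; bind to 127.0.0.1 and tunnel remote access")
    for name, chan in cfg.get("channels", {}).items():
        # A channel with neither an allowFrom list nor an allowlist DM policy accepts anyone.
        if not chan.get("allowFrom") and chan.get("dmPolicy") != "allowlist":
            findings.append(f"channels.{name}: no allowFrom and dmPolicy is not 'allowlist'")
        for group, gcfg in chan.get("groups", {}).items():
            if gcfg.get("requireMention") is not True:
                findings.append(f"channels.{name}.groups.{group}: requireMention is not true")
    if not cfg.get("messages", {}).get("groupChat", {}).get("mentionPatterns"):
        findings.append("messages.groupChat.mentionPatterns is empty; nothing for requireMention to match")
    return findings + _hardcoded_secrets(cfg, "")

def _hardcoded_secrets(node, path):
    """Heuristic (assumption): a string under a key ending in 'key' or 'token' is a pasted credential."""
    hits = []
    if isinstance(node, dict):
        for k, v in node.items():
            hits += _hardcoded_secrets(v, f"{path}.{k}" if path else k)
    elif isinstance(node, str) and path.rsplit(".", 1)[-1].lower().endswith(("key", "token")):
        hits.append(f"{path}: credential in config file; move it to an environment variable")
    return hits

def audit_file_mode(path: str) -> list:
    """Flag group/other permission bits on the config file (the page recommends chmod 600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [f"{path}: mode {mode:o} is readable by others; run chmod 600"] if mode & 0o077 else []

# Constructed samples: a weak shape, then the hardened shape this page recommends.
WEAK = {"gateway": {"host": "0.0.0.0", "port": 18789},
        "channels": {"telegram": {"botToken": "123:abc", "groups": {"*": {"requireMention": False}}}}}
HARDENED = {"gateway": {"host": "127.0.0.1", "port": 18789},
            "channels": {"whatsapp": {"allowFrom": ["+15555550123"]},
                         "telegram": {"dmPolicy": "allowlist", "allowFrom": ["tg:123456789"],
                                      "groups": {"*": {"requireMention": True}}}},
            "messages": {"groupChat": {"mentionPatterns": ["@openclaw"]}}}

if __name__ == "__main__":
    print(audit_config(WEAK), audit_config(HARDENED), sep="\n")
```

Run `audit_file_mode(os.path.expanduser("~/.openclaw/openclaw.json"))` alongside `audit_config` on the parsed file to cover the permissions item as well.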
Next Steps
- Gateway Configuration — Network settings
- AI Agent — Agent configuration
- Quick Start — Initial setup