Local Machine

Best for first setup and low-risk automation. Lowest blast radius if isolated well.

  • Fastest start
  • No public exposure by default
  • Great for debugging and learning

VPS (Generic)

Best for always-on runtime when you need stable background execution.

  • Persistent availability
  • Full control of network and OS
  • Requires active hardening

Railway

Good for quick managed deployment, but check runtime limits and secret handling carefully.

  • Fast deploy workflow
  • Managed infra reduces ops load
  • Platform constraints to evaluate

DigitalOcean

Good middle ground with solid control and predictable pricing on droplets.

  • Straightforward VPS model
  • Easy firewall and VPC controls
  • You still own patching and security

Decision Matrix

Option       | Time to Start | Ops Load       | Security Control  | Best Use
Local        | Very fast     | Low            | High (local only) | Learning, prototypes, safe workflows
VPS          | Medium        | Medium to high | Very high         | Always-on personal or team runtime
Railway      | Fast          | Low to medium  | Medium            | Quick managed deployment
DigitalOcean | Medium        | Medium         | High              | Stable VPS with explicit control

Recommended Setup Sequence

  1. Start local with loopback-only access.
  2. Add only low-risk tools and no third-party skills.
  3. Move to VPS after logging, backups, and token hygiene are in place.
  4. Use VPN or SSH tunnel for dashboard access.
  5. Expand capabilities only after policy checks and isolation are in place.

Security Guardrails for Every Setup

  • Never expose the admin dashboard publicly.
  • Use dedicated API keys with low permissions.
  • Treat third-party skills as executable code and review before install.
  • Separate OpenClaw runtime from sensitive file systems.
  • Log every tool call and keep a simple incident rollback plan.

Secure Local Install and Channel Connection Playbook

Use this sequence if you want to run OpenClaw on your own PC first, then connect Telegram or WhatsApp without opening an unsafe control plane.

Phase 1: Secure local baseline

  1. Use a dedicated OS user and dedicated workspace folder for OpenClaw.
  2. Install from official OpenClaw docs only, then run dashboard-only for first validation.
  3. Keep the gateway bound to 127.0.0.1 and do not bind to 0.0.0.0.
  4. Set a dashboard auth token and store it as an environment secret, not in Git.
  5. Enable only low-risk tools first (read-only files, no unrestricted shell).
  6. Only after local validation, add one chat connector at a time.

Install on local PC (official quick path)

Use one of the official install paths below, then validate the local dashboard before enabling channels.

# Prereq
node --version   # Node 22+

# Option A (OpenClaw official installer, macOS/Linux)
curl -fsSL --proto '=https' --tlsv1.2 https://openclaw.ai/install.sh | bash

# Option B (npm global install)
npm install -g openclaw@latest

# Onboard + install daemon service
openclaw onboard --install-daemon

# Verify gateway and open dashboard
openclaw gateway status
openclaw dashboard

If dashboard auth prompts appear, use your configured gateway token and keep access local-only.

Minimal secure env baseline (example):

OPENCLAW_GATEWAY_HOST=127.0.0.1
OPENCLAW_GATEWAY_PORT=18789
OPENCLAW_GATEWAY_TOKEN=replace-with-long-random-secret

Keep variable names aligned with your installed OpenClaw version and docs.
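
One way to check this baseline before adding channels, as an added example (not code from the OpenClaw project). It uses the variable names shown above; the env file path you pass in and the 32-character token minimum are assumptions.

```bash
#!/bin/sh
# Added example: audits the env baseline above. Variable names are the ones on
# this page; the env file path and the 32-character minimum are assumptions.

# audit_env FILE: print one line per finding; exit status = number of findings.
# The body runs in a subshell, so its variables and helper stay local.
audit_env() (
  file=$1; findings=0
  fail() { echo "FAIL: $1"; findings=$((findings + 1)); }
  host=$(sed -n 's/^OPENCLAW_GATEWAY_HOST=//p' "$file" | tail -n 1)
  token=$(sed -n 's/^OPENCLAW_GATEWAY_TOKEN=//p' "$file" | tail -n 1)
  # GNU stat first, BSD/macOS stat as fallback
  mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
  case $host in
    127.0.0.1|localhost|::1) ;;
    *) fail "gateway host '$host' is not loopback" ;;
  esac
  case $token in
    ''|replace-with*) fail "token is empty or still the placeholder" ;;
    *) [ "${#token}" -ge 32 ] || fail "token shorter than 32 characters" ;;
  esac
  case $mode in
    *00) ;;
    *) fail "env file mode $mode is readable by group or others" ;;
  esac
  exit "$findings"
)

# exposed_listeners PORT: read `ss -ltn` output on stdin and print every local
# address bound to PORT that is not loopback (no output means loopback-only).
exposed_listeners() {
  awk -v port="$1" '{
    n = split($4, part, ":")
    if (part[n] != port) next
    addr = substr($4, 1, length($4) - length(port) - 1)
    if (addr !~ /^127\./ && addr != "[::1]") print addr
  }'
}

# Demo on constructed input (not captured from a real host).
demo=$(mktemp); chmod 644 "$demo"
printf 'OPENCLAW_GATEWAY_HOST=0.0.0.0\nOPENCLAW_GATEWAY_TOKEN=replace-with-long-random-secret\n' > "$demo"
audit_env "$demo" || echo "findings: $?"
printf 'LISTEN 0 511 127.0.0.1:18789 0.0.0.0:*\nLISTEN 0 511 0.0.0.0:18789 0.0.0.0:*\n' | exposed_listeners 18789
rm -f "$demo"
```

On a Linux host, feed the second function live data with: ss -ltn | exposed_listeners 18789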

Phase 2: Connect Telegram safely

  1. Create a bot in BotFather and get the bot token.
  2. Add the token to your local secret store or an env file excluded from version control.
  3. Connect Telegram in the OpenClaw dashboard or CLI channel setup.
  4. Restrict allowed chats or user IDs before enabling automation.
  5. Test text-only workflows first, then enable limited tool actions.

# Telegram token example
export TELEGRAM_BOT_TOKEN="replace-with-your-botfather-token"
openclaw gateway status

Phase 3: Connect WhatsApp safely

  1. Use an official WhatsApp Business API path (Meta Cloud API or approved provider).
  2. Use a dedicated phone number for bot traffic, not your primary personal number.
  3. Store the API token and webhook secret outside the repo and rotate them on a schedule.
  4. If webhooks require internet reachability, expose only the webhook endpoint, never the dashboard UI.
  5. Start with read-only and notification tasks before any command-style automation.

# WhatsApp QR login (OpenClaw web channel)
openclaw channels login
openclaw gateway --port 18789

Telegram default posture

  • Fastest channel onboarding
  • Good for personal automation and alerts
  • Use chat allowlist to reduce abuse surface

WhatsApp default posture

  • Better for business-facing workflows
  • Webhook security and token hygiene are mandatory
  • Use staged rollout before enabling privileged tools

Next Read

For architecture, data flow, and threat model details, read: OpenClaw for Builders: Architecture, Data Flow, and Security Guardrails.

Further Reading and Deploy Links

For latest setup instructions and ecosystem updates, use these official and community links: