🛡️ Security Guide

Your AI has access to your files, your memory notes, and potentially your business data. If a stranger could message it, they could ask it to read your files, change your settings, or waste your API credits. The allowlist prevents all of that.

Think of it like the lock on your front door. Your AI is inside your house — the allowlist decides who has a key.

OpenClaw uses allowlists at the channel level. In your config.yaml:

Each channel type has its own allowlist format:

• WhatsApp: allowedNumbers (phone numbers)
• Telegram: allowedUsers (usernames or chat IDs)
• Discord: allowedUsers, allowedRoles, allowedChannels
• Signal: allowedNumbers (phone numbers)
• Webchat: Token or password authentication

If the allowlist is empty and allowGroups is false, nobody can reach your AI through that channel.

An approval gate is like a checkpoint. When your AI wants to do something potentially risky — like sending a message to a client or running a system command — it stops and asks you first.

You'll see something like: "I'd like to send this email to john@example.com. Here's what it says: [preview]. Should I go ahead?"

You say yes or no. That's it. The AI never does anything risky without checking with you first.

OpenClaw has granular permission controls in config.yaml:

Security modes:

• deny — AI cannot run any shell commands (strictest)
• allowlist — only pre-approved commands (recommended)
• full — AI can run anything (only if you know what you're doing)

You can also control individual tools — disable file deletion, disable outbound messages, disable browser automation, etc.

Every API key comes with its own usage and billing. Some providers give you free credits to start, others charge from message one. You need to know what yours costs.

Model costs vary dramatically:

Most small business owners on API keys spend $20–60/month. That's less than most SaaS tools — and this is a full AI assistant. But it can spike if you're not watching.

Step 1: Set limits at the provider level

• Anthropic: console.anthropic.com → Settings → Spending Limits
• OpenAI: platform.openai.com → Settings → Billing → Usage Limits

Step 2: Disable auto-reload

Some providers auto-charge your card when credits run out. Turn this OFF. You want to know when credits are low, not get silently billed.

Step 3: Tell your AI to be cost-conscious

Add rules to your AGENTS.md or SOUL.md file:

Step 4: Set up automated guardrails

Ask your AI to create cost-monitoring automations:

When you send a message, here's what goes to the AI provider (Anthropic, OpenAI, etc.):

• ✅ Your message
• ✅ Recent conversation history (so the AI has context)
• ✅ Your system prompt (SOUL.md, AGENTS.md — your AI's personality and rules)
• ✅ Any files you've asked it to read in the current conversation

What is NOT sent:

• ❌ Your entire file system
• ❌ Your API keys or passwords
• ❌ Files the AI isn't actively reading
• ❌ Previous conversations (unless in memory files)

Both Anthropic and OpenAI state in their API terms that API data is not used for training and is not stored permanently.

If you set up a VPS (cloud server), some services may run there — but your core workspace and memory files still live on your Mac Mini unless you choose to move them.

In your config.yaml:

Auth modes:

• token — auto-generated long random string (most secure, recommended)
• password — human-readable password you set
• none — NEVER use this (anyone can access your AI)

How to rotate your token:

What it is: The chat interface that runs in your web browser. This is your primary way to talk to your AI.

Who it's for: You. It runs on your Mac Mini at localhost:18789.

Security: Protected by your token or password. Nobody can access it without that token in the URL.

Setup: Already done — it comes with OpenClaw. Nothing to configure.

Best practices:

• Bookmark the URL with your token so you don't lose it
• Don't share the URL (it contains your access token)
• If you set up remote access, use HTTPS

What it is: Connect your personal WhatsApp so you can text your AI just like texting a friend. It uses WhatsApp Web — the same technology as using WhatsApp on your computer.

Who it's for: Anyone who wants to message their AI from their phone, anywhere.

How it works: Your AI shows you a QR code. You scan it with your phone's WhatsApp app (just like connecting WhatsApp Web). That's it — now you can text your AI from WhatsApp.

⚠️ Important: This uses YOUR personal WhatsApp account. Your AI messages itself through your account. This is NOT the WhatsApp Business API — no business account needed, no approval process, no fees.

Security:

• Set an allowlist — only specific phone numbers can talk to your AI
• Without an allowlist, anyone who has the linked number could message it
• Group chats can be enabled or disabled separately

If something feels wrong: Unlink the WhatsApp Web session from your phone's WhatsApp settings (Settings → Linked Devices → remove it). This instantly disconnects your AI from WhatsApp.

What it is: Create a free Telegram bot that connects to your AI. Anyone you allow can message the bot to talk to your AI.

Who it's for: Teams, families, or anyone who wants a dedicated AI chat that's separate from personal messaging.

How it works:

1. Open Telegram and message @BotFather
2. Type /newbot and follow the prompts
3. You'll get a bot token — a long string of letters and numbers
4. Give that token to your AI, and it connects automatically

Security:

• Set an allowlist of Telegram usernames or chat IDs
• Your bot token is like a password — never share it publicly
• If your token is compromised, revoke it via @BotFather and generate a new one
• Store your bot token in the Key Vault

What it is: Create a Discord bot that lives in your server. Team members can chat with it in channels or DMs.

Who it's for: Teams already using Discord, gaming communities, or anyone who wants AI in a group setting.

How it works:

1. Go to discord.com/developers and create a new application
2. Add a bot to it and copy the bot token
3. Invite the bot to your server
4. Give the token to your AI

Security:

• Control access via Discord roles — only certain roles can talk to the bot
• Restrict to specific channels so the bot doesn't respond everywhere
• Bot token is sensitive — store in Key Vault, never share
• You can revoke and regenerate the token anytime from Discord Developer Portal

What it is: Connect Signal for end-to-end encrypted messaging with your AI.

Who it's for: Privacy-conscious users who want the most secure messaging channel available.

Security: Signal is end-to-end encrypted by default. Combined with OpenClaw's local-first architecture, this is the most private way to communicate with your AI.

Setup: Requires Signal CLI or signal-cli. Your AI can walk you through it.

• Allowlist by phone number
• All messages encrypted in transit
• Great choice if you handle sensitive business data

What it is: Add your AI to your Slack workspace as a bot.

Who it's for: Businesses already using Slack for team communication.

Security:

• Control via Slack's built-in permissions — which channels, which users
• Bot token stored in Key Vault
• Workspace admins control bot access

What it is: Send and receive iMessages through your AI, using your Mac's Messages app.

Who it's for: Mac users who want to use iMessage as their AI channel. Great if everyone in your world uses iPhones.

Security:

• Only works on Mac (requires Messages.app)
• Uses your Apple ID — same security as your regular iMessages
• Allowlist by phone number or Apple ID
• End-to-end encrypted (Apple's encryption)

You'd want remote access if:

• You want to open your AI dashboard from your office (not just home)
• You want team members to access dashboards you've built
• You want a custom domain like ai.mybusiness.com

You do NOT need remote access for:

• WhatsApp/Telegram messaging — those work from anywhere already
• Using your AI from your phone — connect via WhatsApp instead
• Basic AI tasks — everything works locally

Option 1: Tailscale (easiest, recommended)

Tailscale creates a private VPN between your devices. Free for personal use.

• Install Tailscale on your Mac Mini and phone/laptop
• Access your AI via Tailscale IP — no ports exposed to the internet
• No domain needed, no SSL certificates to manage

Option 2: VPS + SSH Tunnel

Rent a cloud server ($6-48/mo) and create an encrypted tunnel:

• Cloud server acts as a relay — your Mac Mini connects to it
• Add a custom domain and HTTPS certificate
• More setup required, but professional result

Critical rules for remote access:

• Always use HTTPS — never expose plain HTTP to the internet
• Never expose port 18789 directly — use a reverse proxy (Caddy/Nginx)
• Use SSH keys, not passwords for server access
• Enable fail2ban on any internet-facing server
• Keep your server updated — automatic security updates recommended

Check for updates every week or two. Your AI can do this automatically if you set up a cron job for it. Updates usually take less than a minute and your AI restarts itself.

Before updating:

• Save a backup of your workspace (Section 11)
• Make sure nothing critical is running
• Updates restart the gateway — active conversations will resume

Don't trust us — verify:

• Read the source code: github.com/openclaw/openclaw
• Monitor network traffic: Use Little Snitch (Mac) or Wireshark to see every connection your Mac Mini makes
• Check what's installed: which openclaw && openclaw status
• Audit your config: cat ~/.openclaw/config.yaml — it's a plain text file, nothing hidden

Network calls your AI makes:

That's it. No mystery connections. No telemetry. No analytics.

The simple version: Back up the entire ~/.openclaw/ folder and you've got everything.

The easiest way? Just tell your AI:

That's it. Your AI creates a zip file with today's date. Save it somewhere safe.

Other options:

• USB drive: Copy the zip to a USB stick and put it in a drawer
• iCloud/Google Drive: Drop the zip in a cloud folder
• Time Machine: If you use Apple's built-in backup, you're already covered

Automated nightly backup (cron job):

Version control with Git:

Push to private GitHub repo (off-site backup):