https://<vm-name>.exe.xyz.
This guide assumes exe.dev’s default exeuntu image. Map packages accordingly on other distros.
What you need
- exe.dev account
ssh exe.devaccess to exe.dev VMs (optional, for manual setup)
Beginner quick path
- Open https://exe.new/openclaw
- Fill in your auth key/token as needed
- Click “Agent” next to your VM and wait for Shelley to finish provisioning
- Open
https://<vm-name>.exe.xyz/and authenticate with the configured shared secret (token auth by default; password auth also works if you switchgateway.auth.mode) - Approve pending device pairing requests with
openclaw devices approve <requestId>
Automated install with Shelley
Shelley, exe.dev’s agent, can install OpenClaw from a prompt:Manual installation
Configure nginx to proxy to port 8000
Edit Overwrite forwarding headers instead of preserving client-supplied chains. OpenClaw trusts forwarded IP metadata only from explicitly configured proxies, and append-style
/etc/nginx/sites-enabled/default:X-Forwarded-For chains are treated as a hardening risk.Access OpenClaw and approve devices
Open
https://<vm-name>.exe.xyz/ (see the Control UI output from onboarding). If it prompts for auth, paste the configured shared secret from the VM.This guide uses token auth by default, so retrieve gateway.auth.token with openclaw config get gateway.auth.token, or generate a new one with openclaw doctor --n. If you switched the gateway to password auth, use gateway.auth.password / OPENCLAW_GATEWAY_PASSWORD instead.Approve devices with openclaw devices list and openclaw devices approve <requestId>. When in doubt, use Shelley from your browser.Remote channel setup
For remote hosts, prefer oneconfig patch call over many SSH calls to config set. Keep real tokens in the VM environment or ~/.openclaw/.env, and put only SecretRefs in openclaw.json. See Secrets management for the full SecretRef contract.
On the VM, make the service environment contain the secrets it needs:
--replace-path when a nested allowlist should become exactly the patch value, for example replacing a Discord channel allowlist:
Remote access
exe.dev handles authentication for remote access. By default, HTTP traffic from port 8000 is forwarded tohttps://<vm-name>.exe.xyz with email auth.