跳转到主要内容
This hub links the core docs for how OpenClaw connects, pairs, and secures devices across localhost, LAN, and tailnet.

Core model

Most operations flow through the Gateway (openclaw gateway), a single long-running process that owns channel connections and the WebSocket control plane.
  • Loopback first: the Gateway WS defaults to ws://127.0.0.1:18789. Non-loopback binds refuse to start without a valid gateway auth path: shared-secret token/password auth, or a correctly configured non-loopback trusted-proxy deployment.
  • One Gateway per host is recommended. For isolation, run multiple gateways with isolated profiles and ports (Multiple Gateways).
  • Canvas host is served on the same port as the Gateway (/__openclaw__/canvas/, /__openclaw__/a2ui/), protected by Gateway auth when bound beyond loopback.
  • Remote access is typically an SSH tunnel or Tailscale VPN (Remote Access).
Key references:

Pairing + identity

Local trust:
  • Direct local loopback connects (no forwarded/proxy headers) can be auto-approved for pairing to keep same-host UX smooth.
  • OpenClaw also has a narrow backend/container-local self-connect path for trusted shared-secret helper flows.
  • Tailnet and LAN clients, including same-host tailnet binds, still require explicit pairing approval.

Discovery + transports

Nodes + transports

Security