Security Best Practices

Updated: 3/2/2026


Follow these guidelines to secure your OpenClaw gateway deployment.

API Key Management

Secure Your Keys

  • Never commit API keys to version control: keep .env files out of the repository (list them in .gitignore) and scan for key-shaped strings before pushing
  • Load keys from environment variables in production instead of hardcoding them in source or settings files
  • Rotate keys on a schedule, and immediately if a key is exposed
  • Use a separate key for each environment (development, staging, production) so a leaked development key cannot reach production

Environment Variables

# .env file: listed in .gitignore and readable only by the gateway's user (chmod 600)
ANTHROPIC_API_KEY=your-key-here
OPENAI_API_KEY=your-key-here
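The following Python helpers are an added example, not OpenClaw's own code, showing how a deployment can load the two keys above from the environment, refuse to start while a key is missing or still the placeholder, redact key values for logging, and scan file contents for key-shaped strings as a pre-commit check. The key prefixes (sk-ant- for Anthropic, sk- for OpenAI) are assumed patterns used only for illustration, and the .env text and leaked source line are constructed samples.

```python
import os
import re
from typing import Dict, List, Tuple

# Key formats to look for. These prefixes are assumptions for illustration,
# not a specification of either provider's key format.
SECRET_PATTERNS = {
    "anthropic": re.compile(r"sk-ant-[A-Za-z0-9_\-]{20,}"),
    "openai": re.compile(r"sk-(?!ant-)[A-Za-z0-9_\-]{20,}"),
}

REQUIRED_KEYS = ("ANTHROPIC_API_KEY", "OPENAI_API_KEY")
PLACEHOLDER_KEY = "your-key-here"


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines of a .env file, ignoring comments and blank lines."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def require_keys(env: Dict[str, str], names: Tuple[str, ...] = REQUIRED_KEYS) -> Dict[str, str]:
    """Return the required keys, raising before the gateway starts if any is missing or a placeholder."""
    missing = [n for n in names if not env.get(n) or env[n] == PLACEHOLDER_KEY]
    if missing:
        raise RuntimeError(f"missing or placeholder API keys: {', '.join(missing)}")
    return {n: env[n] for n in names}


def redact(secret: str) -> str:
    """Show only enough of a key to identify it in logs (first 7 and last 4 characters)."""
    if len(secret) <= 11:
        return "*" * len(secret)
    return f"{secret[:7]}...{secret[-4:]}"


def scan_for_secrets(path: str, content: str) -> List[Tuple[str, int, str]]:
    """Return (path, line number, provider) for every line that looks like a live key."""
    findings: List[Tuple[str, int, str]] = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for provider, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, provider))
    return findings


if __name__ == "__main__":
    # Constructed .env content (the keys are not real) and a constructed source file that leaks one.
    dotenv_text = (
        "# local secrets\n"
        "ANTHROPIC_API_KEY=sk-ant-EXAMPLEKEY0123456789abcdef\n"
        "OPENAI_API_KEY=sk-EXAMPLEKEY0123456789abcdef\n"
    )
    env = {**os.environ, **parse_dotenv(dotenv_text)}
    for name, value in require_keys(env).items():
        print(f"{name} = {redact(value)}")  # never log the full value
    leaked = scan_for_secrets("app/config.py", 'ANTHROPIC = "sk-ant-EXAMPLEKEY0123456789abcdef"\n')
    print("leaks found:", leaked)
```

Wire scan_for_secrets into a pre-commit hook over the staged files and fail the commit on any finding; the patterns are deliberately loose, so expect to tune them against your own repository.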

Authentication

Enable Authentication

OpenClaw supports multiple authentication methods:

  1. API Key Authentication
  2. OAuth 2.0
  3. JWT Tokens

Configure in your settings file:

{
  "auth": {
    "enabled": true,
    "type": "apiKey",
    "secret": "your-secret-key"
  }
}

Replace your-secret-key with a long random value generated from a cryptographically secure source (at least 32 bytes), use a different secret per environment, and treat it like any other API key: keep the settings file out of version control, restrict it to the gateway's user, and rotate the secret if it is exposed.
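As an added example that is not OpenClaw's code, the Python below shows the two things a practitioner wants around the auth block above: generating a secret with enough entropy and rejecting placeholder or short ones at startup, and checking a presented key in constant time so that a wrong first character fails no faster than a wrong last character. It assumes the key is sent as an Authorization: Bearer header (the page does not state the header OpenClaw uses) and reads the enabled/type/secret fields exactly as shown above; the request headers are constructed.

```python
import hmac
import secrets
from typing import Mapping, Optional

# Values that indicate someone shipped the example config unchanged.
PLACEHOLDER_SECRETS = {"your-secret-key", "changeme", "secret", "password"}
MIN_SECRET_BYTES = 32


def generate_secret(nbytes: int = MIN_SECRET_BYTES) -> str:
    """URL-safe secret from the OS CSPRNG; 32 bytes gives 256 bits of entropy (43 characters)."""
    return secrets.token_urlsafe(nbytes)


def validate_auth_settings(auth: Mapping[str, object]) -> None:
    """Refuse to start with auth disabled, a placeholder secret, or a short secret."""
    if not auth.get("enabled"):
        raise ValueError("auth.enabled must be true")
    if auth.get("type") != "apiKey":
        raise ValueError("this check only covers type=apiKey")
    secret = str(auth.get("secret", ""))
    if secret.lower() in PLACEHOLDER_SECRETS:
        raise ValueError("auth.secret is a placeholder value")
    if len(secret) < MIN_SECRET_BYTES:
        raise ValueError("auth.secret is too short")


def extract_bearer(headers: Mapping[str, str]) -> Optional[str]:
    """Pull the token from 'Authorization: Bearer <token>' (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
    return None


def is_authenticated(headers: Mapping[str, str], expected_secret: str) -> bool:
    """Constant-time comparison: no early exit on the first mismatching byte."""
    presented = extract_bearer(headers)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected_secret.encode())


if __name__ == "__main__":
    secret = generate_secret()
    validate_auth_settings({"enabled": True, "type": "apiKey", "secret": secret})
    print("generated secret length:", len(secret))
    # Constructed requests: one with the right key, one with a guess, one with no header.
    print(is_authenticated({"Authorization": f"Bearer {secret}"}, secret))
    print(is_authenticated({"Authorization": "Bearer your-secret-key"}, secret))
    print(is_authenticated({}, secret))
```

Run validate_auth_settings once at startup rather than per request; together with the rate limit later on this page it bounds how many guesses an attacker gets at a secret that, at this length, cannot be guessed anyway.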

Network Security

Use HTTPS

Always use HTTPS in production so API keys and prompts never cross the network in cleartext. Disable the plain HTTP listener and point the TLS settings at your certificate and private key; keep the key file readable only by the gateway's user, use a certificate that clients can validate against a CA they trust (a self-signed certificate tempts clients to disable verification entirely), and renew it before it expires:

{
  "gateway": {
    "http": {
      "enabled": false,
      "tls": {
        "enabled": true,
        "cert": "/path/to/cert.pem",
        "key": "/path/to/key.pem"
      }
    }
  }
}
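As an added check, not part of OpenClaw, the Python script below audits a settings file against the auth and TLS sections above: auth must be enabled, the plain HTTP listener must be explicitly disabled, TLS must be enabled, and the certificate and key paths must exist with the key not readable by group or other. It assumes the JSON layout exactly as shown on this page (the real schema may have more fields); the settings and the PEM files used in the demo are constructed in a temporary directory and are not real certificates.

```python
import json
import os
import stat
import tempfile
from typing import List, Tuple


def audit_settings(settings: dict) -> List[str]:
    """Return a list of findings; an empty list means the settings pass."""
    findings: List[str] = []
    http = settings.get("gateway", {}).get("http", {})
    tls = http.get("tls", {})

    if not settings.get("auth", {}).get("enabled"):
        findings.append("auth.enabled is not true")
    if http.get("enabled") is not False:
        findings.append("gateway.http.enabled must be explicitly false so only TLS is served")
    if not tls.get("enabled"):
        findings.append("gateway.http.tls.enabled must be true")
        return findings  # the path checks below only make sense with TLS on

    for field in ("cert", "key"):
        path = tls.get(field)
        if not path:
            findings.append(f"gateway.http.tls.{field} is not set")
        elif not os.path.isfile(path):
            findings.append(f"gateway.http.tls.{field} does not exist: {path}")
        elif field == "key":
            # The private key must not be readable by group or other (e.g. mode 0600).
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"private key {path} is readable by group/other (mode {mode:04o})")
    return findings


def audit_json(text: str) -> List[str]:
    """Audit a settings file given as JSON text."""
    return audit_settings(json.loads(text))


# Constructed weak settings: everything the page says to turn on is off.
WEAK_SETTINGS = {
    "auth": {"enabled": False},
    "gateway": {"http": {"enabled": True, "tls": {"enabled": False}}},
}


def demo_with_temp_files() -> Tuple[List[str], List[str]]:
    """Audit constructed good settings twice: with the key at mode 0600, then at 0644."""
    with tempfile.TemporaryDirectory() as d:
        cert, key = os.path.join(d, "cert.pem"), os.path.join(d, "key.pem")
        for p in (cert, key):
            with open(p, "w") as f:
                f.write("-----BEGIN PLACEHOLDER-----\n")  # constructed stand-in, not a real PEM
        good = {
            "auth": {"enabled": True, "type": "apiKey", "secret": "replace-me-with-a-generated-secret"},
            "gateway": {"http": {"enabled": False, "tls": {"enabled": True, "cert": cert, "key": key}}},
        }
        os.chmod(key, 0o600)
        strict = audit_settings(good)
        os.chmod(key, 0o644)
        loose = audit_settings(good)
    return strict, loose


if __name__ == "__main__":
    print("weak settings:", audit_settings(WEAK_SETTINGS))
    strict, loose = demo_with_temp_files()
    print("key 0600:", strict)
    print("key 0644:", loose)
```

Run audit_json over the settings file in CI or at service start and refuse to deploy on any finding; the secret check from the authentication section can be added as one more rule.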

Firewall Rules

Deny inbound traffic by default and open only the ports the deployment needs, restricted where possible to the source addresses that should reach them (for example your reverse proxy, VPN range, or office egress):

  • 18789 (gateway); do not expose it to the public internet unless authentication and TLS are both enabled
  • 3000 (optional web UI); leave it closed if you are not using the web UI

Rate Limiting

Configure rate limiting so that a single client cannot exhaust your model quota or brute-force the authentication secret. In the example below, windowMs is the window length in milliseconds and max is the number of requests allowed within it (typically counted per client, such as per source IP), so this allows 100 requests per minute; tune max to your real traffic:

{
  "gateway": {
    "rateLimit": {
      "enabled": true,
      "windowMs": 60000,
      "max": 100
    }
  }
}
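As an added example that is not OpenClaw's code, this Python limiter implements the windowMs/max semantics of the settings above as a sliding window per client, which shows what the numbers mean in practice: the 101st request from one client inside a minute is rejected with a retry-after time, other clients are unaffected, and the client is admitted again once its oldest request falls out of the window. Whether the gateway's own limiter is sliding or fixed-window is not stated on this page; the client addresses are constructed and a fake clock replaces real time so the demo is deterministic.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict


class SlidingWindowLimiter:
    """Allow at most max_requests per client within any window_ms-long window."""

    def __init__(self, window_ms: int = 60000, max_requests: int = 100,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.window = window_ms / 1000.0
        self.max = max_requests
        self.clock = clock
        # Timestamps of in-window requests, per client key (e.g. source IP).
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, client: str) -> bool:
        """Record the request and return True if it is within the limit."""
        now = self.clock()
        q = self._hits[client]
        while q and now - q[0] >= self.window:  # drop requests that left the window
            q.popleft()
        if len(q) >= self.max:
            return False
        q.append(now)
        return True

    def retry_after(self, client: str) -> float:
        """Seconds until the client's oldest in-window request expires (0 if not limited)."""
        q = self._hits[client]
        if len(q) < self.max:
            return 0.0
        return max(0.0, self.window - (self.clock() - q[0]))


class FakeClock:
    """Deterministic clock for the demo; advance() moves time forward."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_demo(window_ms: int = 60000, max_requests: int = 100) -> Dict[str, object]:
    """Burst max_requests+1 requests from one constructed client and summarise the decisions."""
    clock = FakeClock()
    limiter = SlidingWindowLimiter(window_ms, max_requests, clock)
    client, other = "203.0.113.7", "203.0.113.8"  # constructed documentation-range addresses
    decisions = [limiter.allow(client) for _ in range(max_requests + 1)]
    summary: Dict[str, object] = {
        "allowed": decisions.count(True),
        "rejected": decisions.count(False),
        "retry_after": limiter.retry_after(client),
        "other_client_allowed": limiter.allow(other),
    }
    clock.advance(window_ms / 1000.0)  # the whole window elapses
    summary["allowed_after_window"] = limiter.allow(client)
    return summary


if __name__ == "__main__":
    print(run_demo())
```

With the page's values an attacker gets at most 100 guesses per minute per source address against the auth secret, which is why the secret also has to be long enough that 100 guesses a minute never matters; for a real deployment key the limiter on the client identity the gateway actually sees (the proxy's forwarded address, not the proxy itself).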
