OpenClaw Agent Setup: Complete Configuration Guide for Production [2026]

Setup Overview and Order of Operations

Setting up an OpenClaw agent for production is a 10-step process. The order matters. Connecting messaging channels before securing your instance or setting usage limits is a common mistake that leads to security vulnerabilities and surprise API bills. Follow this sequence and you will have a rock-solid production agent.

Here is the complete order:

1. VPS Provisioning — get a server running
2. Docker and Reverse Proxy — install the container runtime and SSL
3. Deploying OpenClaw — pull the image and start the container
4. Model Configuration — connect your AI model
5. Writing the Agent Persona — define how your agent behaves
6. Security Hardening — gateway token, firewall, access controls
7. Connecting Messaging Channels — WhatsApp, Telegram, etc.
8. Installing Skills — extend capabilities from ClawHub
9. Memory Configuration — set up persistent agent memory
10. Monitoring and Alerting — ensure uptime and catch issues

Total time: 2-4 hours depending on your experience level with Docker and Linux. If you have never used Docker before, add an extra hour for learning the basics.

Step 1: VPS Provisioning

You need a Linux server accessible via SSH. For production OpenClaw, the recommended specifications are:

Recommended VPS providers by region:

• Europe: Hetzner CX22 ($3.79/month) — best value. 2 vCPU, 4GB RAM, 40GB SSD.
• North America: Contabo VPS S ($5.49/month) — 4 vCPU, 8GB RAM, 50GB SSD. Overprovisions nicely for growth.
• Global: DigitalOcean Basic ($6/month) — most beginner-friendly UI. Excellent documentation.
• Free: Oracle Cloud Always Free — 1 CPU, 1GB RAM. Fine for personal use, tight for production.

After provisioning, SSH into your server and run initial setup:

sudo apt update && sudo apt upgrade -y
sudo apt install -y curl git ufw

Configure the firewall:

sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

This allows SSH (22), HTTP (80), and HTTPS (443) while blocking everything else. Port 3008 (OpenClaw's default) is intentionally not exposed — you will access it through a reverse proxy on port 443.

Step 2: Docker and Reverse Proxy

Install Docker:

curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER
newgrp docker

Verify:

docker --version && docker compose version

Configure Docker log rotation to prevent disk exhaustion:

sudo tee /etc/docker/daemon.json > /dev/null <<'EOF'
{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  }
}
EOF
sudo systemctl restart docker

Install Caddy as a reverse proxy for automatic SSL:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update && sudo apt install -y caddy

Configure Caddy. Edit /etc/caddy/Caddyfile:

your-domain.com {
  reverse_proxy localhost:3008
}

Replace your-domain.com with your actual domain. Point your domain's DNS A record to your server's IP address before this step. Caddy automatically provisions a Let's Encrypt SSL certificate.

sudo systemctl restart caddy

Step 3: Deploying OpenClaw

Create a directory for your deployment:

mkdir -p ~/openclaw && cd ~/openclaw

Create a docker-compose.yml:

version: "3.8"
services:
  openclaw:
    image: openclaw/openclaw:3.23
    container_name: openclaw
    restart: always
    ports:
      - "127.0.0.1:3008:3008"
    volumes:
      - ./data:/app/data
    env_file:
      - .env

Note: the port binding is 127.0.0.1:3008:3008, which only exposes the port to localhost. External access goes through Caddy on port 443. This prevents direct access to OpenClaw without SSL.

Create a .env file for your configuration (we will fill in the values in subsequent steps):

# Gateway security
OPENCLAW_GATEWAY_TOKEN=

# AI Model
OPENCLAW_MODEL_PROVIDER=
OPENCLAW_MODEL_NAME=

# Cost controls
OPENCLAW_DAILY_TOKEN_LIMIT=

# Channels (added later)
# Skills (added later)
# Memory (added later)

Pull the image and start the container:

docker compose pull
docker compose up -d

Verify OpenClaw is running:

docker logs openclaw --tail 20

You should see the startup sequence. The web UI will be accessible at https://your-domain.com after the DNS and SSL are configured.

Step 4: Model Configuration

Choose your AI model. For a production agent, we recommend starting with Claude Sonnet 4 for quality or DeepSeek V3 for budget. See our model selection guide for a full comparison.

Add model configuration to your .env file:

For Claude Sonnet 4:

OPENCLAW_MODEL_PROVIDER=anthropic
OPENCLAW_MODEL_NAME=claude-sonnet-4-20250514
ANTHROPIC_API_KEY=sk-ant-api03-your-key-here

For DeepSeek V3 (budget option):

OPENCLAW_MODEL_PROVIDER=deepseek
OPENCLAW_MODEL_NAME=deepseek-chat
DEEPSEEK_API_KEY=your-key-here

For production resilience, add a fallback model from a different provider:

OPENCLAW_FALLBACK_1_PROVIDER=openai
OPENCLAW_FALLBACK_1_MODEL=gpt-4o-mini
OPENAI_API_KEY=sk-your-key-here

Restart to apply:

docker compose down && docker compose up -d

Test the model by sending a test message through the web UI. If the model responds, your API key and configuration are correct.

Step 5: Writing the Agent Persona

The persona prompt defines your agent's identity, behavior, tone, and boundaries. A well-written persona is the difference between a generic chatbot and a useful assistant.

Set the persona via environment variable or through the web UI. For environment variable configuration, add to .env:

OPENCLAW_PERSONA_PROMPT=You are [Agent Name], an AI assistant for [Your Name/Company]. Your role is to [primary purpose]. You communicate in a [tone] manner. You can help with [list capabilities]. You cannot [list boundaries]. Always [key behaviors]. Never [restrictions].

For longer personas, use a file. Create data/persona.md and set:

OPENCLAW_PERSONA_FILE=/app/data/persona.md

A production persona should include:

• Identity: Name, role, who it works for
• Primary purpose: The main job this agent does
• Tone: Professional, casual, formal, friendly
• Capabilities: What it can do (linked to installed skills)
• Boundaries: What it should not do (refuse requests outside scope)
• Response format: Length preferences, formatting rules
• Escalation: When to hand off to a human and how

Spend time on this step. The persona is the single biggest factor in agent quality. A detailed, well-structured persona with clear instructions produces dramatically better results than a vague one-liner.

Step 6: Security Hardening

Security must be configured before you connect any messaging channels. Once a channel is live, your agent is reachable from the outside world.

Gateway token: Generate a strong token and add it to .env:

OPENCLAW_GATEWAY_TOKEN=$(openssl rand -hex 32)

Copy the generated value into your .env file. This token protects the web UI and API. Anyone with this token has full admin access to your agent.

API usage limits: Set a daily token limit to prevent runaway costs:

OPENCLAW_DAILY_TOKEN_LIMIT=100000

Start conservative (100K tokens is about 200-400 messages depending on model and conversation length). You can always increase it after observing actual usage for a week.

Rate limiting: Limit how many messages any single user can send per minute:

OPENCLAW_RATE_LIMIT_PER_USER=10
OPENCLAW_RATE_LIMIT_WINDOW=60

This allows 10 messages per 60 seconds per user. Prevents abuse and limits the impact of echo loops.

Skills allowlist: If you plan to install skills, restrict which ones can be installed:

OPENCLAW_SKILLS_ALLOWLIST=publisher:openclaw-official,publisher:remote-openclaw

Disable unused features: If you are not using browser automation, disable Puppeteer to reduce attack surface:

OPENCLAW_PUPPETEER_ENABLED=false

Secure the .env file: Restrict file permissions so only your user can read it:

chmod 600 .env

Apply all security settings and restart:

docker compose down && docker compose up -d

Step 7: Connecting Messaging Channels

Now that your agent is secured, you can connect messaging channels. Start with one channel, test thoroughly, then add more.

WhatsApp (most popular):

OPENCLAW_WHATSAPP_ENABLED=true
OPENCLAW_WHATSAPP_IGNORE_SELF=true

Restart OpenClaw, then scan the QR code displayed in the web UI (or logs) with your WhatsApp phone. The IGNORE_SELF setting prevents the echo loop bug in group chats. See our WhatsApp echo fix guide for details.

Telegram:

OPENCLAW_TELEGRAM_ENABLED=true
OPENCLAW_TELEGRAM_TOKEN=your-bot-token
OPENCLAW_TELEGRAM_MODE=webhook
OPENCLAW_TELEGRAM_WEBHOOK_URL=https://your-domain.com/api/channels/telegram/webhook
OPENCLAW_TELEGRAM_WEBHOOK_SECRET=your-random-secret
OPENCLAW_TELEGRAM_ALLOW_FROM=your-user-id

Always set ALLOW_FROM to restrict who can message your Telegram bot. See our allowFrom guide for details.

Discord:

OPENCLAW_DISCORD_ENABLED=true
OPENCLAW_DISCORD_TOKEN=your-discord-bot-token
OPENCLAW_DISCORD_ALLOWED_CHANNELS=channel-id-1,channel-id-2

Email:

OPENCLAW_EMAIL_ENABLED=true
OPENCLAW_EMAIL_IMAP_HOST=imap.gmail.com
OPENCLAW_EMAIL_IMAP_PORT=993
OPENCLAW_EMAIL_SMTP_HOST=smtp.gmail.com
OPENCLAW_EMAIL_SMTP_PORT=587
OPENCLAW_EMAIL_USER=your-email@gmail.com
OPENCLAW_EMAIL_PASSWORD=your-app-password

For Gmail, use an app password (not your regular password). Enable 2FA on your Google account first, then generate an app password in your Google Account security settings.

After connecting each channel, test by sending a message through that channel and verifying your agent responds correctly. Check the logs for any errors:

docker logs openclaw --tail 50

Step 8: Installing Skills

Skills extend your agent's capabilities beyond basic conversation. They are Markdown files that add tools, integrations, and specialized behaviors.

Search for skills from the CLI:

docker exec openclaw openclaw skills search calendar

Install a skill:

docker exec openclaw openclaw skills install google-calendar

Popular production skills:

• google-calendar — read and create calendar events
• web-search — search the web and return results
• email-send — send emails on behalf of the agent
• notion-sync — read and write Notion databases
• crm-contact — manage CRM contacts
• url-reader — extract content from web pages

After installing skills, update your agent persona to reference the new capabilities. The agent needs to know it has access to these tools and when to use them. Add instructions like: "You have access to the Google Calendar skill. When users ask about scheduling, check their calendar first."

For a curated list of vetted production skills, the Remote OpenClaw Skool community maintains a monthly-updated security-reviewed list.

Step 9: Memory Configuration

OpenClaw's memory system gives your agent persistent knowledge across conversations. Without memory, your agent forgets everything between sessions. With memory, it can recall user preferences, past interactions, ongoing projects, and accumulated knowledge.

Enable memory:

OPENCLAW_MEMORY_ENABLED=true
OPENCLAW_MEMORY_PROVIDER=local

The local memory provider stores memory entries as JSON files in the data/memory/ directory. For small to medium deployments (under 10,000 memory entries), this is sufficient. For larger deployments, consider a vector database like Qdrant or Weaviate.

Configure memory behavior:

# Maximum number of memory entries to include in context
OPENCLAW_MEMORY_MAX_CONTEXT=10

# Automatically save important facts from conversations
OPENCLAW_MEMORY_AUTO_SAVE=true

# Memory retention period (0 = forever)
OPENCLAW_MEMORY_RETENTION_DAYS=0

Auto-save mode analyzes conversations and automatically extracts and stores important facts, preferences, and decisions. This is the recommended mode for most deployments — your agent builds knowledge over time without manual intervention.

You can also manually add memory entries through the web UI or API. This is useful for bootstrapping your agent with initial knowledge about your business, clients, or processes.

Memory quality improves with your persona prompt. Include instructions like: "When you learn a new fact about a user (their name, preferences, project details), save it to memory. When a user asks about something you have discussed before, check your memory first."

Step 10: Monitoring and Alerting

A production agent needs monitoring. You need to know when it goes down, when it is behaving unexpectedly, and when costs are trending higher than expected.

Basic monitoring: Docker health checks. The restart: always policy in your Docker Compose handles container crashes. Docker automatically restarts the container if it exits. For an additional layer, add a health check:

services:
  openclaw:
    # ... existing config ...
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3008/health"]
      interval: 30s
      timeout: 10s
      retries: 3

Standard monitoring: External uptime checks. Use UptimeRobot (free for 50 monitors) or self-hosted Uptime Kuma to ping your OpenClaw health endpoint from outside your network. This catches issues that Docker health checks miss, like network outages or DNS problems.

Set up a monitor for: https://your-domain.com/health

Configure email or SMS alerts for downtime. Check interval: 5 minutes is sufficient for most deployments.

Cost monitoring: Set up usage alerts with your AI model providers:

• Anthropic: Dashboard > Usage > set monthly budget alert
• OpenAI: Settings > Usage limits > set hard and soft limits
• DeepSeek: Dashboard > set balance alert threshold

Combine this with OpenClaw's OPENCLAW_DAILY_TOKEN_LIMIT for defense in depth. The provider alerts catch spending that exceeds your expectations. OpenClaw's limit prevents your agent from exceeding a daily budget even if one conversation consumes unusual amounts of tokens.

Advanced monitoring: Log aggregation and alerting. For operators who want full observability, forward OpenClaw logs to a centralized logging service. Enable structured JSON logging:

OPENCLAW_LOG_FORMAT=json
OPENCLAW_LOG_LEVEL=info

Forward logs to services like Grafana Loki, Datadog, or a simple ELK stack. Set up alerts for specific log patterns: error rates exceeding thresholds, rate limit hits, authentication failures, and skill execution errors.

OpenClaw also exposes a metrics endpoint at /metrics (when enabled with OPENCLAW_METRICS_ENABLED=true) that provides Prometheus-compatible metrics including message counts, response times, model usage, and memory operations.

Ongoing Maintenance

A production agent needs regular maintenance. Here is a recommended maintenance schedule:

Weekly:

• Check API usage and costs via provider dashboards
• Review OpenClaw logs for errors or unusual patterns
• Verify all channels are connected and responding

Monthly:

• Update OpenClaw to the latest patch release: docker compose pull && docker compose up -d
• Prune old conversation data: docker exec openclaw openclaw data prune --older-than 30d
• Run docker system prune to clean up unused images
• Review and update the agent persona based on observed behavior
• Check disk usage: df -h and du -sh ~/openclaw/data/

Quarterly:

• Review security: rotate gateway token, review channel access controls
• Evaluate model performance and cost — consider switching models if better options are available
• Update your VPS operating system: sudo apt update && sudo apt upgrade -y
• Review installed skills — remove unused ones, check for updates to installed ones
• Test your backup and recovery process (you do have one, right?)

Backup strategy: The critical data is in the data/ directory. Back it up regularly:

# Simple backup to a compressed archive
tar -czf ~/openclaw-backup-$(date +%Y%m%d).tar.gz ~/openclaw/data/

For automated backups, set up a daily cron job that creates the archive and copies it to an offsite location (S3, Backblaze B2, or another server). The data/ directory typically grows to 1-5GB over time, so compressed daily backups are manageable.

If disaster strikes, recovery is straightforward: provision a new VPS, install Docker, copy your docker-compose.yml and .env, restore the data/ directory from backup, and start the container. Your agent resumes with all its memory, conversation history, and configuration intact.

Frequently Asked Questions

How long does it take to set up an OpenClaw agent for production?

A basic production setup takes 1-2 hours for someone comfortable with Docker and Linux. Adding skills, memory, security hardening, and monitoring takes an additional 1-2 hours. Total: 2-4 hours for a complete production deployment.

What is the minimum VPS specification for a production OpenClaw agent?

Minimum: 1 vCPU, 2GB RAM, 25GB SSD. Recommended: 2 vCPU, 4GB RAM, 40GB SSD. If running Ollama for local models alongside OpenClaw, you need at least 4GB RAM (8GB recommended).

What should I configure before connecting channels to my OpenClaw agent?

Before connecting any messaging channel: (1) Set a strong gateway token. (2) Configure your AI model and verify it works. (3) Write your agent persona prompt. (4) Set API usage limits. (5) Configure the skills allowlist. These steps prevent security issues and runaway costs.

How do I monitor my OpenClaw agent in production?

Three levels: (1) Basic — Docker health checks with restart policies. (2) Standard — external uptime monitoring pinging your health endpoint. (3) Advanced — log aggregation, API cost tracking, and custom alerting through webhooks for error rates and response times.