Network

Network hub: gateway surfaces, pairing, discovery, and security

This hub links the core docs for how OpenClaw connects, pairs, and secures devices across localhost, LAN, and tailnet.

Core model

Most operations flow through the Gateway (openclaw gateway), a single long-running process that owns channel connections and the WebSocket control plane.

  • Loopback first: the Gateway WS defaults to ws://127.0.0.1:18789. Non-loopback binds require a valid gateway auth path: shared-secret token/password auth, or a correctly configured non-loopback trusted-proxy deployment.
  • One Gateway per host is recommended. For isolation, run multiple gateways with isolated profiles and ports (Multiple Gateways.
  • Canvas host is served on the same port as the Gateway (/__openclaw__/canvas/, /__openclaw__/a2ui/), protected by Gateway auth when bound beyond loopback.
  • Remote access is typically SSH tunnel or Tailscale VPN (Remote Access.

Key references:

  • [Gateway architecture](/docs/openclaw-docs/concepts/architecture
  • [Gateway protocol](/docs/openclaw-docs/gateway/protocol
  • [Gateway runbook](/docs/openclaw-docs/gateway
  • [Web surfaces + bind modes](/docs/openclaw-docs/web

Pairing + identity

  • [Pairing overview (DM + nodes)](/docs/openclaw-docs/channels/pairing
  • [Gateway-owned node pairing](/docs/openclaw-docs/gateway/pairing
  • [Devices CLI (pairing + token rotation)](/docs/openclaw-docs/cli/devices
  • [Pairing CLI (DM approvals)](/docs/openclaw-docs/cli/pairing

Local trust:

  • Direct local loopback connects can be auto-approved for pairing to keep same-host UX smooth.
  • OpenClaw also has a narrow backend/container-local self-connect path for trusted shared-secret helper flows.
  • Tailnet and LAN clients, including same-host tailnet binds, still require explicit pairing approval.

Discovery + transports

  • [Discovery and transports](/docs/openclaw-docs/gateway/discovery
  • [Bonjour / mDNS](/docs/openclaw-docs/gateway/bonjour
  • [Remote access (SSH)](/docs/openclaw-docs/gateway/remote
  • [Tailscale](/docs/openclaw-docs/gateway/tailscale

Nodes + transports

  • [Nodes overview](/docs/openclaw-docs/nodes
  • [Bridge protocol (legacy nodes, historical)](/docs/openclaw-docs/gateway/bridge-protocol
  • [Node runbook: iOS](/docs/openclaw-docs/platforms/ios
  • [Node runbook: Android](/docs/openclaw-docs/platforms/android

Security

  • [Security overview](/docs/openclaw-docs/gateway/security
  • [Gateway config reference](/docs/openclaw-docs/gateway/configuration
  • [Troubleshooting](/docs/openclaw-docs/gateway/troubleshooting
  • [Doctor](/docs/openclaw-docs/gateway/doctor
  • [Gateway runbook](/docs/openclaw-docs/gateway
  • [Remote access](/docs/openclaw-docs/gateway/remote