Network hub
This hub links the core docs for how OpenClaw connects, pairs, and secures devices across localhost, LAN, and tailnet.Core model
Most operations flow through the Gateway (openclaw gateway), a single long-running process that owns channel connections and the WebSocket control plane.
- Loopback first: the Gateway WS defaults to
ws://127.0.0.1:18789. Tokens are required for non-loopback binds. - One Gateway per host is recommended. For isolation, run multiple gateways with isolated profiles and ports (Multiple Gateways).
- Canvas host is served on the same port as the Gateway (
/__openclaw__/canvas/,/__openclaw__/a2ui/), protected by Gateway auth when bound beyond loopback. - Remote access is typically SSH tunnel or Tailscale VPN (Remote Access).
Pairing + identity
- Pairing overview (DM + nodes)
- Gateway-owned node pairing
- Devices CLI (pairing + token rotation)
- Pairing CLI (DM approvals)
- Local connections (loopback or the gateway host’s own tailnet address) can be auto‑approved for pairing to keep same‑host UX smooth.
- Non‑local tailnet/LAN clients still require explicit pairing approval.