NemoClaw: first login & setup

Use this after your NemoClaw VPS is running and you have the server IP from your email or Dashboard → Servers. You will run interactive setup on the server (the installer usually asks for an NVIDIA API key first; you can skip that and pick another cloud LLM provider, as in OpenClaw) and use SSH tunnels to open the browser Control UI, unlike OpenClaw’s single-hop flow.

What you need

  • Your server public IPv4 (from the “server ready” email or Dashboard → Servers).
  • The private SSH key that matches the public key you added in the dashboard before the server was created.
  • For hosted LLMs, NemoClaw is the same idea as OpenClaw (OpenAI, Anthropic, Google, and other providers the installer lists). The installer usually prompts for an NVIDIA API key first; you can skip that step and choose another provider instead. What differs from OpenClaw is SSH tunnels for the browser Control UI—see §4.
  • A terminal on your computer: PowerShell (Windows), Terminal (macOS), or your Linux shell.
  • Memory: New NemoClaw VMs from AgenticHosting get a 4 GiB swap file at /swapfile during first boot (fewer OOMs during install; you may still see low-RAM notices). Check with swapon --show or free -h.

API keys during interactive setup

/opt/nemoclaw/complete-setup.sh runs NemoClaw's installer. In practice it leads with an NVIDIA API key prompt. If you skip or decline that, the flow continues and lets you pick other cloud LLM providers (not limited to one vendor; same general options as OpenClaw). Exact wording and menu order can change with the upstream script; follow what your terminal shows. Have any key you plan to paste ready before you start if the portal only shows the secret once.

NVIDIA (usually shown first)

  1. Sign up or log in at developer.nvidia.com.
  2. Open the developer portal and go to the API Keys section (wording may vary slightly in the UI).
  3. Create a new API key. A free tier is typically enough for testing.
  4. Copy the key immediately — many portals show the secret only once, with no way to view it again later.

NVIDIA keys often start with nvapi-. Exact format can change — if validation fails, create a fresh key in the portal and compare.

Other providers (after skipping NVIDIA)

Use the same provider consoles as OpenClaw—OpenAI, Anthropic, Google, and any others the installer offers. Console links are listed under LLM setup → OpenClaw → Provider API keys.

  • Production workloads may need a paid tier or higher limits; check your provider's current plans.
  • Keep it secret — treat it like a password (see security notice below).

Security notice

Never paste API keys from the installer into public forums, GitHub repositories, unencrypted chat, or support tickets unless it is absolutely necessary. AgenticHosting support does not need your provider keys to help with access or billing.

  • Prefer entering keys only in the installer prompt on your VPS over SSH, or via environment variables if the installer documents that.
  • Rotate keys periodically and revoke any key you believe is compromised.
  • Monitor usage in each provider's console (NVIDIA, OpenAI, Anthropic, Google, etc.).

1. SSH into the server

Replace YOUR_SERVER_IP with your IPv4. Login user is usually agentic unless your operator told you otherwise.

ssh agentic@YOUR_SERVER_IP

If your key is not the default, point SSH at the private key file:

ssh -i ~/.ssh/id_ed25519 agentic@YOUR_SERVER_IP

Windows (PowerShell): ssh -i $env:USERPROFILE\.ssh\id_ed25519 agentic@YOUR_SERVER_IP

Full walkthrough for ssh-keygen -f, ssh -i, and ~/.ssh/config: SSH key setup — custom key file.

Host key changed (strict checking)

If SSH reports Host key verification failed or points to an Offending … key in …/known_hosts, the machine at that IP likely has a new host key (new server, reinstall, or IP reassigned). Remove the old entry, then connect again and confirm the new fingerprint when prompted.

ssh-keygen -R YOUR_SERVER_IP

Non-default SSH port: ssh-keygen -R "[YOUR_SERVER_IP]:PORT"

Windows: OpenSSH uses %USERPROFILE%\.ssh\known_hosts (e.g. C:\Users\YourName\.ssh\known_hosts). ssh-keygen -R updates that file; or delete the single line the error names (e.g. line 14).

Only trust a new key if you expect the server to have changed; otherwise stop and verify out-of-band (possible impersonation).

Same topic in the general SSH guide: Stale host key.

2. Wait for the background install

On first boot, your server runs an automatic background NemoClaw install (Docker pulls, scripts). It may take several minutes. Check status:

  • /opt/nemoclaw/health-check.sh — quick status
  • /var/log/nemoclaw-install.log — full log
  • /opt/nemoclaw/nemoclaw-install-monitor.sh — follow the log

When the non-interactive install has finished successfully, the file /opt/nemoclaw/.installed exists. Then run interactive setup (next section).

3. Run interactive setup

From an interactive SSH session (normal ssh … shell — not a one-liner pipe unless you have verified the script accepts stdin), run:

/opt/nemoclaw/complete-setup.sh

The installer usually starts with NVIDIA; you can skip and continue with another provider. The following is an illustrative flow—follow your actual prompts (we plan to add screenshots of the live installer here).

$ /opt/nemoclaw/complete-setup.sh

[NVIDIA API key — exact wording varies]
Enter your NVIDIA API key (or skip / no to use another provider): █

... if you skip, installer continues with OpenAI / Anthropic / Google / other options ...

Enter your <provider> API key: █
(paste your key — input is usually hidden)
Press Enter

[INFO] Validating key...
[OK] Key accepted
[INFO] Continuing setup...
...

Provider console links: LLM setup → OpenClaw → Provider API keys. More NemoClaw-specific notes: LLM setup (NemoClaw).

4. Open the Control UI (browser)

Why you need port forwarding

The installer may show a link like http://127.0.0.1:18789/#token=…. Here 127.0.0.1 means inside the isolated environment where OpenClaw runs (the OpenShell sandbox)—not your laptop. Your browser on your PC cannot reach that address until you create SSH port forwards (tunnels).

Typical NemoClaw path (two hops):

  1. On the server (as root), forward sandbox 127.0.0.1:18789 to the server's own loopback. Leave this SSH session running (e.g. in tmux).
  2. On your PC, forward your local 127.0.0.1:18789 to that forward on the server. Leave this session open too.
  3. Open http://127.0.0.1:18789/#token=… in your browser — use http, not https, for this token UI.

One-hop shortcut: if the control UI is listening directly on the server, a single ssh -L from your PC is enough. The helper script below tells you which case applies.

OpenShell gateway (port 8080): sometimes you use the host gateway instead, with https:// and client certificates (mTLS). That is a different path from the raw OpenClaw token link. The root path / may return 404 even when the gateway is fine—follow the printed steps for your situation.

Copy-paste commands (on the server)

Run this on the server; it prints sections tailored to your login user agentic and what is listening:

sudo /opt/nemoclaw/print-ui-access.sh

It always includes Section A (sandbox token UI and two-hop SSH). If port 18789 is on the server itself, it adds a one-hop shortcut. If port 8080 is up, Section B covers importing certificates and tunneling the HTTPS gateway. You can optionally run sudo /opt/nemoclaw/write-openshell-sandbox-ssh-config.sh YOUR_SANDBOX first to write the OpenShell SSH config file, then use the ssh -F … -L … line it prints.

Treat URLs with #token= like passwords—do not share them or commit them to Git. If print-ui-access.sh is missing, contact support.

5. Troubleshooting

SSH and browser

  • Port 18789 connection refused before you set up tunnels: this is normal—the UI is not on your PC yet. Follow sudo /opt/nemoclaw/print-ui-access.sh (Section A). If the script says 18789 is on the server, one ssh -L from your PC is enough.
  • Token URL uses http vs https: the OpenClaw token UI on 127.0.0.1:18789 is typically http:// (localhost secure context). The OpenShell gateway on 8080 is https:// with mTLS — follow Section B in print-ui-access.sh, not the raw HTTP URL pattern for that path.
  • Docker permission denied: on the VPS, log out and back in after being added to the docker group, or run newgrp docker in your current shell (also referenced in Section B of the print script).
  • Permission denied (publickey): use the same key pair you registered in the dashboard; check -i path.
  • Host key verification failed / offending key in known_hosts: see Host key changed above (ssh-keygen -R, Windows known_hosts path).
  • Installer asks to create swap, then a password prompt: on new AgenticHosting servers, swap should already exist at /swapfile; confirm with swapon --show. If you still see the swap prompt (older server or interrupted first boot), answer no to optional swap and add swap manually as root, or run /opt/nemoclaw/complete-setup.sh from a session where sudo works without a password (AgenticHosting sets NOPASSWD for the SSH user). Ignore stray Changing password for root prompts unless you intentionally ran passwd; press Ctrl+C and re-run the setup step.
  • Install stuck: read /var/log/nemoclaw-install.log and /opt/nemoclaw/health-check.sh.

Interactive setup / API key

  • Invalid API key: no leading/trailing spaces; copy again from the provider console. NVIDIA keys often use prefix nvapi-; other vendors use their own prefixes (e.g. sk-ant-, sk-proj-)—compare to what that provider shows when you create a key.
  • Rate limited: free tiers can have usage limits; wait and retry, or review your provider's plan/limit messages; production may need a higher tier.
  • Account not verified: check email for a verification link for whichever provider you chose (NVIDIA, OpenAI, Anthropic, Google, etc.).
  • Key lost: create a new key in the provider portal; old secrets usually cannot be recovered, and the old key may be deactivated when you rotate.

Optional: key storage check (on the server)

To see whether common key prefixes appear under /opt/nemoclaw (results depend on how the installer stores credentials):

grep -rE "nvapi-|sk-ant-|sk-proj-" /opt/nemoclaw/ 2>/dev/null || true

If you see unexpected plaintext secrets, rotate the key in the provider console and consider tightening file permissions per that vendor's documentation.
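
A variant of the check above that reports which files hold a key prefix, with owner and permissions, but never prints the matched line (the plain grep echoes the secret into your terminal and scrollback). This is an added example, not part of NemoClaw or its installer; the function names and report format are assumptions, and the prefixes are the ones listed on this page.

```sh
#!/bin/sh
# Added example, not part of NemoClaw. Prefixes are the ones this page names;
# audit_key_files, count_exposed and the report format are assumptions.
KEY_PATTERN='nvapi-|sk-ant-|sk-proj-'

# audit_key_files [DIR]  (default: /opt/nemoclaw)
# One line per file that contains a key prefix:
#   <permissions> <owner> <verdict> <path>
# EXPOSED = group or others have any access bit; OK = owner-only.
audit_key_files() {
    dir=${1:-/opt/nemoclaw}
    # find hands paths to the inner shell as arguments, so odd file names
    # are safe; grep -q reports a match without echoing the secret.
    find "$dir" -type f -exec sh -c '
        pattern=$1; shift
        for f in "$@"; do
            grep -qE -e "$pattern" -- "$f" 2>/dev/null || continue
            meta=$(ls -ld -- "$f" | head -n 1)
            perms=$(printf "%s\n" "$meta" | cut -c1-10)
            owner=$(printf "%s\n" "$meta" | awk "{print \$3}")
            case $perms in
                ????------) verdict=OK ;;
                *)          verdict=EXPOSED ;;
            esac
            printf "%s %s %s %s\n" "$perms" "$owner" "$verdict" "$f"
        done
    ' sh "$KEY_PATTERN" {} + 2>/dev/null || true
}

# count_exposed [DIR]: how many key-bearing files are accessible beyond the owner.
count_exposed() {
    audit_key_files "$1" | grep -c ' EXPOSED ' || true
}
```

With no argument, audit_key_files scans /opt/nemoclaw. Files the current user cannot read are skipped silently, so run it from a root shell for a complete result.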