Documentation / OpenClaw login

OpenClaw: first login & web dashboard

Use this after your OpenClaw VPS is running and you have the server IP from your email or Dashboard → Servers.

← Documentation overview

What you need

  • Your server public IPv4 (from the “server ready” email or Dashboard → Servers).
  • The private SSH key that matches the public key you added in the dashboard before the server was created.
  • A terminal on your computer: PowerShell (Windows), Terminal (macOS), or your Linux shell.

1. SSH into the server

Replace YOUR_SERVER_IP with your IPv4. If you use a non-default login name, it is still usually agentic unless your operator told you otherwise.

ssh agentic@YOUR_SERVER_IP

If your key is not the default, point SSH at the private key file (example paths):

ssh -i ~/.ssh/id_ed25519 agentic@YOUR_SERVER_IP

Windows: try ssh -i $env:USERPROFILE\.ssh\id_ed25519 agentic@YOUR_SERVER_IP in PowerShell.

If an IP was reused from a previous server, clear the old host key first: ssh-keygen -R YOUR_SERVER_IP. More options (Windows paths, custom SSH port): Stale host key. For generating or selecting a non-default key file: Custom key file.

2. (Optional) Quick health check on the server

After a few minutes, OpenClaw’s gateway should answer on port 18789. On the server run:

curl -sS -o /dev/null -w "%{http_code}\n" http://127.0.0.1:18789/healthz

A line showing 200 means the gateway is up. If you see errors, check sudo docker logs --tail 50 openclaw-gateway (may need cd /opt/openclaw for compose commands).

3. Start onboarding in the terminal (do this before the browser)

OpenClaw is configured through an interactive onboard in your SSH session on the server. Run this before you set up an SSH tunnel or open the Control UI in a browser—follow the prompts until onboard finishes (providers, API keys, channels, etc.).

Have provider keys ready first if you can; see LLM setup (OpenClaw) for where to create them.

  1. Navigate to the OpenClaw directory:
    cd /opt/openclaw
  2. Run the onboarding wizard:
    cd /opt/openclaw
sudo docker compose run --rm --no-deps --entrypoint node openclaw-gateway \
  dist/index.js onboard --mode local --no-install-daemon

For more CLI usage, see the OpenClaw Docker install docs.

4. Cloud firewall

If you use a cloud provider firewall, allow inbound TCP 18789 (and 18790 if you use bridge features) from your IP or as your security model allows. Otherwise your browser or tunnel may not reach the gateway.

5. Open the Control UI in your browser (SSH tunnel)

The Control UI needs a secure context for device login: HTTPS or http://127.0.0.1 / http://localhost. Opening http://YOUR_PUBLIC_IP:18789 directly often shows a message about device identity or HTTPS / localhost — that is expected.

Fix: create an SSH tunnel on your own computer, then use the browser on that same computer at http://127.0.0.1:18789.

macOS / Linux

Leave this terminal open while you use the dashboard (-N means “no remote shell”, tunnel only):

ssh -N -L 18789:127.0.0.1:18789 -i ~/.ssh/id_ed25519 agentic@YOUR_SERVER_IP

Windows PowerShell

ssh -N -L 18789:127.0.0.1:18789 -i $env:USERPROFILE\.ssh\id_ed25519 agentic@YOUR_SERVER_IP

Omit -i … if your key is already loaded in ssh-agent or set in ~/.ssh/config.

Then open: http://127.0.0.1:18789 (not https:// for this local address).

Later: HTTPS without a tunnel

For a bookmarkable URL, put a reverse proxy (Caddy, nginx, Traefik) with a real certificate in front of the gateway on a domain. Until then, the SSH tunnel is the simplest secure approach.

Troubleshooting (short)

  • Permission denied (publickey): use the same key pair you registered in the dashboard; check -i path.
  • Connection refused / timeout on 18789: firewall, or gateway not running — sudo docker compose ps in /opt/openclaw.
  • Docker compose warns about “home” variable: the file must use real paths like /home/agentic/.openclaw, not the literal text ${home}.