This site contains affiliate links. If you purchase through them I may earn a commission at no extra cost to you. Full disclosure.
Archive / OpenClaw / Setup
The short answer: your OpenClaw .env is the single source of truth for the gateway's identity, security, and connectivity. Get it right once and deployments stay boring. Miss a variable or expose secrets and you'll chase ghosts later.
"Boring env files lead to boring deployments. If your .env differs between servers, you already have drift."
These must be present for OpenClaw to start. Use this as a baseline template:
# Listen on localhost only; reverse proxy will expose publicly
GATEWAY_LISTEN=127.0.0.1:8080
APP_PORT=8080
# Secrets — generate strong random values
JWT_SECRET=$(openssl rand -hex 32)
SESSION_SECRET=$(openssl rand -hex 32)
# Database (example SQLite for small deployments)
DATABASE_URL=sqlite:/var/lib/openclaw/openclaw.db
# For Postgres: DATABASE_URL=postgresql://user:pass@localhost:5432/openclaw
# Logging
LOG_LEVEL=info
LOG_FILE=/var/log/openclaw/openclaw.log
# Optional: Admin credentials if using auth
ADMIN_USER=admin
ADMIN_PASSWORD=change-me-immediately
# Optional: S3-compatible storage for uploads
S3_ENDPOINT=https://s3.us-east-1.amazonaws.com
S3_BUCKET=my-openclaw-uploads
S3_ACCESS_KEY=...
S3_SECRET_KEY=...
# Optional: SMTP for notifications
SMTP_HOST=smtp.example.com
SMTP_PORT=587
[email protected]
SMTP_PASS=...
Never bind OpenClaw directly to 0.0.0.0 in production. Keep it local and use a reverse proxy (nginx, Caddy) to handle TLS and public exposure.
# Correct
GATEWAY_LISTEN=127.0.0.1:8080
# Avoid in production
# GATEWAY_LISTEN=0.0.0.0:8080
Pick a port that's not already used. 8080, 3000, and 4567 are common defaults. Avoid 80/443 on the gateway; let the proxy handle those.
These must be cryptographically random and at least 32 bytes. Never reuse them across environments. Use openssl rand -hex 32 to generate.
JWT_SECRET=$(openssl rand -hex 32)
SESSION_SECRET=$(openssl rand -hex 32)
If the ADMIN_USER/ADMIN_PASSWORD variables are set, change the password immediately from the default. Consider using an external auth provider instead.
Some OpenClaw builds support rate limiting. Enable it if you're internet-facing:
RATE_LIMIT_ENABLED=true
RATE_LIMIT_MAX=100 per IP per minute
SQLite is fine for single-node, low-to-moderate write workloads. If you anticipate higher concurrency or want easier backups, use Postgres.
# SQLite
DATABASE_URL=sqlite:/var/lib/openclaw/openclaw.db
# Postgres
DATABASE_URL=postgresql://openclaw:strongpass@localhost:5432/openclaw
For anything beyond trivial uploads, use S3-compatible storage. Configure:
S3_ENDPOINT=https://s3.us-east-1.amazonaws.com
S3_BUCKET=my-openclaw-uploads
S3_REGION=us-east-1
S3_ACCESS_KEY=AKIA...
S3_SECRET_KEY=...
S3_PATH_STYLE=true # if using non-AWS S3-compatible service
Any webhook or external service (SMTP, Slack, webhook endpoints) needs its own credentials here. Keep them out of version control by using a template and real values only on the server.
SMTP_HOST=smtp.example.com
SMTP_PORT=587
[email protected]
SMTP_PASS=...
SLACK_WEBHOOK_URL=https://hooks.slack.com/services/...
Before you systemctl start openclaw, source the env file to catch syntax errors and check required variables:
# Quick syntax check
set -a
source .env
set +a
echo "Env loaded OK"
Also verify types:
# Confirm numeric ports
echo "APP_PORT=$APP_PORT"
# Confirm required secrets are present and long enough
[ ${#JWT_SECRET} -ge 32 ] || { echo "JWT_SECRET too short"; exit 1; }
[ ${#SESSION_SECRET} -ge 32 ] || { echo "SESSION_SECRET too short"; exit 1; }
.env.example with the same keys, different placeholder values. Treat that as your schema..env must be in .gitignore. If you accidentally commit, rotate the secrets and scrub from git history..env should be 600 (read/write owner only).Take your current OpenClaw server and extract its .env into a git-ignored file. Compare against the checklist above. Fill any gaps, fix permissions (chmod 600 .env), and reload. If your gateway is behind a reverse proxy, ensure GATEWAY_LISTEN=127.0.0.1:8080 and that the proxy forwards to that port.
Need a reliable VPS to practice this? Hostinger's plans give you full root access to set up OpenClaw correctly.
The most important are: GATEWAY_LISTEN=127.0.0.1:8080 (local bind), APP_PORT if you expose a port, JWT secret for auth, database connection strings, and any external API keys you rely on. Missing or wrong values here will prevent gateway startup or cause runtime errors.
For small deployments, a gitignored .env file is fine. For production with multiple users or compliance needs, use a secrets manager (HashiCorp Vault, AWS Secrets Manager, or at least sops-encrypted files). Never commit real secrets to the repository.
Use the OpenClaw CLI or a quick env-lint script. Check that required variables are set and that values look plausible (JWT length, valid URLs, numeric ports). A one-liner: set -a; source .env; set +a; echo ok will catch syntax errors.
Having different .env files across environments and not tracking the differences. If dev has A and prod has B, you have drift. Keep the same variable names everywhere; only values differ. Use a .env.example as a contract and version control the template.
When you have more than one person with access, need audit logs, rotate keys automatically, or deploy to multiple servers where distributing .env securely becomes a problem. Start simple, then upgrade when your processes justify the complexity.
Get a server where you can control the environment. Follow the env file checklist and keep your OpenClaw deployment boring and reliable.
See Hostinger VPS plans — straightforward pricing, full root access.