The core server component of OpenClaw that manages agent communication, channel connections, and tool execution. The gateway is what makes OpenClaw an always-on agent rather than a one-shot chatbot.
The OpenClaw gateway is the runtime engine. It maintains persistent connections to messaging channels (WhatsApp, Telegram, Discord, Slack), processes incoming messages, routes them to the configured LLM, executes tool calls via MCP, and sends responses back.
Unlike a chatbot that responds to one message at a time, the gateway maintains state — conversation history, active tasks, scheduled actions, and channel health. It runs continuously as a Docker container.
The gateway also handles multi-agent coordination when configured, routing tasks between specialized agents and maintaining supervision hierarchies.
The gateway is the attack surface. Every exposed OpenClaw instance on Shodan has an unsecured gateway. The gateway holds your API keys, has filesystem access, and can execute shell commands. Securing the gateway is not optional — it is the entire security story for OpenClaw deployments.
Clawctl runs each gateway in an isolated container with a per-tenant Docker socket proxy. The gateway cannot access the host system. API keys are injected as encrypted environment variables, never stored in config files. Egress filtering limits which domains the gateway can reach. Health checks monitor the gateway and auto-restart on failure.
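A defender-side check for the exposure points named above (a gateway port reachable from outside, host filesystem and Docker socket access, missing health checks and restarts), as an added example that is not OpenClaw or Clawctl code. It reads the standard `docker inspect` JSON; the container name, port and mount paths in the sample are constructed for illustration.

```python
import json

# Constructed record in the shape of one element of `docker inspect` output.
SAMPLE_INSPECT = json.loads("""
{"Name": "/gateway-demo",
 "Config": {"Healthcheck": null},
 "HostConfig": {"Privileged": false, "NetworkMode": "bridge",
                "RestartPolicy": {"Name": "no"},
                "PortBindings": {"8080/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}]}},
 "Mounts": [{"Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"},
            {"Source": "/", "Destination": "/host"}]}
""")

LOOPBACK = {"127.0.0.1", "::1"}

def audit_gateway_container(info):
    """Return findings for one `docker inspect` record of a gateway container."""
    findings = []
    host = info.get("HostConfig") or {}
    if host.get("Privileged"):
        findings.append("privileged container")
    if host.get("NetworkMode") == "host":
        findings.append("shares host network namespace")
    for mount in info.get("Mounts") or []:
        src = mount.get("Source", "")
        if src.endswith("docker.sock"):
            findings.append("raw Docker socket mounted")
        elif src == "/":
            findings.append("host root filesystem mounted")
    for port, binds in (host.get("PortBindings") or {}).items():
        for bind in binds or []:
            # An empty HostIp means "all interfaces", same as 0.0.0.0.
            if bind.get("HostIp", "") not in LOOPBACK:
                findings.append(f"port {port} published beyond loopback")
    check = (info.get("Config") or {}).get("Healthcheck")
    # Test == ["NONE"] is how Docker records an explicitly disabled healthcheck.
    if not check or check.get("Test") == ["NONE"]:
        findings.append("no healthcheck defined")
    if (host.get("RestartPolicy") or {}).get("Name") in (None, "", "no"):
        findings.append("no restart policy")
    return findings

if __name__ == "__main__":
    for finding in audit_gateway_container(SAMPLE_INSPECT):
        print(f"{SAMPLE_INSPECT['Name']}: {finding}")
```

To audit a live host, feed each element of `docker inspect $(docker ps -q)` to `audit_gateway_container`. The check covers container configuration only; it does not test whether the gateway's admin interface requires authentication.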
It is the always-on server that connects your AI agent to messaging channels, processes messages through your LLM, executes tools, and maintains conversation state.
No. Out of the box, the gateway exposes its admin interface and API without authentication. This is why 42,665 instances were found exposed. Clawctl adds security controls around the gateway.
Yes. Each OpenClaw instance runs its own gateway. Clawctl manages multiple isolated gateways for multi-tenant deployments.
Agent Gateway Protocol
The communication protocol between the OpenClaw gateway and connected channels, handling message normalization, delivery guarantees, and channel-specific features.
Tenant Isolation
The complete separation of resources, data, and credentials between different customers (tenants) on a shared platform.
Docker Sandbox
A Docker container configured with restricted permissions that isolates an AI agent from the host system and other containers.
Egress Filtering
Network-level control that restricts which external domains an AI agent can communicate with, preventing data exfiltration.