Gateway Authentication: Your First Line of Defense

The gateway is the control plane for your entire OpenClaw deployment. Without authentication, anyone who can reach the gateway port can issue commands, read conversations, and trigger tool execution.

Why It Matters

An unauthenticated gateway on a network interface is equivalent to leaving your server's SSH port open with no password. Attackers on the same network — or the internet, if port-forwarded — gain full control of your AI agent. This is the most critical security check.

How to Fix

Set gateway.auth.mode to "token" or "password" and provide a strong, random credential. For remote access, prefer SSH tunneling or Tailscale over direct network exposure.

openclaw.json
{
  "gateway": {
    "auth": {
      "mode": "token",
      "token": "$secret:gateway-token"
    },
    "bind": "loopback"
  }
}
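As an added example (not code from the OpenClaw project or this page), a small checker that applies this gateway authentication check to an openclaw.json file and a helper that generates a token with enough entropy to use as the credential. It assumes only the keys shown above (gateway.auth.mode, gateway.auth.token, gateway.bind); the "password" key for password mode and the 32-character minimum for literal credentials are assumptions, and the sample configs are constructed.

```python
import json
import secrets

# Constructed sample configs (not from the OpenClaw project): one insecure, one hardened.
INSECURE_CONFIG = json.dumps({"gateway": {"bind": "0.0.0.0"}})
HARDENED_CONFIG = json.dumps({
    "gateway": {
        "auth": {"mode": "token", "token": "$secret:gateway-token"},
        "bind": "loopback",
    }
})

MIN_CREDENTIAL_LENGTH = 32  # assumed policy for literal credentials, not an OpenClaw setting


def check_gateway_auth(config_text: str) -> list[str]:
    """Return findings for the gateway auth check; an empty list means it passes.

    Keys checked (gateway.auth.mode, gateway.auth.token, gateway.bind) are the ones
    shown on this page; the 'password' key for password mode is an assumption.
    """
    config = json.loads(config_text)
    gateway = config.get("gateway", {})
    auth = gateway.get("auth", {})
    mode = auth.get("mode")
    bind = gateway.get("bind", "loopback")
    findings = []

    if mode not in ("token", "password"):
        findings.append("gateway.auth.mode is not 'token' or 'password'")
        if bind != "loopback":
            # Worst case: no auth and reachable from the network.
            findings.append(f"unauthenticated gateway bound to non-loopback interface ({bind})")
        return findings

    credential = auth.get("token" if mode == "token" else "password", "")
    # A $secret: reference defers to the secret store; a literal must be long and random.
    if credential.startswith("$secret:"):
        return findings
    if len(credential) < MIN_CREDENTIAL_LENGTH:
        findings.append(f"gateway.auth.{mode} literal is shorter than {MIN_CREDENTIAL_LENGTH} characters")
    return findings


def generate_gateway_token(n_bytes: int = 32) -> str:
    """Generate a random credential for gateway.auth.token (256 bits of entropy by default)."""
    return secrets.token_urlsafe(n_bytes)
```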
