OpenClaw Deployment: The Definitive Production-Ready Guide

Three production deployments I've maintained have taught me the same lesson: the difference between a demo and a production system is not the code — it's the operational layer around it. OpenClaw itself is solid. What breaks is everything you didn't set up: process supervision, TLS, log rotation, firewall rules, and environment isolation.

Why Production Deployment Differs From Local Setup

On your laptop, OpenClaw runs fine with npm start. The process dies when you close the terminal. The gateway has no TLS. Your API keys are in a .env file that nobody else can access. None of that is acceptable for a production deployment serving real users or real automation pipelines.

Production requires four things that development doesn't: process supervision (auto-restart on crash and on reboot), TLS termination (HTTPS between clients and your gateway), network isolation (the gateway port is not public), and secret management (API keys are environment variables, not files on disk).

Sound familiar? These are the same requirements for any Node.js service. OpenClaw follows the same operational patterns. The good news: the toolchain is mature and the setup takes under 30 minutes once you know the steps.

Server Provisioning and Prerequisites

Any VPS running Ubuntu 22.04 LTS works. The minimum spec for a single-agent deployment with moderate LLM call volume is 2 vCPU and 2 GB RAM. For multi-agent setups with parallel tool calls, start at 4 GB RAM. Storage is minimal — 20 GB covers the OS, OpenClaw, and months of log files.

We'll need these tools on the server. Here's everything to install before touching OpenClaw:

# Update system packages
sudo apt update && sudo apt upgrade -y

# Install Node.js 20 LTS via NodeSource
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt install -y nodejs

# Verify versions
node --version   # Should be v20.x.x
npm --version    # Should be 10.x.x

# Install PM2 globally
sudo npm install -g pm2

# Install Nginx
sudo apt install -y nginx

# Install Certbot for Let's Encrypt TLS
sudo apt install -y certbot python3-certbot-nginx

# Install UFW firewall
sudo apt install -y ufw

Before going further — point your domain's A record at this server's IP. Certbot needs to verify the domain to issue a certificate. Give DNS up to 30 minutes to propagate before running Certbot.

Step-by-Step OpenClaw Deployment

We'll install OpenClaw in /opt/openclaw, run it as a dedicated system user, and manage it with PM2. Here's the exact sequence:

# Create a dedicated user (no login shell, no home directory)
sudo useradd --system --no-create-home --shell /usr/sbin/nologin openclaw

# Create installation directory
sudo mkdir -p /opt/openclaw
sudo chown openclaw:openclaw /opt/openclaw

# Clone or copy your OpenClaw config into place
cd /opt/openclaw
sudo -u openclaw git clone https://github.com/your-org/openclaw-config.git .

# Install dependencies as the openclaw user
sudo -u openclaw npm install --production

# Create the environment file
sudo nano /opt/openclaw/.env

The .env file holds your secrets. Never commit this to version control:

GATEWAY_TOKEN=your-long-random-gateway-secret
OPENAI_API_KEY=sk-...
ANTHROPIC_API_KEY=sk-ant-...
NODE_ENV=production
PORT=8080
LOG_LEVEL=info

Now create the PM2 ecosystem file to define how OpenClaw starts:

# /opt/openclaw/ecosystem.config.js
module.exports = {
  apps: [{
    name: 'openclaw',
    script: 'src/index.js',
    cwd: '/opt/openclaw',
    user: 'openclaw',
    instances: 1,
    autorestart: true,
    watch: false,
    max_memory_restart: '1G',
    env: {
      NODE_ENV: 'production'
    },
    log_date_format: 'YYYY-MM-DD HH:mm:ss',
    error_file: '/var/log/openclaw/error.log',
    out_file: '/var/log/openclaw/out.log',
    merge_logs: true
  }]
};

# Create log directory
sudo mkdir -p /var/log/openclaw
sudo chown openclaw:openclaw /var/log/openclaw

# Start OpenClaw via PM2
sudo pm2 start /opt/openclaw/ecosystem.config.js

# Save the process list
sudo pm2 save

# Generate and install the startup script
sudo pm2 startup systemd -u openclaw --hp /opt/openclaw
# Run the command PM2 prints — it looks like:
# sudo env PATH=$PATH:/usr/bin pm2 startup systemd -u openclaw ...

OpenClaw is now running and will restart automatically on crash or reboot. We'll get to the exact config in a moment — but first you need Nginx in place before TLS makes sense.

Nginx Reverse Proxy Configuration

# /etc/nginx/sites-available/openclaw
server {
    listen 80;
    server_name your-domain.com;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
        proxy_read_timeout 300s;
        proxy_connect_timeout 75s;
    }
}

# Enable site
sudo ln -s /etc/nginx/sites-available/openclaw /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

# Obtain TLS certificate
sudo certbot --nginx -d your-domain.com

Certbot modifies your Nginx config to add the HTTPS server block and redirect HTTP to HTTPS. After this step, your gateway is accessible at https://your-domain.com.

Configuration and Hardening

With the gateway running, lock down the server. Three steps cover 90% of your attack surface:

# Configure UFW firewall
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp   # SSH
sudo ufw allow 80/tcp   # HTTP (Nginx)
sudo ufw allow 443/tcp  # HTTPS (Nginx)
# Do NOT open port 8080 — only Nginx should reach it
sudo ufw enable

# Verify port 8080 is NOT publicly accessible
sudo ufw status
# Should show only 22, 80, 443

Set up PM2 log rotation to prevent disk exhaustion:

# Install PM2 log rotate module
sudo pm2 install pm2-logrotate

# Configure rotation: keep 14 days, rotate at 10MB
sudo pm2 set pm2-logrotate:max_size 10M
sudo pm2 set pm2-logrotate:retain 14
sudo pm2 set pm2-logrotate:compress true

Finally, configure automatic security updates so the OS patches itself without manual intervention:

sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

As of early 2025, this combination — PM2 + Nginx + UFW + unattended-upgrades — is the baseline production stack used by the majority of OpenClaw deployments in the community. It handles agent crashes, server reboots, traffic spikes, and common attack patterns without additional tooling.

Common Deployment Mistakes

• Skipping pm2 startup — This is the most common mistake. Your agents run fine until the server reboots, then nothing comes back. Run pm2 startup and pm2 save before considering the deployment done.
• Running as root — Creating a dedicated openclaw system user limits the blast radius of any compromise. Root processes have access to everything on the server. Agent code should not.
• Exposing port 8080 publicly — The gateway should only be reachable through Nginx. Port 8080 open to the internet bypasses TLS and exposes your gateway token in plaintext.
• Hardcoding API keys in config files — Use environment variables loaded from a root-readable .env file, not YAML configs that end up in version control. Rotate any key that has ever touched a git history.
• Not setting max_memory_restart in PM2 — Agents with memory leaks or runaway tool calls can exhaust server RAM and kill other processes. Set a memory ceiling — 1 GB is a reasonable starting point — and let PM2 restart the process before it destabilizes the host.

Frequently Asked Questions

What are the minimum server requirements for OpenClaw in production?

OpenClaw runs on 1 vCPU and 1 GB RAM for light workloads, but 2 vCPU and 2 GB RAM is the practical minimum for production. Agents under load with multiple concurrent LLM calls benefit from 4 GB RAM. Storage needs are modest — 20 GB covers most setups comfortably.

Should I use Docker or a bare Node.js process for OpenClaw?

Both work. Docker simplifies environment consistency and rollbacks. Bare Node.js with PM2 is faster to set up and easier to debug. For teams managing multiple services, Docker Compose wins. For single-server solo deployments, PM2 gets you to stable production faster.

Do I need a reverse proxy for OpenClaw?

Yes, for any production deployment. Nginx or Caddy in front of OpenClaw handles TLS termination, request buffering, rate limiting, and clean domain mapping. Running OpenClaw directly on port 80 or 443 is not recommended — it bypasses security and performance benefits a proxy provides.

How do I keep OpenClaw running after server reboots?

Use PM2 with startup scripts: run pm2 startup, then pm2 save after starting OpenClaw. PM2 registers a systemd service that auto-restarts your process on reboot. For Docker deployments, set restart: unless-stopped in your Compose file.

How do I update OpenClaw without downtime?

Pull the latest code, run npm install, then use pm2 reload openclaw for a zero-downtime reload. PM2 keeps the old process alive until the new one is ready. For Docker, update the image and use docker compose up -d --no-deps to replace the container.

What ports does OpenClaw use in production?

OpenClaw's gateway listens on port 8080 by default. Your reverse proxy maps public ports 80 and 443 to it. Keep port 8080 firewalled — only the reverse proxy should reach it. Agents connect to the gateway via the internal network or loopback.