Before you begin the in­stal­la­tion, it’s worth taking a moment to un­der­stand what OpenClaw is and why running the solution with Docker Compose is a practical and reliable approach:

Step 1: Why choose OpenClaw with Docker?

  • OpenClaw is an au­tonomous AI agent, capable of in­de­pen­dent­ly per­form­ing various tasks. These include, among others, pro­cess­ing messages, analyzing files, and au­tomat­ing chat con­ver­sa­tions.
  • OpenClaw can run on your own server, is open source and offers over 50 in­te­gra­tions (including WhatsApp, Telegram, Slack, and Discord).
  • The rec­om­mend­ed and most stable way to install it is via Docker Compose, because all de­pen­den­cies are au­to­mat­i­cal­ly managed in isolation. You can also update or extend them more easily later on.

OpenClaw uses Docker as an isolated en­vi­ron­ment. Docker Compose is then used to start multiple con­tain­ers at the same time, including the gateway, CLI, possibly a sandbox, and external tools that together form the system.

Note

OpenClaw acts in many setups primarily as a gateway and or­ches­tra­tion service that connects mes­sen­gers, tools, and services with a large language model (LLM). How au­tonomous­ly OpenClaw ul­ti­mate­ly operates largely depends on your specific con­fig­u­ra­tion, for example your network rules. For both security and clear ex­pec­ta­tions, you should define per­mis­sions according to the principle of least privilege and grant only the access that your au­toma­tions genuinely require.

Step 2: Find the right server

OpenClaw is not just a chatbot, but an au­tonomous­ly operating tool that runs on your server and interacts with programs, mes­sen­gers, and services. For example, you can use the software to manage calendars, handle files, and send no­ti­fi­ca­tions. It’s also possible to trigger au­toma­tions or execute entire developer workflows.

For most scenarios, a VPS setup is a strong choice, as it offers a cost-effective yet capable foun­da­tion for running OpenClaw with Docker. It becomes even more con­ve­nient if your VPS host supports n8n au­toma­tion, which sim­pli­fies con­nect­ing OpenClaw to other services.

As a rule of thumb, the more complex your tasks are, the more RAM and CPU capacity you should allocate. Docker Compose and AI models also require suf­fi­cient storage for images, container logs and per­sis­tent data. Overall, the exact resource re­quire­ments depend heavily on the workload and, in par­tic­u­lar, on whether you rely on a cloud-based LLM or run the models locally.

The table below offers a general guideline, outlining example use cases and the cor­re­spond­ing rec­om­mend­ed VPS spec­i­fi­ca­tions.

Use case Main functions Rec­om­mend­ed VPS resources
Digital everyday assistant Ap­point­ment summaries, messages, calendar 4 vCores CPU, 4 GB RAM, 120 GB disk space
Workflow au­toma­tion & doc­u­men­ta­tion Create documents, process data, file upload 6 vCores CPU, 8 GB RAM, 240 GB disk space
Developer pro­duc­tiv­i­ty & remote au­toma­tion Tests, builds, logs, shell tasks 8 vCores CPU, 16 GB RAM, 480 GB disk space
Free VPS Trial
30-day money-back guarantee

Try out your VPS for 30 days. If you're not satisfied, you get your money back.

Step 3: Install the operating system and set up a secure con­nec­tion

Before you can install software like OpenClaw with Docker Compose, you need an operating system on your server. For the OpenClaw Docker setup, a Linux dis­tri­b­u­tion such as Ubuntu Server is a good choice. Install a current Ubuntu version on your VPS and then establish a secured con­nec­tion to your server, for example via SSH (Secure Shell). Make sure to use SSH access with keys instead of passwords so your server is protected against unau­tho­rized access.

Note

This tutorial demon­strates a working standard setup intended for test and de­vel­op­ment en­vi­ron­ments. You should not deploy the default con­fig­u­ra­tion unchanged on the public internet. For pro­duc­tion systems, implement ad­di­tion­al hardening measures such as TLS/HTTPS pro­tec­tion via a reverse proxy, cen­tral­ized secrets man­age­ment, network isolation and firewall rules, mon­i­tor­ing and alerting, and regular backups of data and con­fig­u­ra­tions.

Step 4: Install Docker and Compose

Once you’ve es­tab­lished a secure con­nec­tion to the server and set up your desired operating system, you can install Docker and Compose. First, you should update the system to the latest version:

sudo apt update && sudo apt upgrade -y
sudo apt install -y ca-certificates curl gnupg lsb-release
bash

Then add the Docker GPG key and set up the repos­i­to­ry:

sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo \
    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
    $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
bash

Update the package list again and then install the Docker Engine, the Docker CLI (command-line interface), and the “con­tain­erd” service:

sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io
bash

In the final step, install Docker Compose. On many modern systems, this can be done using the plugin-based in­stal­la­tion method:

sudo apt install -y docker-compose-plugin
bash

Al­ter­na­tive­ly, download the in­stal­la­tion files manually:

mkdir -p ~/.docker/cli-plugins
curl -SL https://github.com/docker/compose/releases/latest/download/docker-compose-linux-x86_64 \
    -o ~/.docker/cli-plugins/docker-compose
chmod +x ~/.docker/cli-plugins/docker-compose
bash

You can verify that the in­stal­la­tion was suc­cess­ful with the following command:

docker --version
docker compose version
bash
Image: ION_CA_VPS_Fallback_960x320.png
Image: ION_CA_VPS_Fallback_1200x1200.png

Step 5: Clone the OpenClaw repos­i­to­ry

Next, download the OpenClaw source code, which already contains the required Docker con­fig­u­ra­tion:

sudo apt install git -y
git clone https://github.com/openclaw/openclaw.git
cd openclaw
bash

You will now find, among other files, a script called “docker-setup.sh” and the file “docker-compose.yml”, which defines the default con­tain­ers. The latter YAML con­fig­u­ra­tion file contains, among other things, the following in­for­ma­tion:

  • openclaw-gateway: The main service that starts OpenClaw
  • env_file: This in­for­ma­tion tells the container where the en­vi­ron­ment variables are located
  • volumes: This entry ensures that your data is stored per­sis­tent­ly instead of being lost in the container
  • ports: Opens the service on port 18789 so you can later access it in your browser

Step 6: Create en­vi­ron­ment variables and enter API keys

To ensure OpenClaw knows which AI provider to use, how to com­mu­ni­cate with external services, and how to au­then­ti­cate, you need to store several key settings in a .env file. This is a standard text file that contains sensitive in­for­ma­tion such as API keys and tokens and should never be made public (for example, in Git repos­i­to­ries). Ad­di­tion­al­ly, secure the .env file with re­stric­tive per­mis­sions using the command chmod 600 .env.

How to create the .env file step by step

  1. Copy the example file included in the repos­i­to­ry using the following command: cp .env.example .env
  2. Open the new file for editing with the following command: nano .env
  3. You will now see various place­hold­ers. The most important lines you should adjust in this file are the following (the values shown are only examples):
LLM_PROVIDER=anthropic
ANTHROPIC_API_KEY=sk-ihrapikey123xyz
GATEWAY_TOKEN=my_secure_gateway_token_abc
MODEL_VERSION=claude-4-5-sonnet-20260101
txt

LLM_PROVIDER defines which AI provider you want to use. Anthropic is es­sen­tial­ly the rec­om­mend­ed default, but you can of course choose any other option. The cor­re­spond­ing API keys are required so that OpenClaw and Docker can access the LLMs in the cloud. GATEWAY_TOKEN protects access to the dashboard, and with MODEL_VERSION you specify the desired version of the AI model, for example Claude 4.5. Provider names and model versions change fre­quent­ly, so the values shown here are only examples. Refer to your provider’s current doc­u­men­ta­tion for the correct entries.

Note

For pro­duc­tion setups, Docker secrets or a password manager are often a better choice than storing keys in plain text in text files.

Step 7: Run the setup script

After you’ve cloned the OpenClaw repos­i­to­ry, you will also find a file named “docker-setup.sh,” as already mentioned. This file is a setup script that automates many tasks you would otherwise have to perform manually. It’s part of the official OpenClaw Docker in­stal­la­tion rec­om­men­da­tion. Without the script, you would have to:

  • Build Docker images
  • Adjust Docker Compose con­fig­u­ra­tions
  • Enter en­vi­ron­ment variables (if you haven’t already done this manually in Step 6 as described)
  • Start con­tain­ers

The setup script takes this work off your hands and ensures that the con­tain­ers are installed and con­fig­ured correctly. To check in advance what the script actually does, you can run the command less docker-setup.sh. If you’re com­fort­able with the changes, start it with the following terminal command:

./docker-setup.sh
bash

During in­stal­la­tion, you’ll be in­ter­ac­tive­ly asked about setup options (gateway mode, provider, tokens). Answer these prompts as desired to complete the OpenClaw Docker setup.

Step 8: Start Docker Compose

Once the Compose files are prepared, start all services. The following command pulls the images, launches the required con­tain­ers, and au­to­mat­i­cal­ly mounts the necessary volumes:

docker compose up -d
bash

To make sure there are no errors and all services have started up correctly and are running properly, simply enable logging so you can view the logs in real time:

docker compose logs -f
bash
Tip

Logging will also play an important role once your OpenClaw Docker in­stal­la­tion is running in pro­duc­tion. It allows you to con­tin­u­ous­ly monitor resource usage (CPU/RAM/disk) and track error rates over time.

Step 9: Access the web interface

Once every­thing is up and running, you can access the web ad­min­is­tra­tion interface in your browser at http://YOUR_SERVER_IP:18789. Replace YOUR_SERVER_IP with the IP address of your server. From the OpenClaw dashboard, you can now, among other things:

  • Start chat con­ver­sa­tions
  • Configure your agents
  • Create pairing tokens for clients or devices

If error messages like “Unau­tho­rized” or “Pairing required” appear in the browser, simply request a fresh dashboard token with the following command:

docker compose run --rm openclaw-cli dashboard --no-open
bash

Then approve the process as follows:

docker compose run --rm openclaw-cli devices list
docker compose run --rm openclaw-cli devices approve <requestID>
bash
Tip

Is the container not starting? Check the logs with docker compose logs -f to identify the issue, or review the .env file for missing keys or typos. If the port cannot be reached, you will likely need to adjust your firewall settings or security groups.

Step 10: Secure the OpenClaw Docker instance

OpenClaw can perform system-level actions and execute tasks. If it is exposed to the internet without pro­tec­tion, unau­tho­rized users could po­ten­tial­ly access it. For this reason, follow these security guide­lines:

  • Protect your server with a firewall. Only necessary con­nec­tions should be allowed.
  • Open the OpenClaw port (18789 by default) only when necessary. If you want to allow public access, it’s best to restrict it to trusted IP addresses and enforce con­nec­tions through a reverse proxy with HTTPS or a VPN.
  • Secure your con­tain­ers specif­i­cal­ly by starting them without root priv­i­leges whenever possible, running file systems as read-only, and removing un­nec­es­sary per­mis­sions. Avoid un­nec­es­sary host mounts and restrict network access so that only required targets, such as messenger APIs and LLM providers, are available.
  • Use token-based au­then­ti­ca­tion. The GATEWAY_TOKEN you set in the .env file is used to prevent unau­tho­rized access.
  • Make sure not to run OpenClaw as root inside the container and limit per­mis­sions using flags like --read-only, --cap-drop=ALL, and --security-opt=no-new-privileges to reduce potential attack surfaces.
  • Create an isolated Docker network en­vi­ron­ment or use rules so that OpenClaw can reach only the external services it truly needs (for example, AI provider APIs), instead of having un­re­strict­ed internet access.
  • Make sure you use the correct settings in the OpenClaw security con­fig­u­ra­tion. All au­then­ti­ca­tion mech­a­nisms should be enabled, and all gateway rules must be properly defined for pro­duc­tion use.

On Linux systems like Ubuntu, you can quickly enable solid basic pro­tec­tion using the Un­com­pli­cat­ed Firewall (ufw):

sudo ufw allow 22/tcp
sudo ufw allow 18789/tcp
sudo ufw enable
bash

Allowing TCP port 22 enables secure SSH access. TCP port 18789 is the default port for OpenClaw, unless you have con­fig­ured a different port. If you prefer not to expose the port publicly, you can restrict access to specific IP addresses only.

Tip

A secure con­nec­tion setup could look like this. Use a reverse proxy such as NGINX, Traefik, or Caddy. In addition, install a TLS cer­tifi­cate, for example the free Let’s Encrypt cer­tifi­cate. Then forward requests in­ter­nal­ly to localhost:18789.

Where supported, it is also advisable to configure rate limiting to restrict the number of requests and to enable Basic Auth or OIDC to strength­en au­then­ti­ca­tion.

Step 11: Set up messaging in­te­gra­tions

OpenClaw can connect to various chat platforms, including Slack, WhatsApp, Telegram, and many more. This allows you to control your AI agent directly from your work chat. For example, if you connect OpenClaw to Slack, your AI agent acts like a Slack bot. You can then ask it questions or send tasks in your team chat, and it will respond or perform actions.

The in­te­gra­tion works roughly as follows (depending on the in­te­gra­tion, there are slight dif­fer­ences in the setup):

  1. Register bot / ap­pli­ca­tion: Create a bot or an app in the re­spec­tive service (for example, Telegram, Slack, Discord). Typically, this is done via the service’s developer portal. In the end, you receive one or more API tokens/keys that are used to au­then­ti­cate your bot.
  2. Enter tokens / keys in OpenClaw: Add the API cre­den­tials (for example, TELEGRAM_BOT_TOKEN, SLACK_BOT_TOKEN) to the OpenClaw con­fig­u­ra­tion file .env or an ap­pro­pri­ate con­fig­u­ra­tion interface.
  3. Restart or configure OpenClaw: Restart OpenClaw so it can apply the new in­te­gra­tion settings.
  4. Pairing / au­then­ti­ca­tion: Depending on the service, you must authorize the bot or the con­nec­tion once, for example via pairing codes, OAuth flows, or con­fir­ma­tion links provided by the service or by OpenClaw.
  5. Test: Send a test message via the bot or chat to check whether OpenClaw responds correctly.
Tip

Handle API tokens con­fi­den­tial­ly, grant only the necessary per­mis­sions, test the con­nec­tion right after setup, and complete the au­tho­riza­tion process (for example, pairing/OAuth). If issues arise, check the logs and, for initial tests, use a private channel or workspace.

Step 12: Keep OpenClaw up to date

To ensure you always have access to the latest features of the tool and that current bug fixes and security updates are installed, it’s important to update OpenClaw regularly. To do this, first navigate to the directory:

cd ~/openclaw
bash

Then fetch the latest version with the following command:

git pull
docker compose pull
bash

Restart your OpenClaw Docker instance afterward:

docker compose up -d
bash
Tip

Schedule backups of the per­sis­tent volumes (con­fig­u­ra­tion, tokens and relevant data) so that you have reliable copies available to restore your projects in an emergency.

Go to Main Menu