How to Install OpenClaw: Complete 2026 Guide

TL;DR: Installing OpenClaw requires Docker, Docker Compose, and a machine with at least 4GB of RAM and 2 CPU cores. The process involves cloning the repository, configuring environment variables for your LLM provider and connected services, running docker compose up, and then hardening the default configuration, which ships with no authentication and binds to all network interfaces. Most installation failures come from three places: Docker version incompatibilities, missing environment variables, and OAuth 2.1 configuration errors after OpenClaw dropped API key support in January 2026. Beyond the initial install, you need to configure token budgets and loop detection to prevent runaway API costs, set up OAuth 2.1 for every connected service (1-2 hours each), and add authentication middleware, TLS, and firewall rules for security. This guide walks through every step, including the security hardening that quickstart tutorials skip. If you'd rather skip the technical work entirely, a managed setup handles all of this for you.

What is OpenClaw installation?

OpenClaw installation is the process of deploying the open-source autonomous AI agent framework on a server or local machine so it can run continuously, connect to your tools, and handle tasks on your behalf.

Unlike consumer AI tools that run in a browser, OpenClaw requires a dedicated computing environment, typically a Linux server running Docker, where it operates as a stack of interconnected services including the agent runtime, web gateway, memory store, and tool servers.

If you're new to OpenClaw, our complete guide for business leaders covers what it does and why it matters before you get into the technical details.

What do you need before installing?

You need a machine with at least 4 GB of RAM, 2 CPU cores, and 20 GB of storage, plus Docker Engine 24.0+, Docker Compose v2.20+, and Git. For production use, double those hardware specs and plan on a cloud server rather than a local machine.

OpenClaw isn't a lightweight application. It runs multiple Docker containers simultaneously, each consuming memory and CPU. Here's what you actually need, not the minimums from the README, but what works reliably in production.

Hardware requirements

| Component | Minimum | Recommended | Why it matters | |-----------|---------|-------------|----------------| | RAM | 4 GB | 8 GB | The agent runtime, memory store, and gateway each need headroom. 4 GB works for testing. 8 GB prevents crashes under real workloads. | | CPU | 2 cores | 4 cores | Multi-container orchestration and concurrent tool execution benefit from additional cores. | | Storage | 20 GB | 50 GB | Docker images, agent memory, logs, and conversation history accumulate quickly. | | Network | Stable connection | Low latency | Your agent makes API calls constantly, to LLM providers, email servers, calendars. Network hiccups cause cascading failures. |

Software prerequisites

You need three things installed before touching OpenClaw:

1. Docker Engine 24.0+ (not Docker Desktop, which works but adds overhead on Linux). Check with docker --version.
2. Docker Compose v2.20+, the docker compose command (not the older docker-compose with a hyphen). Check with docker compose version.
3. Git for cloning the repository. Check with git --version.

If you're choosing a server, we wrote a full comparison of the best VPS providers for OpenClaw with specific pricing and setup instructions. For a broader overview of the full setup process including managed options, see our guide to setting up an AI agent.

What about running it on a Mac or Windows PC?

You can run OpenClaw locally for testing, but it's not practical for production. An autonomous agent needs to run 24/7 (checking your email at 3 AM, prepping your morning briefing before you wake up). Your laptop can't do that if it's asleep, closed, or updating Windows.

For anything beyond experimentation, you want a cloud server. Even the cheapest VPS options ($6-12/month) provide the always-on environment OpenClaw needs.

How do you clone and set up the repository?

Start by pulling down the OpenClaw source code with git clone, then copy the example environment file to create your own configuration. The .env file is where all your API keys, provider settings, and gateway configuration live.

Start by pulling down the OpenClaw source code:

git clone https://github.com/openclaw/openclaw.git
cd openclaw

You'll see a directory structure that includes docker-compose.yml, a .env.example file, and several subdirectories for different services. The .env.example file is your starting point for configuration.

How do you configure environment variables?

Copy the example environment file and set your LLM provider keys, gateway binding address, and memory store location. The most important change is switching the gateway from 0.0.0.0 to 127.0.0.1 to prevent public exposure.

Copy the example environment file:

cp .env.example .env

Now open .env in a text editor. The critical variables you need to set:

LLM provider configuration

# Choose your LLM provider
DEFAULT_MODEL_PROVIDER=openai
OPENAI_API_KEY=sk-your-key-here

# Or use Anthropic
# DEFAULT_MODEL_PROVIDER=anthropic
# ANTHROPIC_API_KEY=sk-ant-your-key-here

Cost warning: Without proper token budgeting (covered in Step 5), a misconfigured agent can burn through hundreds of dollars in API costs per day. Real users have reported $1,000+ in token costs within three days. Set conservative limits from the start.

Gateway configuration

# CRITICAL: Change from default 0.0.0.0 to localhost
GATEWAY_HOST=127.0.0.1
GATEWAY_PORT=3000

The default 0.0.0.0 binding is the single biggest security risk in OpenClaw. It means your instance accepts connections from anywhere on the internet. CrowdStrike found over 135,000 instances exposed this way. Change it to 127.0.0.1 immediately.

Memory store configuration

MEMORY_STORE=chromadb
CHROMA_PERSIST_DIRECTORY=./data/chroma

ChromaDB is the default and works well for single-agent setups. The persist directory determines where your agent's memory lives on disk.

How do you start the Docker containers?

Run docker compose up -d to start all services in the background. First run takes several minutes to download images. Use docker compose ps to verify all services are running, and check logs for any services showing "restarting" or "exited" status.

With your .env configured, start the stack:

docker compose up -d

The -d flag runs containers in the background. For a deeper understanding of how these containers work together, see our OpenClaw Docker configuration guide. First run will take several minutes as Docker pulls the required images (roughly 2-4 GB of downloads depending on your configuration).

Check that everything is running:

docker compose ps

You should see all services listed as "running" or "healthy." If any show "restarting" or "exited," check the logs:

docker compose logs [service-name]

Common errors at this stage

Port conflicts: If port 3000 is already in use, you'll see a bind error. Change GATEWAY_PORT in your .env or stop whatever's using port 3000.

Insufficient memory: Containers will repeatedly restart if your machine doesn't have enough RAM. The docker compose logs will show OOMKilled errors. You need more memory or fewer concurrent services.

Docker socket permissions: On Linux, you may need to add your user to the docker group: sudo usermod -aG docker $USER then log out and back in.

How do you configure OAuth 2.1?

As of January 2026, OpenClaw requires OAuth 2.1 for all service connections. For each service (email, calendar, Slack), you register an OAuth application, set callback URLs, configure client credentials, and define permission scopes. Budget 1-2 hours per service.

As of January 2026, OpenClaw requires OAuth 2.1 for all service connections. This replaced the simpler API key authentication and broke most of the tutorials written before that date.

For each service you want your agent to access (email, calendar, Slack, CRM) you need to:

1. Register an OAuth application with the service provider (Google Cloud Console for Gmail/Calendar, Slack API dashboard, etc.)
2. Set the callback URL to your OpenClaw instance's OAuth endpoint
3. Configure the client ID and secret in your .env file
4. Define permission scopes for what your agent is allowed to do with each service

The specifics vary by service. Google requires a Cloud project with enabled APIs. Slack requires a custom app with bot token scopes. Microsoft requires an Entra ID app registration.

This is consistently the most time-consuming part of OpenClaw setup. Each service has its own console, its own terminology, and its own way of defining permissions. Budget 1-2 hours per service integration if this is your first time.

How do you set up token budgets and cost controls?

Configure spending limits before letting your agent work by setting per-action token caps, daily budget limits, and loop detection thresholds. Model routing lets you send routine tasks to cheaper models while reserving expensive models for complex work.

Before you let your agent start working, configure spending limits:

# Maximum tokens per single agent action
MAX_TOKENS_PER_ACTION=4096

# Daily budget cap (in USD)
DAILY_BUDGET_CAP=10.00

# Enable loop detection to prevent runaway costs
ENABLE_LOOP_DETECTION=true
LOOP_DETECTION_THRESHOLD=5

These settings prevent the most common cost disaster: an agent getting stuck in a loop and burning through your LLM budget. The loop detection feature monitors for repeated similar requests and halts execution after the threshold is reached.

Also configure model routing to use cheaper models for routine tasks:

# Use cheaper models for simple tasks
ROUTING_ENABLED=true
SIMPLE_TASK_MODEL=gpt-4o-mini
COMPLEX_TASK_MODEL=gpt-4o

How do you harden the security?

If your instance is accessible from the internet, you need authentication middleware in front of the gateway, TLS encryption, firewall rules limiting access to known IPs, and dedicated service accounts with limited permissions. None of these are optional for production.

If your instance is accessible from the internet (any cloud server), these steps aren't optional:

Add authentication

OpenClaw ships with no authentication. You need to put a reverse proxy (Nginx or Caddy) in front of the gateway with authentication middleware:

# In your reverse proxy config
# Require authentication for all gateway routes
# Use OAuth proxy, basic auth, or SSO integration

Microsoft's security team recommends against connecting OpenClaw to primary work accounts without proper isolation. At minimum, use dedicated service accounts with limited permissions.

Enable TLS

All traffic to your instance should be encrypted. If you're using Caddy as a reverse proxy, TLS is automatic. With Nginx, you'll need Let's Encrypt certificates.

Restrict network access

Configure firewall rules to allow connections only from IP addresses you control:

# UFW example
sudo ufw allow from YOUR_IP to any port 3000
sudo ufw deny 3000

Use dedicated service accounts

Never connect your agent to your primary email or calendar account. Create dedicated accounts with limited permissions. If the agent's credentials are compromised, the blast radius stays small.

How do you verify the installation?

Access the OpenClaw gateway at http://localhost:3000 to confirm the web interface loads. Then test the LLM connection with a simple task and verify each OAuth service integration individually to isolate any connection failures.

Access the OpenClaw gateway at http://localhost:3000 (or your configured address). You should see the web interface. Try a simple task, like asking your agent to tell you the current time or summarize a web page, to confirm the LLM connection is working.

Then verify each service integration one at a time. If you plan to interact with your agent via messaging, our Telegram setup guide is the natural next step. Send a test email through the agent. Check that calendar access works. Test each OAuth connection individually so you can isolate failures.

What comes after installation?

Installation gets OpenClaw running. Making it useful requires configuring workflows, setting up monitoring, managing memory, handling weekly updates, and vetting community skills. The initial installation is the easy part; ongoing maintenance takes 3-5 hours per week.

Installation gets OpenClaw running. Making it useful is a different project. You'll need to:

• Configure workflows that define what your agent does autonomously vs. what it waits for instructions on
• Set up monitoring with alerts for unusual behavior, cost spikes, or failed actions
• Manage memory by pruning stale entries, resolving conflicts, and tuning retrieval as the knowledge base grows
• Handle updates, since OpenClaw pushes changes weekly, some of which alter configuration formats or deprecate features
• Install and vet skills from ClawHub to extend your agent's capabilities (keeping in mind that 36% contain security flaws)

If that list feels like a lot of ongoing work, it is. The initial installation is the easy part; the ongoing maintenance is what takes 3-5 hours per week of technical attention. Understanding the full cost picture of running an AI agent helps you decide whether the time investment makes sense for your situation.

Related guides

• What Is OpenClaw? A Guide for Business Leaders -- understand what you're installing and why
• OpenClaw Docker Setup: Container Config Explained -- go deeper on the multi-container architecture
• Best VPS for OpenClaw in 2026 -- choose the right server before you begin
• OpenClaw Security: What Business Leaders Must Know -- the hardening steps most tutorials skip

Key takeaways

• OpenClaw requires Docker, Docker Compose, Git, and a machine with at least 4 GB of RAM and 2 CPU cores (8 GB recommended for production).
• The single most important configuration change is binding the gateway to 127.0.0.1 instead of the default 0.0.0.0 to prevent public exposure.
• OAuth 2.1 configuration (mandatory since January 2026) takes 1-2 hours per connected service and is the most time-consuming part of setup.
• Set token budgets and loop detection before letting your agent run to avoid surprise API bills.
• Security hardening (authentication, TLS, firewall rules, dedicated accounts) is not optional for any internet-facing deployment.
• The full process from clone to production-ready agent takes most people 15-25 hours, not counting troubleshooting.
• Ongoing maintenance requires 3-5 hours per week for updates, memory management, and workflow expansion.

Frequently Asked Questions

How long does it take to install OpenClaw?

The technical installation (cloning the repo, configuring environment variables, running Docker Compose) takes 30-60 minutes if everything goes smoothly. The time-consuming parts are OAuth configuration for each service (1-2 hours per service), security hardening (2-4 hours), and initial workflow configuration (4-8 hours). Most people report 15-25 hours total from start to a production-ready agent, not counting troubleshooting time.

Can I install OpenClaw on a Raspberry Pi?

Technically possible on a Raspberry Pi 4 or 5 with 8GB of RAM, but not recommended. The ARM architecture means some Docker images need to be rebuilt, performance is marginal, and the limited cooling causes thermal throttling under sustained workloads. A $6/month VPS gives you better performance with less hassle.

What's the cheapest way to run OpenClaw?

A Hetzner Cloud CX22 at roughly $4/month provides sufficient specs for a single agent. Add $50-200/month in LLM token costs depending on usage. Our VPS comparison guide breaks down all the hosting options with current pricing.

Do I need to know Linux to install OpenClaw?

Basic Linux command-line comfort is required: navigating directories, editing files, running commands. You don't need to be a system administrator, but you should be comfortable in a terminal. If ssh, nano, and docker are unfamiliar commands, the installation process will be challenging without help.

Can I skip security hardening for a local test setup?

If you're running OpenClaw on your laptop purely for experimentation and your machine isn't accessible from the internet, you can defer security hardening. But the moment you move to a cloud server or open any ports, every hardening step becomes mandatory. The default configuration was designed for local development, not production.

Installation is just the beginning. If you want an agent that's configured, secured, and managed from day one — without touching Docker or YAML files — we handle all of this. One conversation about what you need, and we take it from there.