Documentation

Compute cost

Charged regardless of whether you bring your own API key. Default instance is t3.micro. You can change this in Settings.

Model API cost (Tropic key only)

If you use Tropic's built-in API key instead of your own, the following model rate is added on top of compute:

Bring your own key

Add your own Anthropic API key in Settings → Credentials to pay only the compute cost (5 cr/hr). Model API usage goes directly to your Anthropic account at their standard rates.

Credit packages

1,000 credits = $25. Purchase from the Credits page. At the default rate (Sonnet + t3.micro = 55 cr/hr), 1,000 credits gives you roughly 18 hours of runtime. With your own key (5 cr/hr compute only), the same 1,000 credits lasts 200 hours.

No public ports

By default, no ports on your VM are exposed to the public internet. HTTP access is locked to Tropic's reverse proxy IPs. SSH is restricted to your detected IP at provision time.

Referer validation

Nginx on your VM blocks direct requests to /chat. Only requests with a tropic.bot referer get through. Even if someone knows your VM's IP, they can't hit the gateway directly.

# Direct request — blocked with 403
curl http://your-vm-ip/chat

# Request via Tropic — allowed
curl -H "Referer: https://tropic.bot" http://your-vm-ip/chat

Encrypted credentials

Credentials are encrypted at the application layer before being stored in Supabase. Nothing is stored in plaintext.

Cedar policy evaluation

Every tool call is evaluated against Cedar policies before execution. Tool name and parameters are mapped to principal/action/resource triples and checked against permit and forbid rules. If denied, the tool call is blocked with a policy reason. Fail-closed: evaluation errors result in deny.

Policy packs

Three Cedar policy packs ship with Sondera. The base pack is enabled by default; system and OWASP packs are opt-in via plugin config.

• Base pack (41 rules) — dangerous commands, sensitive file protection, network restrictions, secret redaction
• System pack (24 rules) — OpenClaw workspace files, credentials, sessions, plugin manifests, IDE config
• OWASP pack (38 rules) — OWASP Top 10 for Agentic Apps: goal hijack, tool misuse, supply chain, rogue agents

Output redaction

Tool results are scanned before persistence. API keys (AWS, GitHub, Anthropic, OpenAI, Stripe), private keys, JWTs, and bearer tokens are replaced with [REDACTED BY SONDERA POLICY]. Both Cedar policy-based and regex pattern-based redaction run as defense in depth.

Audit logging

All tool executions are logged to ~/.openclaw/.sondera/audit.log with timestamps, tool names, decision (ALLOW/DENY/REDACT), duration, and errors. Entries are JSON-lines format.

Example Cedar policy

// Block recursive force-delete
@id("sondera-deny-rm-rf")
forbid(
  principal,
  action == Action::"tool_call",
  resource == Tool::"Bash"
) when {
  context.command like "*rm *-rf*"
};

// Redact AWS keys from output
@id("sondera-redact-aws-keys")
forbid(
  principal,
  action == Action::"tool_result",
  resource
) when {
  context.output like "*AKIA*"
};

Toggle Sondera

Enable or disable via the Skills Marketplace drawer on your machine card. Sondera is instance-wide — all agents on the machine share the same Sondera gate.

When it runs

What it checks

Gateway binding, authentication, file permissions, credential exposure, sandbox mode, supply chain scanning, memory integrity, browser relay exposure, DM policy, privacy directives, and kill switch availability.

Severity levels: CRIT / HIGH / MED / PASS with a posture score from 0–100.

Audit log locations

Manual commands

SSH into your VM and run these directly:

# Run a manual audit
bash ~/.openclaw/skills/secureclaw/scripts/quick-audit.sh

# Emergency response (7-point diagnostic with auto-logging)
bash ~/.openclaw/skills/secureclaw/scripts/emergency-response.sh

How Sondera + SecureClaw work together

SecureClaw answers “is the box safe?” — infrastructure baseline, hardening, and continuous audit. Sondera answers “is this action safe?” — runtime pre-execution gate. Together they cover deployment-time hardening and runtime enforcement.

VM specs

Nginx reverse proxy

Nginx listens on port 80 and proxies to the OpenClaw gateway on 18789. WebSocket connections are supported with a 1-hour read/write timeout for long-running sessions.

Systemd services

Core processes run as systemd services with automatic restart on failure. You shouldn't need to touch these directly, but if you SSH in:

# Check status
sudo systemctl status openclaw-gateway
sudo systemctl status chrome-headed
sudo systemctl status nginx

# Restart the gateway
sudo systemctl restart openclaw-gateway

Disabled Ubuntu services

To maximise available RAM on t3.micro (914 MB), the following default Ubuntu services are disabled at provisioning time. None are required on a headless AI agent server:

Total: ~65 MB freed. The gateway needs ~600 MB heap to start, so every MB matters on a 1 GB box.

Inbound

Rule directives

How policies attach to agents

There are three ways a policy gets connected to an agent:

1. At deploy time — select a policy when deploying from the marketplace
2. After deployment — click the shield icon on any agent card to change its policy
3. From scratch — create a new policy with custom ALLOW / REQUIRE CONFIRM / DENY rules

Agent lifecycle

Deploy ──▶ [provisioning] ──▶ VM push via SSM ──▶ [ready]
                                                      │
                                                 Stop │
                                                      ▼
                                                  [stopped]

If VM is offline when you deploy, the agent stays in
[provisioning] and auto-pushes when the VM starts.

What gets deployed

When you deploy an agent, Tropic pushes these files to your VM via SSM:

• • /home/ubuntu/.openclaw/workspace/<slug>/ — workspace files (AGENTS.md, TOOLS.md, etc.)
• • /home/ubuntu/.openclaw/openclaw.json — agent registered in orchestrator config

Policy rules are embedded in the agent configuration and enforced at runtime.

Command Blacklist

Control what your agent can execute on your VM. Each toggle restricts a category of commands:

Toggles are off by default (all commands allowed). Enable them to restrict categories you don't want your agent using.

Set spending limits

Set a daily credit cap and a max session runtime. Once either limit is hit, OpenClaw pauses until the next day or until you raise it. You probably want both set unless you're actively testing.

Change your model

Pick from the preset list or enter a custom provider + model ID. This applies to all conversations on your instance.

Install skills

Browse and install skills from the marketplace. Installed skills are deployed to your agent machines automatically. You can enable, disable, or uninstall skills from the skills drawer on any instance card.

Manage SSH access

Your current IP is auto-detected at provision time. You can update the allowlist from settings whenever you need to.

Restrict phone numbers

Three modes: unrestricted, allowlist, or blocklist. Numbers use E.164 format. Wildcards work:

+6591234567     # exact match
+65*            # all Singapore numbers
+1415*          # all San Francisco numbers
+44*            # all UK numbers

If you're using allowlist mode, you probably want to add your own number first before testing.

How authentication works

1. Your Clerk JWT is verified by Tropic's proxy
2. A 48-character hex gateway token is injected into the page
3. The token is stored in localStorage for WebSocket auth
4. A session cookie (10-minute TTL) is set for subsequent requests

Health checks

Tropic polls your VM's nginx every 15 seconds. The logic is simple:

• • 200 response → running
• • 502/503 within 3 min of start → initializing
• • Anything else → stopped

Claude API key

Encrypted in the database. Written to OpenClaw's .env on the VM during provisioning. If you update it while the VM is stopped, it'll be re-synced on next start.

SSH key pair

An Ed25519 key pair is generated per user via AWS EC2. Download the private key as a .pem file from the "Download SSH key" link on any agent machine card.

# Download your key from the agent machine card, then:
chmod 600 ~/Downloads/tropic-vm-key.pem
ssh -i ~/Downloads/tropic-vm-key.pem ubuntu@your-vm-ip

SSH keys rotate automatically based on your configured rotation period (30, 60, or 90 days, default 90). When a key rotates, the new public key is pushed to all your running VMs and the old private key stops working. Re-download the new key from the agent machine card. You can also regenerate your key manually at any time.

Gateway token

48-character hex token, generated during OpenClaw onboarding on the VM. Tropic reads it from openclaw.json via SSM. This authenticates WebSocket connections to the gateway.

Pair your account

Go to the VM instances page and click “Pair WhatsApp.” A QR code will appear — scan it with WhatsApp on your phone. The pairing happens via SSM, and the QR updates in real-time.

Restrict who your agent can message

Three modes:

• Unrestricted — agent can message anyone. Probably not what you want in production.
• Allowlist — only numbers matching your patterns. Start here.
• Blocklist — everyone except numbers on the list.