Documentation

How Tropic secures your OpenClaw instance, what runs under the hood, and what you can configure.

Security

Every user gets their own managed OpenClaw instance. Your OpenClaw process, credentials, browser, and chat history are completely isolated from every other user. Nothing is shared.

No public ports

By default, no ports on your VM are exposed to the public internet. HTTP access is locked to Tropic's reverse proxy IPs. SSH is restricted to your detected IP at provision time.

Port 18789 (the OpenClaw gateway) is never publicly accessible. All gateway traffic goes through Tropic's proxy with Clerk auth. If you see guides telling you to open 18789 to your own IP, don't.

Referer validation

Nginx on your VM blocks direct requests to /chat. Only requests with a tropic.bot referer get through. Even if someone knows your VM's IP, they can't hit the gateway directly.

What gets blocked
# Direct request — blocked with 403
curl http://your-vm-ip/chat

# Request via Tropic — allowed
curl -H "Referer: https://tropic.bot" http://your-vm-ip/chat

X-Frame-Options and Content-Security-Policy headers are stripped only on the proxied gateway path so the OpenClaw UI can load inside Tropic's iframe. All other responses keep their default headers.

Encrypted credentials

Credentials are encrypted at the application layer before being stored in Supabase. Nothing is stored in plaintext.

Sondera

Sondera is a pre-execution decision gate deployed automatically during VM provisioning as a native OpenClaw plugin. It intercepts every tool call before it runs, redacts secrets from output, and logs all executions for audit.

Cedar policy evaluation

Every tool call is evaluated against Cedar policies before execution. Tool name and parameters are mapped to principal/action/resource triples and checked against permit and forbid rules. If denied, the tool call is blocked with a policy reason. Fail-closed: evaluation errors result in deny.

Policy packs

Three Cedar policy packs ship with Sondera. The base pack is enabled by default; system and OWASP packs are opt-in via plugin config.

  • Base pack (41 rules) — dangerous commands, sensitive file protection, network restrictions, secret redaction
  • System pack (24 rules) — OpenClaw workspace files, credentials, sessions, plugin manifests, IDE config
  • OWASP pack (38 rules) — OWASP Top 10 for Agentic Apps: goal hijack, tool misuse, supply chain, rogue agents

Output redaction

Tool results are scanned before persistence. API keys (AWS, GitHub, Anthropic, OpenAI, Stripe), private keys, JWTs, and bearer tokens are replaced with [REDACTED BY SONDERA POLICY]. Both Cedar policy-based and regex pattern-based redaction run as defense in depth.
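The regex layer of this redaction can be sketched as follows. This is an added Python example, not Sondera's code: the patterns are assumptions based on publicly documented key prefixes, and only the replacement marker comes from the text above.

```python
import re

MARKER = "[REDACTED BY SONDERA POLICY]"  # replacement string quoted above

# Illustrative patterns (assumptions, not Sondera's rule set), most specific first.
PATTERNS = [
    ("private_key", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
        re.DOTALL)),
    ("jwt", re.compile(r"\beyJ[\w-]+\.eyJ[\w-]+\.[\w-]+")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("anthropic_key", re.compile(r"\bsk-ant-[\w-]{20,}")),
    ("stripe_key", re.compile(r"\b[sr]k_live_[A-Za-z0-9]{16,}\b")),
    ("openai_key", re.compile(r"\bsk-[\w-]{20,}")),
    ("bearer_token", re.compile(r"\bbearer\s+[A-Za-z0-9._~+/=-]{16,}", re.IGNORECASE)),
]


def redact(text: str):
    """Return (redacted_text, {kind: hits}) for one tool result."""
    hits = {}
    for kind, pattern in PATTERNS:
        text, n = pattern.subn(MARKER, text)
        if n:
            hits[kind] = n
    return text, hits


def sample_output() -> str:
    """Constructed tool output; every secret-looking value here is fake."""
    jwt = ".".join(["eyJ" + "a" * 20, "eyJ" + "b" * 30, "c" * 40])
    return "\n".join([
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
        "GITHUB_TOKEN=ghp_" + "x" * 36,
        "Authorization: Bearer " + jwt,
        "curl -H 'Authorization: Bearer " + "t" * 32 + "'",
        "build finished in 12.4s",
    ])


if __name__ == "__main__":
    redacted, counts = redact(sample_output())
    print(redacted)
    print(counts)
```

Ordering matters: the JWT pattern runs before the generic bearer pattern so a JWT inside an Authorization header is counted once, and non-secret lines pass through unchanged.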

Audit logging

All tool executions are logged to ~/.openclaw/.sondera/audit.log with timestamps, tool names, decision (ALLOW/DENY/REDACT), duration, and errors. Entries are JSON-lines format.
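A JSON-lines audit log like this can be reviewed with a short script. The following is an added Python example, not part of Sondera: the field names (ts, tool, decision, duration_ms, error) and the sample lines are assumptions constructed for illustration, so adjust them to what your audit.log actually contains.

```python
import json
from collections import Counter

VALID_DECISIONS = {"ALLOW", "DENY", "REDACT"}  # decision values named above

# Constructed sample lines. Field names are assumptions, not Sondera's schema.
SAMPLE_LOG = """\
{"ts": "2025-01-01T10:00:00Z", "tool": "Bash", "decision": "ALLOW", "duration_ms": 12, "error": null}
{"ts": "2025-01-01T10:00:05Z", "tool": "Bash", "decision": "DENY", "duration_ms": 1, "error": null}
{"ts": "2025-01-01T10:00:06Z", "tool": "Bash", "decision": "DENY", "duration_ms": 1, "error": null}
{"ts": "2025-01-01T10:00:09Z", "tool": "Read", "decision": "REDACT", "duration_ms": 4, "error": null}
{"ts": "2025-01-01T10:00:11Z", "tool": "Bash", "decision": "DENY", "duration_ms": 2, "error": "policy evaluation failed"}
{"ts": "2025-01-01T10:00:12Z", "tool": "Ba
"""


def summarize(lines, deny_threshold=3):
    """Summarise an audit log given as an iterable of JSON-lines strings."""
    decisions, denies_by_tool = Counter(), Counter()
    errors, malformed = [], []
    for lineno, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
            decision, tool = entry["decision"], entry["tool"]
            if decision not in VALID_DECISIONS:
                raise ValueError(decision)
        except (ValueError, KeyError, TypeError):
            # Truncated or unparseable audit entries are reported, not skipped silently.
            malformed.append(lineno)
            continue
        decisions[decision] += 1
        if decision == "DENY":
            denies_by_tool[tool] += 1
        if entry.get("error"):
            errors.append((lineno, entry["error"]))
    return {
        "decisions": dict(decisions),
        # Tools that were denied repeatedly are worth a closer look.
        "noisy_tools": sorted(t for t, n in denies_by_tool.items() if n >= deny_threshold),
        "errors": errors,
        "malformed_lines": malformed,
    }


if __name__ == "__main__":
    # On a VM, pass open(os.path.expanduser("~/.openclaw/.sondera/audit.log")) instead.
    print(summarize(SAMPLE_LOG.splitlines()))
```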

Example Cedar policy

From the base policy pack
// Block recursive force-delete
@id("sondera-deny-rm-rf")
forbid(
  principal,
  action == Action::"tool_call",
  resource == Tool::"Bash"
) when {
  context.command like "*rm *-rf*"
};

// Redact AWS keys from output
@id("sondera-redact-aws-keys")
forbid(
  principal,
  action == Action::"tool_result",
  resource
) when {
  context.output like "*AKIA*"
};
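The evaluation flow described under "Cedar policy evaluation" can be traced with a small model. This is an added Python example, not Sondera's code and not a Cedar engine: it transcribes the first rule above as data, and the two permit rules and all function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional


def cedar_like(value: str, pattern: str) -> bool:
    """Cedar `like`: `*` matches any run of characters, everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.DOTALL) is not None


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str              # "forbid" or "permit"
    action: str
    tool: Optional[str]      # None = any resource
    attr: Optional[str]      # context attribute tested with `like`; None = no condition
    pattern: str = "*"


RULES = [
    # The tool_call rule shown above, transcribed as data.
    Rule("sondera-deny-rm-rf", "forbid", "tool_call", "Bash", "command", "*rm *-rf*"),
    # Hypothetical permit rules so that something can be allowed at all.
    Rule("example-permit-bash", "permit", "tool_call", "Bash", None),
    Rule("example-permit-read", "permit", "tool_call", "Read", None),
]


def matches(rule, action, tool, context) -> bool:
    if rule.action != action or rule.tool not in (None, tool):
        return False
    # A missing or non-string attribute raises; evaluate() turns that into a deny.
    return rule.attr is None or cedar_like(context[rule.attr], rule.pattern)


def evaluate(action, tool, context, rules=RULES):
    """Return (decision, reason): forbid beats permit, no match or any error denies."""
    try:
        hits = [r for r in rules if matches(r, action, tool, context)]
    except Exception as exc:
        return "DENY", f"evaluation error: {type(exc).__name__}"
    for rule in hits:
        if rule.effect == "forbid":
            return "DENY", rule.rule_id
    for rule in hits:
        if rule.effect == "permit":
            return "ALLOW", rule.rule_id
    return "DENY", "no matching permit"


if __name__ == "__main__":
    for ctx in ({"command": "ls -la"}, {"command": "rm -rf /tmp/build"}, {}):
        print(ctx, evaluate("tool_call", "Bash", ctx))
```

The empty context in the last call shows the fail-closed path: the forbid rule cannot be evaluated, so the call is denied even though a permit rule would have matched.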

Toggle Sondera

Enable or disable via the Skills Marketplace drawer on your machine card. Sondera is instance-wide — all agents on the machine share the same Sondera gate.

SecureClaw

SecureClaw provides baseline auditing and hardening for your VM. It tells you whether the box is safe to host an agent: 56 audit checks, 15 behavioral rules, 9 automation scripts, mapped to 7 security frameworks.

When it runs

| Trigger | What happens |
|---|---|
| VM provisioning | Auto-hardening + baseline audit |
| Agent deploy | Re-audit with timestamped results |
| Continuous | Daily audit (Rule 6) + 12h integrity check (Rule 7) |

What it checks

Gateway binding, authentication, file permissions, credential exposure, sandbox mode, supply chain scanning, memory integrity, browser relay exposure, DM policy, privacy directives, and kill switch availability.

Severity levels: CRIT / HIGH / MED / PASS with a posture score from 0–100.

Gateway bind override

SecureClaw's quick-harden.sh sets the gateway to bind to 127.0.0.1 (loopback only), which is the most secure configuration — only processes on the same machine can reach the gateway.

Tropic overrides this to 0.0.0.0 (all interfaces) during image build and VM provisioning. This is required because:

  • The nginx reverse proxy on the VM needs to reach the gateway on 127.0.0.1:18789
  • WireGuard VPN peers (Fly.io proxy, local instances) connect via the 10.100.x.x interface on port 18789

Mitigations in place:

  • Port 18789 is never exposed publicly — security groups only allow the Fly.io egress IP and user-allowlisted IPs
  • Non-loopback binds require OPENCLAW_GATEWAY_TOKEN authentication (enforced by OpenClaw)
  • WireGuard tunnel encrypts all traffic between the proxy and the VM on the 10.100.0.0/16 private network
  • The Fly.io proxy validates Clerk sessions before forwarding any traffic to the gateway

This override is applied in three places: the VM image build (install.sh), the systemd service file (--bind lan), and the provisioning script (sed patch for existing VMs). SecureClaw audits will report this as a non-PASS finding — this is expected and documented.

Audit log locations

| Log | Path |
|---|---|
| Provision audit | ~/.openclaw/.secureclaw/provision-audit.txt |
| Deploy audits | ~/.openclaw/.secureclaw/deploy-audit-*.txt |
| Incident events | ~/.openclaw/.secureclaw/events.log |
| Integrity baselines | ~/.openclaw/.secureclaw/baselines/ |

Manual commands

SSH into your VM and run these directly:

# Run a manual audit
bash ~/.openclaw/skills/secureclaw/scripts/quick-audit.sh

# Emergency response (7-point diagnostic with auto-logging)
bash ~/.openclaw/skills/secureclaw/scripts/emergency-response.sh

How Sondera + SecureClaw work together

SecureClaw answers “is the box safe?” — infrastructure baseline, hardening, and continuous audit. Sondera answers “is this action safe?” — runtime pre-execution gate. Together they cover deployment-time hardening and runtime enforcement.

Infrastructure

VM specs

| Spec | Value |
|---|---|
| CPU / RAM | 2 vCPU, 4 GB |
| Storage | 20 GB SSD |
| OS | Ubuntu 22.04 + XFCE |

Cloud instances run on AWS and launch from a pre-built Tropic image. OpenClaw, Node.js 22, Chrome (headed), and Nginx are pre-installed, so your instance is ready in under 2 minutes instead of 10+.

Nginx reverse proxy

Nginx listens on port 80 and proxies to the OpenClaw gateway on 18789. WebSocket connections are supported with a 1-hour read/write timeout for long-running sessions.

Systemd services

Core processes run as systemd services with automatic restart on failure. You shouldn't need to touch these directly, but if you SSH in:

# Check status
sudo systemctl status openclaw-gateway
sudo systemctl status nginx

# Restart the gateway
sudo systemctl restart openclaw-gateway

Disabled Ubuntu services

To maximise available RAM, the following default Ubuntu services are disabled at provisioning time. None are required on a headless AI agent server:

| Service | Why disabled | RAM saved |
|---|---|---|
| apt-daily.timer | Automatic apt updates compete for CPU/RAM at boot | ~100 MB |
| unattended-upgrades | Background package upgrades | |
| multipathd | SAN multipath storage — not needed for EBS | ~27 MB |
| pipewire / rtkit-daemon | Audio stack — headless server | ~20 MB |
| packagekit | GUI package manager daemon | ~6 MB |
| udisks2 | Desktop disk management | ~6 MB |
| avahi-daemon | mDNS/Bonjour discovery | ~2 MB |

Total: ~65 MB freed. The gateway needs ~600 MB heap to start, so every MB matters on a 1 GB box.

Tropic uses a secure management channel for operations like syncing API keys, reading config, and restarting services. No SSH tunnel is needed for any of this. SSH access is a separate thing, for your use.

Local Providers

Connect your own machine to Tropic as a local instance. Tropic manages your OpenClaw gateway remotely — syncing credentials, deploying agents, and installing skills — while everything runs on your hardware.

macOS

Supported on Apple Silicon and Intel Macs. Tropic registers your machine for secure remote management so it can manage your local OpenClaw installation the same way it manages cloud VMs.

From the Agents page, click Add Instance → Connect local machine and run the one-liner in your terminal. The setup script installs the management agent, registers with Tropic, and starts the gateway as a launchd service.

Agent37

Agent37 is an external provider that hosts OpenClaw instances with its own model and API key management. Tropic auto-detects Agent37 environments and adjusts the UI accordingly — model selection and API key controls are handled on Agent37's side.

To connect an Agent37 instance, run the Tropic setup command on the Agent37 machine the same way you would any local instance. Tropic detects the OPENCLAW_STARTER_PROXY_URL environment variable and flags the instance as Agent37 automatically.

Linux

Linux support is available for distributions with systemd (Ubuntu, Debian, Fedora, etc.). The setup process is the same as macOS — run the one-liner, and the gateway starts as a systemd service.

Network rules

Inbound

| Port | Source | Why |
|---|---|---|
| 22 | Your IP only | SSH |
| 80 | Tropic proxy IPs | Nginx reverse proxy |
| 443 | Tropic proxy IPs | HTTPS |
| 18789 | Tropic proxy IPs | Gateway (proxied, never public) |

SSH access is locked to the IP detected when you provision. If your IP changes (VPN, new network), update it in Settings → SSH Access or you'll be locked out.

All outbound traffic is allowed. Your VM can reach any external API, website, or service — OpenClaw needs this to browse the web, call APIs, and send messages.

On every provision, Tropic revokes all existing ingress rules and re-applies the correct set from scratch. Stale rules don't accumulate.
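To check a VM's ingress rules against the inbound table above, the comparison can be scripted. This is an added Python example, not Tropic's provisioning code: rules are plain (port, CIDR) pairs, and the addresses are constructed documentation-range placeholders because the real proxy IPs are not listed on this page.

```python
import ipaddress

# Expected inbound rules from the table above: port -> which allowlist applies.
EXPECTED = {22: "ssh", 80: "proxy", 443: "proxy", 18789: "proxy"}

# Constructed values: documentation-range addresses stand in for real ones.
SSH_CIDRS = ["203.0.113.7/32"]
PROXY_CIDRS = ["198.51.100.0/28"]
SAMPLE_RULES = [
    (22, "203.0.113.7/32"),      # matches the table
    (80, "198.51.100.4/32"),     # matches the table
    (443, "198.51.100.4/32"),    # matches the table
    (18789, "0.0.0.0/0"),        # gateway opened to the world
    (22, "192.0.2.50/32"),       # stale SSH rule for an old IP
    (8080, "198.51.100.4/32"),   # port that is not in the table
]


def audit_ingress(rules, ssh_cidrs, proxy_cidrs):
    """Compare (port, cidr) ingress rules with the documented set; return findings."""
    allowed = {
        "ssh": [ipaddress.ip_network(c) for c in ssh_cidrs],
        "proxy": [ipaddress.ip_network(c) for c in proxy_cidrs],
    }
    findings = []
    for port, cidr in rules:
        net = ipaddress.ip_network(cidr, strict=False)
        if port not in EXPECTED:
            findings.append((port, cidr, "port not in documented rule set"))
            continue
        if net.prefixlen == 0:
            findings.append((port, cidr, "open to the whole internet"))
            continue
        group = EXPECTED[port]
        inside = any(
            net.version == a.version and net.subnet_of(a) for a in allowed[group]
        )
        if not inside:
            findings.append((port, cidr, f"source outside {group} allowlist"))
    return findings


if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_RULES, SSH_CIDRS, PROXY_CIDRS):
        print(finding)
```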

Policies

Policies are security guardrails that control what an agent can and can't do. Each agent can have one policy attached. Policies use a simple plain-text rules format with three directives.

Rule directives

| Directive | Behavior |
|---|---|
| ALLOW | Agent can perform this action freely |
| REQUIRE CONFIRM | Action pauses and waits for your approval before executing |
| DENY | Action is blocked entirely |

Example policy
ALLOW: browse any public website
ALLOW: read files in workspace directory
ALLOW: execute code in sandbox environment
REQUIRE CONFIRM: download files larger than 10MB
REQUIRE CONFIRM: send WhatsApp messages
DENY: access /etc/passwd or system credentials
DENY: run sudo or elevated commands
DENY: outbound connections on port 22

How policies attach to agents

There are three ways a policy gets connected to an agent:

  1. At deploy time — select a policy when deploying from the marketplace
  2. After deployment — click the shield icon on any agent card to change its policy
  3. From scratch — create a new policy with custom ALLOW / REQUIRE CONFIRM / DENY rules

When you update a policy on a running agent, the new rules are pushed to your VM immediately. There's no need to restart the agent.

See the API Reference for full endpoint documentation with request/response examples.

Agents

Agents are AI assistants deployed from marketplace templates onto your VM. Each agent runs in its own isolated workspace with a configured model, skills, and optional security policy. You can run up to 5 agents concurrently.

Agent lifecycle

Deploy ──▶ [provisioning] ──▶ VM push ──▶ [ready]
                                             │
                                        Stop │
                                             ▼
                                         [stopped]

If VM is offline when you deploy, the agent stays in
[provisioning] and auto-pushes when the VM starts.

What gets deployed

When you deploy an agent, Tropic pushes these files to your VM:

  • /home/ubuntu/.openclaw/workspace/<slug>/ — workspace files (AGENTS.md, TOOLS.md, etc.)
  • /home/ubuntu/.openclaw/openclaw.json — agent registered in orchestrator config

Policy rules are embedded in the agent configuration and enforced at runtime.

See the API Reference for full endpoint documentation with request/response examples.

Skills

Skills extend your agent with third-party integrations. Install them from the Skills drawer on your agent's page. Each skill may require credentials or API keys that you configure at install time.

How skill installation works

1. Open the Skills drawer on your agent

2. Find the skill and click Install

3. Enter any required credentials (API keys, tokens)

4. Click Confirm Install

Tropic writes the credentials securely to your VM and restarts the gateway so the agent picks up the new skill immediately.

Google Sheets

Read and write Google Sheets spreadsheets from your agent using gws-sheets. Authentication is handled automatically through your Google connection.

Setup

1. Connect your Google account

Go to Settings > Connections in the Tropic dashboard and connect a Google account with Google Sheets access. This is the same connection used for Gmail and other Google services.

2. Install the skill

Open the Skills drawer on your agent and install Google Sheets. No credentials to enter. Tropic automatically uses your Google connection's OAuth tokens.

3. Share your spreadsheet

The agent accesses sheets through your connected Google account, so it can read any spreadsheet you have access to. No extra sharing required.

Usage

All commands use the gws-sheets wrapper. The full gws CLI is not available for security reasons.

# Read values from a spreadsheet
gws-sheets +read --spreadsheet SPREADSHEET_ID --range "Sheet1!A1:D10"

# Append a row
gws-sheets +append --spreadsheet SPREADSHEET_ID --values 'Alice,100,true'

# Append multiple rows (JSON)
gws-sheets +append --spreadsheet SPREADSHEET_ID --json-values '[["a","b"],["c","d"]]'

# Append to a specific sheet
gws-sheets +append --spreadsheet SPREADSHEET_ID --range "Sheet2!A1" --values 'Alice,100'

Discovering commands

The agent can inspect available API methods at runtime:

# Browse all resources and methods
gws-sheets --help

# Inspect a method's parameters
gws schema sheets.<resource>.<method>

The spreadsheet ID is the long string in the URL between /d/ and /edit. For example: docs.google.com/spreadsheets/d/1BxiMVs0XRA.../edit

Notion

Search, read, and manage Notion pages and databases from your agent using notion-cli.

Setup

1. Create a Notion integration

Go to notion.so/my-integrations. In the left sidebar under Build, click Internal integrations, then New internal integration. Give it a name (e.g. "Tropic Agent") and select your workspace.

2. Copy the integration secret

On the integration's Configuration tab, click Show next to "Internal integration secret" to reveal the token. It starts with secret_. Copy it.

3. Install the skill

Open the Skills drawer on your agent and install Notion. Paste the integration secret as your NOTION_API_KEY.

4. Connect the integration to your pages

Notion integrations can only access pages you explicitly share with them. Open any page in Notion, click the ... menu (top right), then click Connections and search for your integration name. All child pages under a shared parent are automatically accessible.

You must share at least one page with the integration before the agent can do anything. If you share a top-level page, everything nested under it becomes accessible too.

Usage

All commands use notion-cli:

# Search all accessible content
notion-cli search

# Search by title
notion-cli search --query "meeting notes"

# List pages
notion-cli pages list

# List databases
notion-cli databases list

# Get a block with children (plain text)
notion-cli blocks get "<block_id>" --with_children --format plain_text

CSV import

Create or sync databases from CSV files:

# Create a database from CSV
notion-cli csv import --input ~/data.csv --parent_page_id <page_id> \
  --delimiter "," --title "My Database" --title_column "name"

# Sync into existing database (idempotent)
notion-cli csv sync --input ~/data.csv --database_id "<database_id>" --delimiter ","

Tips

  • Use --format json and pipe to jq for structured data extraction
  • CSV sync is idempotent and safe to run repeatedly
  • Use --help on any command for full options

Settings

Command Blacklist

Control what your agent can execute on your VM. Each toggle restricts a category of commands:

| Toggle | When enabled |
|---|---|
| Browser Search | Restricts web browsing (Chrome, Chromium) |
| Code Execution | Restricts Python/Node scripts and dev tools |
| OS Commands | Restricts shell access and file system commands |

Toggles are off by default (all commands allowed). Enable them to restrict categories you don't want your agent using.

Set runtime limits

Set a max session runtime so a runaway agent can't loop forever. Once the limit is hit, OpenClaw pauses until you resume. Recommended unless you're actively testing.

Change your model

Pick from the preset list or enter a custom provider + model ID. This applies to all conversations on your instance.

Install skills

Browse and install skills from the marketplace. Installed skills are deployed to your agent machines automatically. You can enable, disable, or uninstall skills from the skills drawer on any instance card. See the skill setup guides for step-by-step instructions on connecting Google Sheets, Notion, and other services.

Manage SSH access

Your current IP is auto-detected at provision time. You can update the allowlist from settings whenever you need to.

Changing your SSH allowlist takes effect immediately. If you accidentally remove your own IP, you can re-add it from the dashboard — you don't need SSH to fix it.

Restrict phone numbers

Three modes: unrestricted, allowlist, or blocklist. Numbers use E.164 format. Wildcards work:

Pattern examples
+6591234567     # exact match
+65*            # all Singapore numbers
+1415*          # all San Francisco numbers
+44*            # all UK numbers

If you're using allowlist mode, you probably want to add your own number first before testing.

Gateway

The OpenClaw gateway runs as a systemd service (openclaw-gateway). It auto-restarts on failure and survives reboots. You can start, stop, and restart it from the VM instances page.

How authentication works

  1. Your Clerk JWT is verified by Tropic's proxy
  2. A 48-character hex gateway token is injected into the page
  3. The token is stored in localStorage for WebSocket auth
  4. A session cookie (10-minute TTL) is set for subsequent requests

If you re-run the OpenClaw onboarding on your VM, it generates a new gateway token. Tropic will pick it up automatically on next sync, but any open sessions will disconnect.

Health checks

Tropic polls your VM's nginx every 15 seconds. The logic is simple:

  • 200 response → running
  • 502/503 within 3 min of start → initializing
  • Anything else → stopped

WebSocket connections use TCP keep-alive (30s interval) with no idle timeout, so long-running sessions won't drop from inactivity.

Stopping a running agent

If your agent is mid-task and you need it to stop immediately, send stop as a message through any connected channel (WebChat, WhatsApp, Telegram). This is built into OpenClaw and interrupts the active run instantly, even if the agent is busy. No need to wait for the current task to finish.

Other words that trigger an immediate stop: abort, halt, interrupt, exit.

Credentials

All credentials are encrypted before being stored in the database. Keys are synced to your VM during provisioning and on every start.

Claude API key

Encrypted in the database. Written to OpenClaw's .env on the VM during provisioning. If you update it while the VM is stopped, it'll be re-synced on next start.

SSH key pair

An Ed25519 key pair is generated per user. Download the private key as a .pem file from the "Download SSH key" link on any agent machine card.

Connect via SSH
# Download your key from the agent machine card, then:
chmod 600 ~/Downloads/tropic-vm-key.pem
ssh -i ~/Downloads/tropic-vm-key.pem ubuntu@your-vm-ip

SSH keys rotate automatically based on your configured rotation period (30, 60, or 90 days, default 90). When a key rotates, the new public key is pushed to all your running VMs and the old private key stops working. Re-download the new key from the agent machine card. You can also regenerate your key manually at any time.

Gateway token

48-character hex token, generated during OpenClaw onboarding on the VM. Tropic reads it from openclaw.json over the secure management channel. This authenticates WebSocket connections to the gateway.

There's also a 64-character VM API token for internal communication between Tropic and the VM. Stored encrypted in Tropic's secret store. You don't need to manage this one.

WhatsApp

Pair your account

Go to the VM instances page and click “Pair WhatsApp.” A QR code will appear — scan it with WhatsApp on your phone. The QR updates in real-time.

WhatsApp Web only supports one active session at a time. If you pair with Tropic, any existing WhatsApp Web session (browser, desktop app) will be disconnected.

Restrict who your agent can message

Three modes:

  • Unrestricted — agent can message anyone. Probably not what you want in production.
  • Allowlist — only numbers matching your patterns. Start here.
  • Blocklist — everyone except numbers on the list.

Phone number patterns are documented in Settings → Restrict phone numbers above.