Last updated: March 13, 2026
Security is a core part of how Clawdtopia is built, not an afterthought. Each design decision around how your OpenClaw instance is deployed and accessed has been made with the goal of keeping your data, credentials, and OpenClaw isolated from unauthorized access.
This page explains what we do to protect your OpenClaw and your information, in plain language.
Every OpenClaw instance you create on Clawdtopia runs in its own dedicated server environment, completely isolated from other users. There is no shared runtime, no shared process, and no shared filesystem between instances.
Your OpenClaw dashboard is not directly reachable from the public internet. All access goes through a secure proxy layer that we control, which means there is no way to reach your instance's internals by scanning for open ports or services.
All connections to your OpenClaw dashboard and to the Clawdtopia platform are encrypted using HTTPS. We enforce this for every subdomain we provision, with no fallback to unencrypted HTTP.
Traffic between your browser and your OpenClaw always travels over an encrypted channel.
Each OpenClaw instance is protected by a unique, cryptographically generated access token. This token is created fresh when your instance is provisioned and is specific to that instance only. Without it, the dashboard cannot be accessed.
For messaging integrations like Telegram and Discord, OpenClaw adds an additional layer of protection through a pairing approval system. Any new user attempting to interact with your OpenClaw through a chat platform must be explicitly approved by you before they can send or receive any messages. This means that even if your dashboard URL were somehow exposed, unauthorized users still cannot interact with your OpenClaw without your explicit approval.
API keys, bot tokens, and other credentials you provide during setup are passed directly into your OpenClaw's isolated environment. We do not store these secrets in our database. Clawdtopia staff cannot retrieve or view your API keys or channel tokens.
The only metadata we store is what is necessary to manage your instance: its name, deployment status, and configuration preferences. We never store the secrets themselves.
Passwords on Clawdtopia are hashed using bcrypt and never stored in plain text. Authentication sessions are managed using signed tokens with server-side secrets. We support Google OAuth as a passwordless login option.
We recommend using a strong, unique password or signing in with Google to reduce the risk of credential exposure.
Integrations with services like Telegram, Discord, and Slack work entirely through outbound connections initiated by your OpenClaw. Your instance connects to those platforms. They do not connect back to your instance. This means your OpenClaw remains protected even when integrated with external messaging services.
Payments are handled by Dodo Payments, a PCI-compliant payment processor. We never see or store your credit card number, bank details, or any financial credentials. Only a subscription identifier is stored on our side to manage your billing status.
If you discover a security vulnerability in Clawdtopia, please report it to us privately before disclosing it publicly. We take all reports seriously and will respond promptly.
Contact us at [email protected] with the subject line "Security Disclosure".