Deploy to Production
James opened his laptop in the morning and found three unanswered WhatsApp messages from the night. His agent had stopped checking leads at 11:47 PM, the exact minute he closed his laptop lid.
He looked at the gateway log. Thirteen lessons of building, customizing, securing. His agent had a personality, skills, plugins, voice, multi-agent routing, and a custom approval gate. But it stopped working every time he closed his laptop lid.
"I want this running when I sleep," he said.
Emma pulled up a Hetzner pricing page. "Five dollars a month. Two vCPUs, four gigs of RAM, forty gigs of SSD." She turned the screen toward him. "Your agent runs on less hardware than your coffee maker."
"How long to set it up?"
"Budget forty-five minutes. Fifteen for the VPS and Docker. Fifteen for OpenClaw. Fifteen for the paper cuts you will definitely hit." She paused. "After that? Your agent never sleeps."
You are doing exactly what James is doing: taking an agent that works on your laptop and moving it to infrastructure that never sleeps.
Your AI Employee runs on your laptop, which sleeps, loses Wi-Fi, and shuts down for updates. This lesson moves it to a server that runs 24/7. By the end, your agent responds from a datacenter, and you access its Control UI through an encrypted tunnel.
If you do not want to deploy right now, read through the steps and understand the process. You can deploy later when you are ready. The exercises at the end work either way.
Choose Your Deployment Path
- Managed Server (Recommended)
- Manual VPS Setup
One-Click Managed Server
Alibaba Cloud's Simple Application Server comes with OpenClaw pre-installed. No Docker, no SSH, no manual configuration. Your agent is running 24/7 within minutes.
Pricing: Starting at $0.99/month (promotional). Regular price ~$8/month for a 2 GB instance.
Steps:
- Go to the OpenClaw on Alibaba Cloud setup page
- Select a Simple Application Server with the OpenClaw image (2 GB+ memory)
- Choose your region and subscription duration
- Complete payment
- In the SAS Console, open your instance and run the firewall configuration command
- Set up your API key through Model Studio (Qwen models are integrated, or bring your own provider)
- Access the dashboard URL shown in your instance details
Your OpenClaw gateway is now running in the cloud. The dashboard is your Control UI.
After provisioning, connect a messaging channel. The managed server handles infrastructure; you still configure WhatsApp, Telegram, or Discord using the same steps from Lesson 2. SSH into your instance and run:
openclaw channels add --channel telegram
# or
openclaw channels add --channel whatsapp
openclaw channels login --channel whatsapp
Follow the channel setup flow from Lesson 2 (BotFather for Telegram, QR scan for WhatsApp). Restart the gateway after adding the channel: openclaw gateway restart.
Send a test message. If the agent responds, you are deployed.
For the complete walkthrough, see the Alibaba Cloud OpenClaw guide.
Alibaba Cloud also offers a 1-year free trial on ECS (Elastic Compute Service) instances. If you prefer the manual setup path (VPS tab) at zero cost, sign up for the free trial and follow the VPS steps below on your free ECS instance.
Set Up Your Own Server
If you want full control or prefer a different provider, set up a VPS manually with Docker Compose.
You need: A Linux server with at least 2 vCPUs and 4 GB RAM.
| Provider | Monthly Cost | Notes |
|---|---|---|
| Alibaba ECS | Free 1 year | Free trial, then ~$8/mo |
| Hetzner CX21 | $5/mo | 2 vCPU, 4 GB RAM, 40 GB SSD |
| DigitalOcean | $6/mo | Similar specs |
| Vultr | $6/mo | Similar specs |
| Oracle Cloud | Free | Always Free ARM, 4 vCPU/24 GB |
On Hetzner (example):
- Sign up at hetzner.com/cloud
- Create a new project
- Click Add Server
- Select Ubuntu 24.04, CX21
- Add your SSH key (or let Hetzner email you the root password)
- Click Create & Buy Now
- Note the IP address
WhatsApp is a single-connection protocol. You cannot load-balance it across multiple pods. The linked-device session is stateful, tied to one gateway process. Docker Compose on a single VPS is the right architecture for one AI Employee.
SSH In and Install Docker
ssh root@YOUR_VPS_IP
apt-get update
apt-get install -y git curl ca-certificates
curl -fsSL https://get.docker.com | sh
Verify:
docker --version
docker compose version
Clone and Configure
git clone https://github.com/openclaw/openclaw.git
cd openclaw
Create persistent directories:
mkdir -p /root/.openclaw/workspace
chown -R 1000:1000 /root/.openclaw
Generate a gateway token and create the .env file:
GATEWAY_TOKEN=$(openssl rand -hex 32)
cat > .env << EOF
OPENCLAW_IMAGE=openclaw:latest
OPENCLAW_GATEWAY_TOKEN=$GATEWAY_TOKEN
OPENCLAW_GATEWAY_BIND=lan
OPENCLAW_GATEWAY_PORT=18789
OPENCLAW_CONFIG_DIR=/root/.openclaw
OPENCLAW_WORKSPACE_DIR=/root/.openclaw/workspace
EOF
Save your gateway token. Print it now and copy it somewhere safe:
echo "$GATEWAY_TOKEN"
Build and Launch
docker compose up -d
First build takes 3-5 minutes. Check status:
docker compose ps
If it shows Restarting, check docker compose logs -f openclaw-gateway. If you see Gateway start blocked — gateway.mode not configured:
docker compose run --rm --no-deps --entrypoint node openclaw-gateway \
dist/index.js config set gateway.mode local
docker compose restart openclaw-gateway
Run Onboarding
docker compose exec openclaw-gateway openclaw onboard --no-install-daemon
Same wizard from Lesson 2: choose your model provider, authenticate, select a model.
If you cancel the wizard, the gateway looks running but no model is configured. Nothing responds. Complete the wizard, or set the provider manually:
docker compose exec openclaw-gateway openclaw config set model.provider google
docker compose exec openclaw-gateway openclaw config set model.model gemini-2.5-flash
Connect a Channel
Your local WhatsApp is linked to your laptop's gateway. You need a separate channel for the VPS.
Telegram (easiest for production):
docker compose exec openclaw-gateway openclaw channels add --channel telegram
Discord:
docker compose exec openclaw-gateway openclaw channels add --channel discord
WhatsApp (requires a dedicated phone number):
docker compose exec -it openclaw-gateway openclaw channels add --channel whatsapp
docker compose exec -it openclaw-gateway openclaw channels login --channel whatsapp
Restart after adding the channel:
docker compose restart openclaw-gateway
Send a test message. If the agent responds, you are deployed.
Access the Control UI
The gateway binds to 127.0.0.1. It is not accessible from the public internet. To reach the Control UI from your laptop, open an SSH tunnel:
ssh -N -L 18789:127.0.0.1:18789 root@YOUR_VPS_IP
Open http://127.0.0.1:18789/ in your browser and paste the gateway token.
If your local gateway is already using port 18789, use a different local port:
ssh -N -L 19000:127.0.0.1:18789 root@YOUR_VPS_IP
Then open http://localhost:19000. If the page loads but shows no data, the browser origin (http://localhost:19000) is not in the gateway's allowed origins. Add it:
# For managed (Alibaba Cloud):
openclaw config set gateway.controlUi.allowedOrigins \
'["http://localhost:18789","http://127.0.0.1:18789","http://localhost:19000","http://127.0.0.1:19000"]' \
--strict-json
# For VPS (Docker):
docker compose exec openclaw-gateway openclaw config set \
gateway.controlUi.allowedOrigins \
'["http://localhost:18789","http://127.0.0.1:18789","http://localhost:19000","http://127.0.0.1:19000"]' \
--strict-json
The Security Model
No reverse proxy. No TLS certificates. No WAF.
| Component | Role |
|---|---|
| Loopback bind | Gateway only on 127.0.0.1, nothing external can reach it |
| SSH tunnel | Encrypted point-to-point from your laptop to the VPS |
| Gateway token | Authentication for the Control UI once tunnel is open |
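The SSH key IS the authentication. The tunnel IS the encryption. The loopback binding IS the access control. For a single-operator deployment, this is the correct security posture. It depends on SSH accepting keys only: if you let the provider email you a root password instead of adding an SSH key, that password is what guards the tunnel.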
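The model above depends on port 18789 being reachable on the host's loopback interface only, while the .env file sets OPENCLAW_GATEWAY_BIND=lan, so it is worth confirming on the VPS. The script below is an added example, not part of OpenClaw or the original lesson; the function names and the sample ss lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the gateway port listens on loopback only.
# Live use on the VPS:  ss -Htln | audit_gateway_bind 18789

# Read `ss -Htln` lines on stdin; print each local address that listens
# on port $1 and is not a loopback address.
non_loopback_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = match($4, /:[0-9]+$/)      # last colon separates the port
            if (n == 0) next
            addr = substr($4, 1, n - 1)
            if (substr($4, n + 1) != port) next
            sub(/%.*$/, "", addr)          # drop an interface scope (%lo)
            if (addr ~ /^127\./ || addr == "[::1]") next
            if (addr ~ /^\[::ffff:127\./) next
            print addr
        }'
}

# Exit 0 when nothing but loopback listens on port $1, 1 otherwise.
audit_gateway_bind() {
    exposed=$(non_loopback_listeners "$1")
    if [ -n "$exposed" ]; then
        echo "FAIL: port $1 listens on: $(printf '%s' "$exposed" | tr '\n' ' ')"
        return 1
    fi
    echo "OK: no non-loopback listener on port $1"
}

# Constructed sample input (not captured from a real server).
SAMPLE_SAFE='LISTEN 0 4096 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_EXPOSED='LISTEN 0 4096 0.0.0.0:18789 0.0.0.0:*
LISTEN 0 4096 [::]:18789 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE_SAFE"    | audit_gateway_bind 18789 || true
printf '%s\n' "$SAMPLE_EXPOSED" | audit_gateway_bind 18789 || true
```

This view covers listening sockets only; also confirm from your laptop, without the tunnel, that YOUR_VPS_IP:18789 does not accept connections.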
Production Security Hardening
Before any customer touches your agent, run the security audit:
docker compose exec openclaw-gateway openclaw security audit
On a default installation, expect critical findings from groupPolicy set to open and warn findings for credential directory permissions.
Two Commands to Zero Criticals
docker compose exec openclaw-gateway openclaw config set groupPolicy allowlist
chmod 700 /root/.openclaw/credentials/
Run the audit again. Zero criticals.
The Hardening Checklist
- groupPolicy = allowlist (not open)
- Credentials directory = 700 permissions
- Tool profile = messaging or minimal (not coding)
- Log redaction enabled: openclaw config set logRedaction tools
- Backup verified: openclaw backup creates a portable backup; test the restore
- /commands awareness: all OpenClaw slash commands (/think off, /forget, /sessions) are accessible to every approved user with no role gating. Awareness mitigation only: add a note in the system prompt that these commands are operator-only
Cost Analysis
| Item | Monthly Cost |
|---|---|
| Hetzner VPS (CX21) | $5 |
| Model provider (paid) | $50-100 |
| Telnyx voice (optional) | $11 |
| Domain + DNS | ~$1 |
| Total | ~$67-117 |
The real cost is not infrastructure; it is the model provider. And the real optimization is not cheaper hardware; it is fewer tokens per interaction. That is why Lesson 4 spent time on workspace file optimization and Lesson 8 covered heartbeat cost management.
Try With AI
Exercise 1: Deploy or Trace
If you have a VPS, follow Steps 1-7 and deploy. If you do not, trace the deployment by reading each step and predicting what goes wrong if you skip it.
For each of the 7 deployment steps, write one sentence
describing what it does and what breaks if you skip it.
What you are learning: Production deployment is sequential. Skipping onboarding (Step 5) leaves a running gateway that never responds. Skipping channel setup (Step 6) means the VPS gateway has no way to receive messages.
Exercise 2: Map the Security Model
Draw a diagram showing: your laptop, the SSH tunnel,
the VPS, the gateway on 127.0.0.1, and the Docker container.
Label where authentication happens and where encryption happens.
Why is no TLS certificate needed?
What you are learning: The SSH tunnel replaces three components (reverse proxy, TLS termination, API gateway) with one. The security model is simple because the attack surface is small: SSH key authentication plus loopback binding.
Exercise 3: Calculate Your Costs
Calculate the monthly cost of running your AI Employee
in production. Include: VPS, model provider at your
expected message volume, and any optional services.
Compare this to the cost of a human performing the same tasks.
What you are learning: The infrastructure cost ($5-15/month) is trivial compared to the model cost ($50-100/month). The economics favor AI Employees only when the agent handles enough volume to justify the model cost.
When Emma came back, James had his phone in one hand and a terminal SSH session in the other. "It is responding from Germany."
"How long?"
"Forty-two minutes. Permission denied because I forgot the chown. Then the CORS thing when I tunneled to port 19000." He paused. "Same debugging pattern as Lesson 2, though. Check the log, find the error, fix the config."
Emma nodded. "The CORS paper cut caught me too, first time. I expected it to just work."
She looked at the terminal. Health endpoint returning 200. Gateway uptime climbing. "Your agent runs when you sleep now. That is what separates a demo from a product."
James thought about his old job. The operations team had a saying: production is the thing that works at 3 AM when nobody is watching. His agent was that now.
"The hardest part was not the deployment," he said. "It was realizing that the setup from Lesson 2 repeats almost exactly on the VPS. Same wizard, same config, same crash loop. I already knew the fixes."
"That is the point." Emma closed her laptop. "Thirteen lessons on your laptop were not just about learning features. They were about building the instincts you need when the same problems appear on a server with no one else around to ask."