ContextQMD
Back to Daytona

Run OpenClaw in a Daytona Sandbox via CLI

apps/docs/src/content/docs/en/guides/openclaw/openclaw-run-secure-sandbox.mdx

0.173.07.4 KB
Original Source

import { TabItem, Tabs } from '@astrojs/starlight/components'

This guide walks you through setting up OpenClaw inside a Daytona sandbox and configuring Telegram and WhatsApp channels.

Running OpenClaw in a Daytona sandbox keeps your AI assistant isolated from your local machine, provides a secure environment for code execution, and ensures your bot stays online 24/7 without tying up your personal computer.

Prerequisites

  • Daytona account and API key (Get it from Daytona Dashboard)
  • Local terminal (macOS, Linux, or Windows)

Install the Daytona CLI

<Tabs syncKey="os"> <TabItem label="Mac/Linux"> ```bash brew install daytonaio/cli/daytona ``` </TabItem> <TabItem label="Windows"> ```bash powershell -Command "irm https://get.daytona.io/windows | iex" ``` </TabItem> </Tabs>

:::note Already have the CLI? Check your version with daytona --version. If it's below 0.135.0, upgrade to the latest version. :::

Authenticate with Daytona

Log in to your Daytona account using your API key:

bash
daytona login --api-key=YOUR_API_KEY

Replace YOUR_API_KEY with your actual Daytona API key.

Create a Sandbox

Create a sandbox for running OpenClaw:

bash
daytona sandbox create --name openclaw --snapshot daytona-medium --auto-stop 0

OpenClaw comes preinstalled in the default Daytona snapshot, so the command above is all you need.

:::note The --auto-stop 0 flag disables automatic shutdown, keeping OpenClaw accessible until you manually stop or delete the sandbox. The daytona-medium snapshot is required because the OpenClaw gateway needs a minimum of 2GB memory. :::

Connect to the Sandbox

SSH into your sandbox:

bash
daytona ssh openclaw

Run OpenClaw Onboarding

Start the onboarding process:

bash
openclaw onboard

:::note The model provider steps below are for Anthropic. If using a different provider, follow the prompts for your chosen option. :::

Follow the prompts:

  1. Security acknowledgment: Accept to continue
  2. Onboarding mode: Select Quickstart
  3. Model/auth provider: Select Anthropic
  4. Anthropic auth method: Select Anthropic API key
  5. Enter Anthropic API key: Paste your API key
  6. Default model: Keep current (default: anthropic/claude-opus-4-5)
  7. Select channel: Choose Skip for now (we'll configure channels later)
  8. Configure skills: Select No (configure later based on your needs)
  9. Enable hooks: Select Skip for now (configure later based on your needs)
  10. Gateway service: Select Skip (already installed)

When onboarding finishes, the output will display a Dashboard ready section with a dashboard link. Your gateway token is the value after ?token= in the URL. Save this token - you'll need it to connect to the dashboard.

Also, OpenClaw will ask you to Install shell completion script? - choose whatever you prefer, this is optional and doesn't affect functionality.

Start the Gateway

Run the gateway in the background:

bash
nohup openclaw gateway run > /tmp/gateway.log 2>&1 &

The & runs the gateway as a background process, keeping your terminal free for other commands. The nohup ensures the gateway keeps running even after you close the SSH connection.

Access the Dashboard

The OpenClaw dashboard is a web interface for managing your assistant, monitoring connections, and configuring channels. To access it, you need a preview URL that exposes the gateway port running inside your sandbox.

In your local terminal (not inside the sandbox SSH session), generate the preview URL:

bash
daytona preview-url openclaw --port 18789

This command generates a signed preview URL that securely exposes the port.

Open the URL in your browser, go to the Overview section, paste your gateway token in the Gateway Token field, and click Connect.

:::tip The preview URL expires after 1 hour by default (customizable with --expires flag). When it expires, simply run the same CLI command to generate a new one. :::

Pair Your Browser

OpenClaw uses device pairing as a security measure - only approved devices can connect to and control your assistant. When you first attempt to connect from the dashboard, your browser registers as a new device that needs approval.

List pending device requests:

bash
openclaw devices list

Approve your device:

bash
openclaw devices approve REQUEST_ID

Replace REQUEST_ID with the value from the Request column.

Click Connect again in the dashboard.

Once connected, you should see a green status indicator - your OpenClaw is now ready to use.

Security

Running OpenClaw this way provides three layers of security:

  1. Preview URL: Time-limited access to the dashboard port
  2. Gateway token: Required to authenticate with the dashboard
  3. Device approval: Only approved devices can connect and control your assistant

Even if someone obtains your dashboard URL, they cannot connect without the gateway token and an approved device.

:::caution Keep your gateway token and preview URL secret. Do not share them publicly. :::

Configure Telegram

Set up a Telegram bot to chat with OpenClaw.

Create a Telegram Bot

  1. Open Telegram and search for @BotFather
  2. Send /start, then /newbot
  3. Enter a name for your bot
  4. Enter a username for your bot
  5. Copy the bot token provided

Configure OpenClaw

Enable Telegram and set your bot token:

bash
openclaw config set channels.telegram.enabled true
openclaw config set channels.telegram.botToken YOUR_BOT_TOKEN

Verify the configuration:

bash
openclaw config get channels.telegram

Restart the Gateway

bash
openclaw gateway stop
nohup openclaw gateway run > /tmp/gateway.log 2>&1 &

Complete Verification

  1. Open your bot's chat in Telegram and click Start
  2. A pairing code will appear. Approve the pairing request:
bash
openclaw pairing approve telegram PAIRING_CODE

You can now message your OpenClaw through Telegram.

Configure WhatsApp

Set up WhatsApp to chat with OpenClaw.

Run Configuration

bash
openclaw config --section channels

When prompted:

  1. Select Local (this machine) for gateway location
  2. Choose Configure/link
  3. Select WhatsApp (QR link)
  4. Select Yes for "Link WhatsApp now (QR)?"

Scan the QR Code

Open WhatsApp on your phone, go to Settings → Linked Devices → Link a Device, and scan the QR code displayed in your terminal.

Once paired, you'll see:

✅ Linked after restart; web session ready.

Set Up Your Phone Number

Select This is my personal phone number (or choose the other option if you have a separate phone for OpenClaw) and enter your phone number when prompted.

Finish Configuration

When prompted to select another channel, choose Finished. You'll see:

└  Configure complete.

Start Chatting

Send a message to yourself in WhatsApp - OpenClaw will respond. You can give it instructions and information on how to behave directly in the chat.

:::tip To allow other users to chat with OpenClaw, add their phone numbers to the Allow From list in Channels → WhatsApp inside the dashboard. When they send a message, OpenClaw will respond. :::