docs/network.md

---
summary: "Network hub: gateway surfaces, pairing, discovery, and security"
read_when:
  - You need the network architecture + security overview
  - You are debugging local vs tailnet access or pairing
  - You want the canonical list of networking docs
title: "Network"
---

# Network hub

This hub links the core docs for how OpenClaw connects, pairs, and secures
devices across localhost, LAN, and tailnet.

## Core model

Most operations flow through the Gateway (`openclaw gateway`), a single long-running process that owns channel connections and the WebSocket control plane.

- **Loopback first**: the Gateway WS defaults to `ws://127.0.0.1:18789`.
  Non-loopback binds require a valid gateway auth path: shared-secret
  token/password auth, or a correctly configured non-loopback
  `trusted-proxy` deployment.
- **One Gateway per host** is recommended. For isolation, run multiple gateways with isolated profiles and ports ([Multiple Gateways](/gateway/multiple-gateways)).
- **Canvas host** is served on the same port as the Gateway (`/__openclaw__/canvas/`, `/__openclaw__/a2ui/`), protected by Gateway auth when bound beyond loopback.
- **Remote access** is typically SSH tunnel or Tailscale VPN ([Remote Access](/gateway/remote)).

Key references:

- [Gateway architecture](/concepts/architecture)
- [Gateway protocol](/gateway/protocol)
- [Gateway runbook](/gateway)
- [Web surfaces + bind modes](/web)

## Pairing + identity

- [Pairing overview (DM + nodes)](/channels/pairing)
- [Gateway-owned node pairing](/gateway/pairing)
- [Devices CLI (pairing + token rotation)](/cli/devices)
- [Pairing CLI (DM approvals)](/cli/pairing)

Local trust:

- Direct local loopback connects can be auto-approved for pairing to keep
  same-host UX smooth.
- OpenClaw also has a narrow backend/container-local self-connect path for
  trusted shared-secret helper flows.
- Tailnet and LAN clients, including same-host tailnet binds, still require
  explicit pairing approval.

## Discovery + transports

- [Discovery & transports](/gateway/discovery)
- [Bonjour / mDNS](/gateway/bonjour)
- [Remote access (SSH)](/gateway/remote)
- [Tailscale](/gateway/tailscale)

## Nodes + transports

- [Nodes overview](/nodes)
- [Bridge protocol (legacy nodes, historical)](/gateway/bridge-protocol)
- [Node runbook: iOS](/platforms/ios)
- [Node runbook: Android](/platforms/android)

## Security

- [Security overview](/gateway/security)
- [Gateway config reference](/gateway/configuration)
- [Troubleshooting](/gateway/troubleshooting)
- [Doctor](/gateway/doctor)
docs: add network hub + pairing locality 2026-01-21 00:14:06 +00:00			`---`
			`summary: "Network hub: gateway surfaces, pairing, discovery, and security"`
			`read_when:`
			`- You need the network architecture + security overview`
			`- You are debugging local vs tailnet access or pairing`
			`- You want the canonical list of networking docs`
Docs: add nav titles across docs (#5689 ) 2026-01-31 16:04:03 -05:00			`title: "Network"`
docs: add network hub + pairing locality 2026-01-21 00:14:06 +00:00			`---`
chore: Run `pnpm format:fix`. 2026-01-31 21:13:13 +09:00
docs: add network hub + pairing locality 2026-01-21 00:14:06 +00:00			`# Network hub`

refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`This hub links the core docs for how OpenClaw connects, pairs, and secures`
docs: add network hub + pairing locality 2026-01-21 00:14:06 +00:00			`devices across localhost, LAN, and tailnet.`

			`## Core model`

docs: merge network-model stub into network hub, improve bridge deprecation 2026-03-31 14:37:43 +09:00			Most operations flow through the Gateway (`openclaw gateway`), a single long-running process that owns channel connections and the WebSocket control plane.

docs: refresh bridge removal mirrors 2026-04-04 21:24:09 +01:00			- Loopback first: the Gateway WS defaults to `ws://127.0.0.1:18789`.
			`Non-loopback binds require a valid gateway auth path: shared-secret`
			`token/password auth, or a correctly configured non-loopback`
			`trusted-proxy` deployment.
docs: merge network-model stub into network hub, improve bridge deprecation 2026-03-31 14:37:43 +09:00			`- One Gateway per host is recommended. For isolation, run multiple gateways with isolated profiles and ports ([Multiple Gateways](/gateway/multiple-gateways)).`
			- Canvas host is served on the same port as the Gateway (`/__openclaw__/canvas/`, `/__openclaw__/a2ui/`), protected by Gateway auth when bound beyond loopback.
			`- Remote access is typically SSH tunnel or Tailscale VPN ([Remote Access](/gateway/remote)).`

			`Key references:`

docs: add network hub + pairing locality 2026-01-21 00:14:06 +00:00			`- [Gateway architecture](/concepts/architecture)`
			`- [Gateway protocol](/gateway/protocol)`
			`- [Gateway runbook](/gateway)`
			`- [Web surfaces + bind modes](/web)`

			`## Pairing + identity`

docs: canonicalize docs paths and align zh navigation (#11428 ) 2026-02-07 15:40:35 -05:00			`- [Pairing overview (DM + nodes)](/channels/pairing)`
docs: add network hub + pairing locality 2026-01-21 00:14:06 +00:00			`- [Gateway-owned node pairing](/gateway/pairing)`
			`- [Devices CLI (pairing + token rotation)](/cli/devices)`
			`- [Pairing CLI (DM approvals)](/cli/pairing)`

			`Local trust:`
chore: Run `pnpm format:fix`. 2026-01-31 21:13:13 +09:00
docs: refresh pairing locality refs 2026-04-04 16:12:56 +01:00			`- Direct local loopback connects can be auto-approved for pairing to keep`
			`same-host UX smooth.`
			`- OpenClaw also has a narrow backend/container-local self-connect path for`
			`trusted shared-secret helper flows.`
			`- Tailnet and LAN clients, including same-host tailnet binds, still require`
			`explicit pairing approval.`
docs: add network hub + pairing locality 2026-01-21 00:14:06 +00:00
			`## Discovery + transports`

			`- [Discovery & transports](/gateway/discovery)`
			`- [Bonjour / mDNS](/gateway/bonjour)`
			`- [Remote access (SSH)](/gateway/remote)`
			`- [Tailscale](/gateway/tailscale)`

docs: align node transport with gateway ws 2026-01-22 23:07:58 +00:00			`## Nodes + transports`
docs: add network hub + pairing locality 2026-01-21 00:14:06 +00:00
			`- [Nodes overview](/nodes)`
docs: refresh bridge removal mirrors 2026-04-04 21:24:09 +01:00			`- [Bridge protocol (legacy nodes, historical)](/gateway/bridge-protocol)`
docs: add network hub + pairing locality 2026-01-21 00:14:06 +00:00			`- [Node runbook: iOS](/platforms/ios)`
			`- [Node runbook: Android](/platforms/android)`

			`## Security`

			`- [Security overview](/gateway/security)`
			`- [Gateway config reference](/gateway/configuration)`
			`- [Troubleshooting](/gateway/troubleshooting)`
			`- [Doctor](/gateway/doctor)`