#Best practices after fresh install
Let me pull the installed docs paths first so I don't make up links/keys.
Yep. For a fresh Ubuntu VPS, I'd optimize for reliability and safe remote access first.
- Keep the Gateway private. Use loopback, then access it via SSH tunnel or Tailscale Serve. If you bind to tailnet or lan, require token/password auth and set allowed origins explicitly. Docs: https://docs.openclaw.ai/web https://docs.openclaw.ai/help/faq
- Run it as a daemon. openclaw onboard --install-daemon, then make sure Linux lingering is enabled, or use a system service for a true always-on box. Docs: https://docs.openclaw.ai/start/setup https://docs.openclaw.ai/vps
- Prefer API keys on the server for long-lived model auth. Put them on the gateway host, usually in ~/.openclaw/.env, then verify with openclaw models status. Docs: https://docs.openclaw.ai/gateway/authentication
- Use a strong primary model and set fallbacks. For tool-enabled agents, avoid older/weaker tiers. Docs: https://docs.openclaw.ai/concepts/models and current community notes: https://docs.openclaw.ai/concepts/models#model-discussions-community-notes
- Make health checks routine:
openclaw status
openclaw status --deep
openclaw doctor
openclaw channels status --probe
openclaw logs --follow
- Back up both layers. Run openclaw backup create --verify, and keep ~/.openclaw/workspace in a private git repo. Do not commit ~/.openclaw. Docs: https://docs.openclaw.ai/cli/backup https://docs.openclaw.ai/concepts/agent-workspace
- Run a security audit after config changes. openclaw security audit --deep, and lock down perms like chmod 700 ~/.openclaw. Docs: https://docs.openclaw.ai/gateway/security
- If the VPS is small, tune startup/memory. On tiny VMs, prefer cloud models over local ones, add swap if needed, and set:
[Service]
Environment=OPENCLAW_NO_RESPAWN=1
Environment=NODE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache
Restart=always
RestartSec=2
TimeoutStartSec=90
Docs: https://docs.openclaw.ai/vps
If you want, I can turn that into a copy-paste post-install checklist for your exact VPS size and access setup.
sure
Yep, here's a solid post-install checklist for an Ubuntu VPS.
1) Verify the install
openclaw --version
node -v
openclaw status
openclaw doctor
2) Keep the Gateway private
Recommended baseline:
openclaw config set gateway.bind loopback
openclaw config set gateway.auth.mode token
openclaw doctor --generate-gateway-token
openclaw gateway restart
3) Pick one remote-access path
Option A, Tailscale Serve (my favorite):
openclaw config set gateway.tailscale.mode serve
openclaw config set gateway.trustedProxies '["127.0.0.1"]'
openclaw gateway restart
tailscale serve status
Option B, SSH tunnel from your laptop:
ssh -N -L 18789:127.0.0.1:18789 user@your-vps
Then open http://127.0.0.1:18789/.
4) Make sure it stays up
sudo loginctl enable-linger $USER
systemctl --user status openclaw-gateway.service
Optional tuning for small VPSes:
systemctl --user edit openclaw-gateway.service
Paste:
[Service]
Environment=OPENCLAW_NO_RESPAWN=1
Environment=NODE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache
Restart=always
RestartSec=2
TimeoutStartSec=90
Then:
systemctl --user daemon-reload
systemctl --user restart openclaw-gateway.service
5) Use server-friendly model auth
For always-on boxes, prefer API keys on the VPS over browser/OAuth-style setups.
Put them in:
~/.openclaw/.env
Then verify:
openclaw models status
Also, use a strong primary model plus fallbacks. Model docs: https://docs.openclaw.ai/concepts/models
6) Security quick wins
chmod 700 ~/.openclaw
openclaw security audit --deep
7) Backup from day one
openclaw backup create --verify
And keep your workspace in a private git repo:
cd ~/.openclaw/workspace
git init
git add .
git commit -m "Initial workspace backup"
Do not commit ~/.openclaw.
8) If the VPS is tiny
If you're on 1 GB RAM, add swap:
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
Also, prefer cloud/API models over local models on small VPSes.
9) Routine health commands
openclaw status
openclaw status --deep
openclaw channels status --probe
openclaw logs --follow
openclaw doctor
Best docs for this:
- https://docs.openclaw.ai/vps
- https://docs.openclaw.ai/help/faq
- https://docs.openclaw.ai/gateway/security
- https://docs.openclaw.ai/cli/backup
If you want, I can also give you a Tailscale-specific checklist or a Discord/Telegram-specific hardening checklist.
from openclaw doctor:
Bootstrap file size

Workspace bootstrap files are near configured limits:
- AGENTS.md: 11,683 chars (97% of max/file 12,000)
Total bootstrap injected chars: 25,400 (42% of max/total 60,000).
Total bootstrap raw chars (before truncation): 25,400.

- Tip: tune agents.defaults.bootstrapMaxChars for per-file limits.
Is this a concern? How best should I address it?
Let me check the bootstrap docs so I can give you the clean answer, not vibes.
Not an immediate problem, no. It's a warning, not a failure.
What your output means:
- AGENTS.md is close to the per-file cap: 11,683 / 12,000 chars
- Total bootstrap size is fine: 25,400 / 60,000 chars
So the real risk is per-file truncation, not total budget.
My recommendation
Best fix: keep AGENTS.md focused on the stuff that truly must load every session.
Good split:
- AGENTS.md = core rules, priorities, standing orders
- SOUL.md = tone/personality
- USER.md = user facts/preferences
- TOOLS.md = local tool notes/conventions
- longer procedures / examples = separate docs or skills, read on demand
When it becomes a real concern
If AGENTS.md grows past the cap, the tail gets truncated when injected. That means instructions near the end may silently stop being seen.
In your case
Because total budget is only 42%, you do not need to raise bootstrapTotalMaxChars.
If your AGENTS.md is already lean and the extra text is genuinely important every session, then a small bump to bootstrapMaxChars is reasonable, for example:
{
  agents: {
    defaults: {
      bootstrapMaxChars: 16000
    }
  }
}
I'd do that only after trimming obvious fluff, since bigger bootstrap means more prompt cost every run.
Quick sanity check
Run:
/context
/context detail
That will show raw vs injected sizes and whether truncation is actually happening.
Nice extra perf tweak
If you care about token burn on long chats, look at:
{
agents: { defaults: { contextInjection: "continuation-skip" } }
}
Docs:
- https://docs.openclaw.ai/concepts/context
- https://docs.openclaw.ai/concepts/agent-workspace
- https://docs.openclaw.ai/gateway/configuration-reference
If you want, paste your AGENTS.md structure and I can tell you what to keep in AGENTS vs what to move out.
I worked on that myself. Here is another issue I encountered:
can you see this? OpenClaw added to Discord is not responding.
#1491065264530264096 message
I'm going to check that linked Discord context first, then I'll tell you exactly what I can and can't see.
I can't open that linked Discord message from here, I don't have access to that channel.
Since this is troubleshooting, the first thing I need is:
openclaw --version
Then please run this exact set and paste the output:
openclaw status
openclaw gateway status
openclaw channels status --probe
openclaw pairing list --channel discord
openclaw logs --follow
For Discord specifically, the most common causes are:
- mention required in guild channels
- pairing pending
- allowlist / group policy mismatch
Typical log clues look like:
- drop guild message (mention required
- pairing request
- blocked or allowlist
Also useful: does it fail only in the server, or also in DMs?
If you paste openclaw --version plus those command outputs, I can usually narrow it down fast. Docs: https://docs.openclaw.ai/help/troubleshooting
openclaw-agent@automation:~$ openclaw channels status --probe
🦞 OpenClaw 2026.4.21 (f788c88)
Gateway reachable.
- Discord default: enabled, configured, running, connected, in:48m ago, bot:@D333's OpenClaw, token:config, intents:content=limited, works
- Telegram default: enabled, configured, running, connected, mode:polling, bot:@Lobsta_bot, token:config, works
Tip: status --deep adds gateway health probes to status output (requires a reachable gateway).
openclaw-agent@automation:~$ openclaw pairing list --channel discord
🦞 OpenClaw 2026.4.21 (f788c88)
No pending discord pairing requests.
Nice, that rules out a few common failures. I'm going to check the Discord docs/log signatures for that content=limited piece before I point you at the next fix.
Yep, this helps a lot.
Good news: the Discord transport itself is up, connected, and probeable. Pairing is not the blocker.
The line that jumps out is:
intents:content=limited
For "bot is online but no guild replies", the two big suspects now are:
- Discord message content intent
- Guild/channel gating (groupPolicy, guild allowlist, requireMention, per-channel allowlist, user allowlist)
First thing I would check
In the Discord Developer Portal → Bot → Privileged Gateway Intents:
- enable Message Content Intent
- enable Server Members Intent (recommended)
- then restart the gateway
Docs: https://docs.openclaw.ai/channels/discord#troubleshooting
Then test with logs open
Run:
openclaw status
openclaw logs --follow
Then send a fresh test message in the server, ideally @mentioning the bot once.
What to look for in logs
If you see:
- drop guild message (mention required → mention gating is blocking it
- blocked/allowlist → guild/channel/user allowlist is blocking it
Very common config gotchas
If groupPolicy: "allowlist" is set, make sure:
- the server ID is present under channels.discord.guilds
- if you defined a channels map under that guild, the specific channel is listed
- if you set a users allowlist, your user ID is in it
- requireMention is under the right place: channels.discord.guilds.<guildId> or the channel entry
If it's your private server
A common working setup is:
{
  channels: {
    discord: {
      groupPolicy: "allowlist",
      guilds: {
        YOUR_SERVER_ID: {
          requireMention: false,
          users: ["YOUR_USER_ID"],
        },
      },
    },
  },
}
If you paste these next, I can usually pinpoint it fast:
- openclaw status
- the relevant openclaw logs --follow lines from one failed test message
- your channels.discord config block with the token redacted
"First thing I would check
In the Discord Developer Portal → Bot → Privileged Gateway Intents:
enable Message Content Intent
enable Server Members Intent (recommended)
then restart the gateway" - already enabled.
- nothing showed up in 'openclaw logs --follow'
- how to see?
I want to give you the exact config-inspection command, not a guessed one. Checking the CLI docs quickly.
Yep, for 3, easiest way is:
openclaw config get channels.discord --json
Redact the token if needed, then paste it here.
For 2, if you sent a fresh test message and nothing at all appeared in openclaw logs --follow, that usually means the event is not reaching the gateway. That points more to Discord-side visibility/permissions than pairing.
Next checks I'd do
- Make sure you're testing the same bot
The probe says the connected bot is:
@D333's OpenClaw
- Check the bot can see the exact channel
In Discord channel permissions, make sure the bot has at least:
  - View Channels
  - Send Messages
  - Read Message History
  - if this is a thread/forum/media post: Send Messages in Threads
- If in doubt, re-invite the bot
With: bot, applications.commands
- Do one DM test
If DM works but guild/thread does not, that narrows it hard to guild config/permissions.
Also paste these if you can
openclaw config get channels.discord.groupPolicy
openclaw config get channels.discord.guilds --json
That'll tell us really fast whether this is:
- guild allowlist
- requireMention
- wrong guild/channel config
- or Discord permissions on the channel/thread
My guess right now is guild/thread visibility or allowlist config, especially since channels status --probe says Discord is connected and healthy.
openclaw-agent@automation:~$ openclaw config get channels.discord --json
{
"enabled": true,
"token": "OPENCLAW_REDACTED",
"allowFrom": [
"723_i redacted it_456"
],
"groupPolicy": "allowlist"
}
openclaw-agent@automation:~$ openclaw config get channels.discord.groupPolicy
🦞 OpenClaw 2026.4.21 (f788c88)
allowlist
openclaw-agent@automation:~$ openclaw config get channels.discord.guilds --json
Config path not found: channels.discord.guilds
Yep, this is the problem.
You have:
channels.discord.groupPolicy = allowlist
but:
channels.discord.guilds = missing
So OpenClaw is connected to Discord, but no guild/server is actually allowed.
Also, allowFrom is not the guild allowlist. That's for sender allow rules, not the server list.
Then test again.
Why this was failing
With Discord, when groupPolicy is allowlist, docs say the guild must match channels.discord.guilds, and if that map is missing, guild messages are blocked.
Docs: https://docs.openclaw.ai/channels/discord
If it works after that, please right-click the solution message → Apps → Mark Solution so Answer Overflow can index it.