OpenClaw No TLS/HTTPS — How to Enable Encryption (2026)

Running OpenClaw without TLS/HTTPS exposes all traffic including API keys. Learn how to enable HTTPS with Let's Encrypt, Caddy, or Nginx.

Why HTTPS Matters for OpenClaw

Without encryption, your API keys, conversation data, and user credentials are transmitted as plain text. Anyone on the same network — or any router between your users and server — can read everything. HTTPS is also required for Telegram and WhatsApp webhook integrations.

Option 1: Caddy (Easiest)

Caddy automatically handles SSL certificates via Let's Encrypt:

# Install Caddy
sudo apt install -y caddy

# Create Caddyfile (written via sudo tee, since /etc/caddy is root-owned)
sudo tee /etc/caddy/Caddyfile > /dev/null << 'EOF'
your-domain.com {
    reverse_proxy localhost:3000 {
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-Proto {scheme}
    }
}
EOF

# Start Caddy
sudo systemctl restart caddy

Option 2: Nginx + Certbot

# Install Nginx and Certbot
sudo apt install -y nginx certbot python3-certbot-nginx

# Get SSL certificate
sudo certbot --nginx -d your-domain.com

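# Nginx server block (file contents, not a shell command).
# Certbot adds the listen 443 and ssl_certificate lines; the proxy settings in the location block are added by hand.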
server {
    listen 443 ssl;
    server_name your-domain.com;

    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Option 3: Cloudflare Tunnel (No Open Ports)

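# Install cloudflared (add Cloudflare's apt repository, trusting its key for that repository only)
sudo mkdir -p --mode=0755 /usr/share/keyrings
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg > /dev/null
echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared any main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
sudo apt update && sudo apt install -y cloudflared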

# Authenticate and create tunnel
cloudflared tunnel login
cloudflared tunnel create openclaw
cloudflared tunnel route dns openclaw your-domain.com

# Run the tunnel
cloudflared tunnel --url http://localhost:3000 run openclaw

Verify HTTPS Is Working

# Check SSL certificate
curl -vI https://your-domain.com 2>&1 | grep "SSL certificate"

# Test with SSL Labs
# Visit: https://www.ssllabs.com/ssltest/analyze.html?d=your-domain.com
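
A working certificate on the proxy does not protect traffic that reaches the plaintext upstream port directly. The following is an added example, not part of the original page: it parses `ss -H -ltn` output and reports any listener on port 3000 (the upstream port used in the proxy configs above) that is not bound to loopback. The function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. exposed_listeners is a
# hypothetical helper name; port 3000 is the upstream port used in the
# proxy configs above.
#
# Reads `ss -H -ltn` output on stdin and prints every local address
# listening on PORT that is not bound to loopback. Any line printed
# means the plaintext port may be reachable without going through the
# TLS proxy (subject to firewall rules, which this does not inspect).
exposed_listeners() {
    port="${1:-3000}"
    awk -v port="$port" '
        {
            local_addr = $4                      # "Local Address:Port" column
            n = split(local_addr, parts, ":")
            if (parts[n] != port) next           # different port
            addr = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # [::1] -> ::1
            sub(/%.*$/, "", addr)                # drop scope, e.g. 127.0.0.1%lo
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print local_addr
        }'
}

# Constructed sample input: upstream bound to loopback only.
SAMPLE_SAFE='LISTEN 0 511 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 [::]:443 [::]:*'

# Constructed sample input: upstream bound to all interfaces.
SAMPLE_EXPOSED='LISTEN 0 511 0.0.0.0:3000 0.0.0.0:*
LISTEN 0 511 [::]:3000 [::]:*
LISTEN 0 4096 *:443 *:*'

printf '%s\n' "$SAMPLE_SAFE" | exposed_listeners 3000      # prints nothing
printf '%s\n' "$SAMPLE_EXPOSED" | exposed_listeners 3000   # prints the two :3000 addresses

# On a live host:  ss -H -ltn | exposed_listeners 3000
```

If the check prints anything, bind the upstream service to 127.0.0.1 or block port 3000 at the firewall so that all clients go through the HTTPS proxy.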

Frequently Asked Questions

Why does OpenClaw need HTTPS?

Without HTTPS, all traffic between users and your OpenClaw instance is sent in plain text. This includes API keys, conversation data, and authentication tokens. Anyone on the network can intercept this data.

What is the easiest way to add HTTPS to OpenClaw?

Use Caddy as a reverse proxy — it automatically obtains and renews Let's Encrypt certificates. Just point your domain to the server and run: caddy reverse-proxy --from your-domain.com --to localhost:3000.

Can I use a self-signed certificate?

Self-signed certificates encrypt traffic but trigger browser warnings and break Telegram/WhatsApp webhook verification. Use Let's Encrypt for free, trusted certificates instead.
