openclaw/docs/web/index.md

---
summary: "Gateway web surfaces: Control UI, bind modes, and security"
read_when:
  - You want to access the Gateway over Tailscale
  - You want the browser Control UI and config editing
---
# Web (Gateway)

The Gateway serves a small **browser Control UI** (Vite + Lit) from the same port as the Gateway WebSocket:

- default: `http://<host>:18789/`
- optional prefix: set `gateway.controlUi.basePath` (e.g. `/clawdbot`)

Capabilities live in [Control UI](/web/control-ui).
This page focuses on bind modes, security, and web-facing surfaces.

## Webhooks

When `hooks.enabled=true`, the Gateway also exposes a small webhook endpoint on the same HTTP server.
See [Gateway configuration](/gateway/configuration) → `hooks` for auth + payloads.

## Config (default-on)

The Control UI is **enabled by default** when assets are present (`dist/control-ui`).
You can control it via config:

```json5
{
  gateway: {
    controlUi: { enabled: true, basePath: "/clawdbot" } // basePath optional
  }
}
```

## Tailscale access

### Integrated Serve (recommended)

Keep the Gateway on loopback and let Tailscale Serve proxy it:

```json5
{
  gateway: {
    bind: "loopback",
    tailscale: { mode: "serve" }
  }
}
```

Then start the gateway:

```bash
clawdbot gateway
```

Open:
- `https://<magicdns>/` (or your configured `gateway.controlUi.basePath`)

### Tailnet bind + token

```json5
{
  gateway: {
    bind: "tailnet",
    controlUi: { enabled: true },
    auth: { mode: "token", token: "your-token" }
  }
}
```

Then start the gateway (token required for non-loopback binds):

```bash
clawdbot gateway
```

Open:
- `http://<tailscale-ip>:18789/` (or your configured `gateway.controlUi.basePath`)

### Public internet (Funnel)

```json5
{
  gateway: {
    bind: "loopback",
    tailscale: { mode: "funnel" },
    auth: { mode: "password" } // or CLAWDBOT_GATEWAY_PASSWORD
  }
}
```

## Security notes

- Binding the Gateway to a non-loopback address **requires** auth (`gateway.auth` or `CLAWDBOT_GATEWAY_TOKEN`).
- The wizard generates a gateway token by default (even on loopback).
- The UI sends `connect.params.auth.token` or `connect.params.auth.password`.
- Use `gateway.auth.allowTailscale: false` to require explicit credentials even in Serve mode.
- `gateway.tailscale.mode: "funnel"` requires `gateway.auth.mode: "password"` (shared password).

## Building the UI

The Gateway serves static files from `dist/control-ui`. Build them with:

```bash
pnpm ui:build # auto-installs UI deps on first run
```
Gateway: add browser control UI 2025-12-18 22:40:46 +00:00			`---`
			`summary: "Gateway web surfaces: Control UI, bind modes, and security"`
			`read_when:`
			`- You want to access the Gateway over Tailscale`
			`- You want the browser Control UI and config editing`
			`---`
			`# Web (Gateway)`

			`The Gateway serves a small browser Control UI (Vite + Lit) from the same port as the Gateway WebSocket:`

feat: configurable control ui base path 2026-01-03 17:54:52 +01:00			- default: `http://<host>:18789/`
chore: rename project to clawdbot 2026-01-04 14:32:47 +00:00			- optional prefix: set `gateway.controlUi.basePath` (e.g. `/clawdbot`)
Gateway: add browser control UI 2025-12-18 22:40:46 +00:00
Docs: fix internal links 2026-01-10 14:51:21 -06:00			`Capabilities live in [Control UI](/web/control-ui).`
docs: reorganize documentation structure 2026-01-07 00:41:31 +01:00			`This page focuses on bind modes, security, and web-facing surfaces.`
Gateway: add browser control UI 2025-12-18 22:40:46 +00:00
feat: add gateway webhooks 2025-12-24 14:32:55 +00:00			`## Webhooks`

docs: document multi-agent mode 2026-01-06 18:25:52 +00:00			When `hooks.enabled=true`, the Gateway also exposes a small webhook endpoint on the same HTTP server.
Docs: fix internal links 2026-01-10 14:51:21 -06:00			See [Gateway configuration](/gateway/configuration) → `hooks` for auth + payloads.
feat: add gateway webhooks 2025-12-24 14:32:55 +00:00
Gateway: add browser control UI 2025-12-18 22:40:46 +00:00			`## Config (default-on)`

			The Control UI is enabled by default when assets are present (`dist/control-ui`).
			`You can control it via config:`

			```json5
			`{`
			`gateway: {`
chore: rename project to clawdbot 2026-01-04 14:32:47 +00:00			`controlUi: { enabled: true, basePath: "/clawdbot" } // basePath optional`
Gateway: add browser control UI 2025-12-18 22:40:46 +00:00			`}`
			`}`
			```

feat(ui): expand control dashboard 2025-12-21 00:34:39 +00:00			`## Tailscale access`
Gateway: add browser control UI 2025-12-18 22:40:46 +00:00
feat(ui): expand control dashboard 2025-12-21 00:34:39 +00:00			`### Integrated Serve (recommended)`
Gateway: add browser control UI 2025-12-18 22:40:46 +00:00
feat(ui): expand control dashboard 2025-12-21 00:34:39 +00:00			`Keep the Gateway on loopback and let Tailscale Serve proxy it:`

			```json5
			`{`
			`gateway: {`
			`bind: "loopback",`
			`tailscale: { mode: "serve" }`
			`}`
			`}`
			```

			`Then start the gateway:`

			```bash
chore: rename project to clawdbot 2026-01-04 14:32:47 +00:00			`clawdbot gateway`
feat(ui): expand control dashboard 2025-12-21 00:34:39 +00:00			```

			`Open:`
feat: configurable control ui base path 2026-01-03 17:54:52 +01:00			- `https://<magicdns>/` (or your configured `gateway.controlUi.basePath`)
feat(ui): expand control dashboard 2025-12-21 00:34:39 +00:00
fix: update gateway auth docs and clients 2026-01-11 01:51:07 +01:00			`### Tailnet bind + token`
Gateway: add browser control UI 2025-12-18 22:40:46 +00:00
			```json5
			`{`
			`gateway: {`
			`bind: "tailnet",`
fix: update gateway auth docs and clients 2026-01-11 01:51:07 +01:00			`controlUi: { enabled: true },`
			`auth: { mode: "token", token: "your-token" }`
Gateway: add browser control UI 2025-12-18 22:40:46 +00:00			`}`
			`}`
			```

			`Then start the gateway (token required for non-loopback binds):`

			```bash
chore: rename project to clawdbot 2026-01-04 14:32:47 +00:00			`clawdbot gateway`
Gateway: add browser control UI 2025-12-18 22:40:46 +00:00			```

			`Open:`
feat: configurable control ui base path 2026-01-03 17:54:52 +01:00			- `http://<tailscale-ip>:18789/` (or your configured `gateway.controlUi.basePath`)
Gateway: add browser control UI 2025-12-18 22:40:46 +00:00
feat(ui): expand control dashboard 2025-12-21 00:34:39 +00:00			`### Public internet (Funnel)`
Gateway: add browser control UI 2025-12-18 22:40:46 +00:00
feat(ui): expand control dashboard 2025-12-21 00:34:39 +00:00			```json5
			`{`
			`gateway: {`
			`bind: "loopback",`
			`tailscale: { mode: "funnel" },`
chore: rename project to clawdbot 2026-01-04 14:32:47 +00:00			`auth: { mode: "password" } // or CLAWDBOT_GATEWAY_PASSWORD`
feat(ui): expand control dashboard 2025-12-21 00:34:39 +00:00			`}`
			`}`
Gateway: add browser control UI 2025-12-18 22:40:46 +00:00			```

			`## Security notes`

fix: update gateway auth docs and clients 2026-01-11 01:51:07 +01:00			- Binding the Gateway to a non-loopback address requires auth (`gateway.auth` or `CLAWDBOT_GATEWAY_TOKEN`).
			`- The wizard generates a gateway token by default (even on loopback).`
feat(ui): expand control dashboard 2025-12-21 00:34:39 +00:00			- The UI sends `connect.params.auth.token` or `connect.params.auth.password`.
			- Use `gateway.auth.allowTailscale: false` to require explicit credentials even in Serve mode.
refactor: drop PAM auth and require password for funnel 2025-12-23 13:13:09 +00:00			- `gateway.tailscale.mode: "funnel"` requires `gateway.auth.mode: "password"` (shared password).
Gateway: add browser control UI 2025-12-18 22:40:46 +00:00
			`## Building the UI`

			The Gateway serves static files from `dist/control-ui`. Build them with:

			```bash
fix: drop explicit ui:install step 2026-01-09 07:02:42 +00:00			`pnpm ui:build # auto-installs UI deps on first run`
Gateway: add browser control UI 2025-12-18 22:40:46 +00:00			```