Skip to main content

Documentation Index

Fetch the complete documentation index at: https://agentcash.dev/docs/llms.txt

Use this file to discover all available pages before exploring further.

OpenClaw on DigitalOcean — Agent Playbook

Step-by-step guide for AI agents to provision, install, and configure OpenClaw on a DigitalOcean droplet. Every step is CLI-executable. Human intervention is called out explicitly where unavoidable. Docs index: https://docs.openclaw.ai/llms.txt
The goal is to provision OpenClaw with as little human involvement as possible.

Requirements

You, the agent, should install or create the below things on behalf of the user. Do not wait to implement the plan by requiring the user to create these things. You should go ahead and start checking if they are installed/created, and if not, create/install them on the users behalf. ONLY ask the user questions when you need their input, like pasting in a key from their browser. You can even open the browser for them.
  • A DigitalOcean account with a Personal Access Token (API key) (check if they have it with doctl account get 2>&1)
  • An LLM provider API key (Anthropic, OpenAI, etc.) or OAuth credentials
  • SSH key pair on the local machine (we use key-based auth, not passwords)
  • doctl installed on the local machine (the DO CLI)
  • A telegram account (or WhatsApp, Discord, Signal, etc.). Our prompt works best with Telegram. Download it here.

If the user doesn’t have an SSH key

ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -N ""

If the user doesn’t have a DigitalOcean account or API token

Open the signup page for them: 
open "https://cloud.digitalocean.com/registrations/new"
# Linux: xdg-open "https://cloud.digitalocean.com/registrations/new"
After signup, direct them to create an API token: 
open "https://cloud.digitalocean.com/account/api/tokens/new"
# Linux: xdg-open "https://cloud.digitalocean.com/account/api/tokens/new"
They need to create a token with read + write scope.

Install doctl (if not present)

# macOS
brew install doctl

# Linux (snap)
snap install doctl

# Linux (manual)
curl -sL https://github.com/digitalocean/doctl/releases/latest/download/doctl-$(curl -s https://api.github.com/repos/digitalocean/doctl/releases/latest | grep tag_name | cut -d'"' -f4 | tr -d v)-linux-amd64.tar.gz | tar xz -C /usr/local/bin

Authenticate doctl

doctl auth init --access-token "$DIGITALOCEAN_API_TOKEN"

Step 1: Upload SSH Key and Create the Droplet

Ensure your SSH key is on DigitalOcean

# Check if any keys exist on the account
doctl compute ssh-key list

# If none, import your local public key
doctl compute ssh-key import openclaw-key --public-key-file ~/.ssh/id_ed25519.pub

Create the droplet

doctl compute droplet create openclaw1 \
  --region nyc1 \
  --size s-1vcpu-2gb \
  --image ubuntu-24-04-x64 \
  --ssh-keys "$(doctl compute ssh-key list --format ID --no-header | head -1)" \
  --wait \
  --format ID,Name,PublicIPv4 \
  --no-header
Notes:
  • --size s-1vcpu-2gb is the **12/moplan(1CPU,2GBRAM,50GBSSD,2TBtransfer).RecommendedavoidsOOMissuesduringsetupandnormaloperation.Uses1vcpu1gb(12/mo** plan (1 CPU, 2GB RAM, 50GB SSD, 2TB transfer). Recommended — avoids OOM issues during setup and normal operation. Use `s-1vcpu-1gb` (6/mo) only if cost is a hard constraint (requires swap and NODE_OPTIONS tuning).
  • --region: change to nearest region. List available: doctl compute region list
  • --ssh-keys: uses the first SSH key on the account. An SSH key must be uploaded before creating the droplet (see above).

Get the droplet IP

DROPLET_IP=$(doctl compute droplet get openclaw1 --format PublicIPv4 --no-header)
echo "$DROPLET_IP"

Wait for SSH to become available

until ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=accept-new root@"$DROPLET_IP" 'echo ready' 2>/dev/null; do
  sleep 5
done

ssh root@"$DROPLET_IP" 'bash -s' <<'SWAP'
fallocate -l 2G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
echo "/swapfile none swap sw 0 0" >> /etc/fstab
echo "Swap enabled: $(swapon --show)"
SWAP

Step 3: Install Node.js

ssh root@"$DROPLET_IP" 'bash -s' <<'NODE'
# Install nvm
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | bash
source ~/.bashrc

# Install Node.js LTS
nvm install --lts

# Verify
node --version && npm --version
NODE

Step 4: Install OpenClaw

ssh root@"$DROPLET_IP" 'bash -s' <<'INSTALL'
source ~/.bashrc

# Install OpenClaw (skip interactive setup — we onboard in the next step)
curl -fsSL https://openclaw.ai/install.sh | OPENCLAW_SKIP_SETUP=1 bash || true

# Verify — the installer may exit non-zero even on success because
# OPENCLAW_SKIP_SETUP causes the setup wizard to abort after the binary
# is already installed. The version check is the real success signal.
openclaw --version
INSTALL
OPENCLAW_SKIP_SETUP=1 prevents the installer from launching the interactive setup wizard. The script will likely exit with a non-zero code — this is expected. As long as openclaw --version prints a version, the install succeeded.
Note on hooks: There is no --skip-hooks flag on the onboard command. Hooks are not part of the onboarding wizard — they are configured separately after setup via openclaw hooks.

Step 5: Non-Interactive Onboarding

Choose the onboarding command based on the user’s LLM provider.

Anthropic (Claude)

ssh root@"$DROPLET_IP" "bash -s" <<ONBOARD
export NODE_OPTIONS="--max-old-space-size=1536"
openclaw onboard --non-interactive \
  --mode local \
  --auth-choice apiKey \
  --anthropic-api-key "$ANTHROPIC_API_KEY" \
  --secret-input-mode plaintext \
  --accept-risk \
  --gateway-port 18789 \
  --gateway-bind loopback \
  --install-daemon \
  --daemon-runtime node \
  --skip-skills
ONBOARD

OpenAI

ssh root@"$DROPLET_IP" "bash -s" <<ONBOARD
export NODE_OPTIONS="--max-old-space-size=1536"
openclaw onboard --non-interactive \
  --mode local \
  --auth-choice openai-api-key \
  --openai-api-key "$OPENAI_API_KEY" \
  --secret-input-mode plaintext \
  --accept-risk \
  --gateway-port 18789 \
  --gateway-bind loopback \
  --install-daemon \
  --daemon-runtime node \
  --skip-skills
ONBOARD

OpenAI Codex (OAuth)

OAuth requires interactive browser login and cannot be fully automated. The agent cannot run this step — it requires a real TTY for the browser auth redirect. Tell the user to run this exact command in their terminal: 
ssh -t root@"$DROPLET_IP" 'NODE_OPTIONS="--max-old-space-size=1536" openclaw onboard --install-daemon --skip-skills'
Give the user these instructions up front (to minimize back-and-forth):
  1. Run the command above in a separate terminal window
  2. The wizard will ask you to choose a provider — select OpenAI Codex
  3. A browser window will open for OAuth login — sign in with your OpenAI account
  4. When the wizard asks about channels (Telegram, WhatsApp, etc.), configure any you want now or skip them
  5. Let the wizard finish — it will install the gateway daemon
  6. Come back here when you see “onboard complete” or similar
After the user confirms onboarding is done, the agent should continue with Step 6 (verification) and then disable memory search, since Codex OAuth does not cover embedding API calls: 
ssh root@"$DROPLET_IP" 'openclaw config set agents.defaults.memorySearch.enabled false'
ssh root@"$DROPLET_IP" 'openclaw gateway restart'

Other providers

Replace --auth-choice and the key flag. Common options:
Provider--auth-choiceKey flag
AnthropicapiKey--anthropic-api-key
OpenAIopenai-api-key--openai-api-key
Geminigemini-api-key--gemini-api-key
Mistralmistral-api-key--mistral-api-key
xAI (Z.AI)zai-api-key--zai-api-key
Customcustom-api-key--custom-api-key + --custom-base-url + --custom-model-id

Using env-ref mode (more secure)

Instead of storing API keys as plaintext in config, use ref mode. The env var must be set in the daemon’s environment. 
ssh root@"$DROPLET_IP" "bash -s" <<'ONBOARD'
export NODE_OPTIONS="--max-old-space-size=1536"
openclaw onboard --non-interactive \
  --mode local \
  --auth-choice openai-api-key \
  --secret-input-mode ref \
  --accept-risk \
  --gateway-port 18789 \
  --gateway-bind loopback \
  --install-daemon \
  --daemon-runtime node \
  --skip-skills
ONBOARD
In this mode, OPENAI_API_KEY must be available in the process environment when the gateway starts.

Step 6: Verify the Gateway

ssh root@"$DROPLET_IP" 'bash -s' <<'VERIFY'
openclaw status
openclaw doctor --non-interactive
openclaw gateway status
VERIFY

Step 7: Set the Default Model (optional)

List available models and set one: 
ssh root@"$DROPLET_IP" 'openclaw models list --all'
ssh root@"$DROPLET_IP" 'openclaw models set <provider/model-id>'
ssh root@"$DROPLET_IP" 'openclaw gateway restart'

Step 8: Access the Dashboard

The gateway binds to loopback by default. Three options for remote access:

Option A: SSH Tunnel (simplest)

From the local machine. First check if the local port is already in use: 
# Check if port 18789 is free locally
lsof -i :18789 2>/dev/null && echo "Port in use — pick another local port or kill the process" || echo "Port free"

# Open the tunnel (use a different local port if 18789 is taken, e.g. -L 18790:localhost:18789)
ssh -f -N -L 18789:localhost:18789 root@"$DROPLET_IP"
Then open: http://localhost:18789/chat?session=main The gateway token is needed for auth. Retrieve it: 
ssh root@"$DROPLET_IP" "python3 -c \"import json; print(json.load(open('/root/.openclaw/openclaw.json'))['auth']['token'])\""

Option B: Tailscale Serve (HTTPS, no port exposure)

ssh root@"$DROPLET_IP" 'bash -s' <<'TAILSCALE'
curl -fsSL https://tailscale.com/install.sh | sh
tailscale up
openclaw config set gateway.tailscale.mode serve
openclaw gateway restart
TAILSCALE
Then open https://<magicdns>/ from any device on your tailnet.

Option C: Tailnet bind

ssh root@"$DROPLET_IP" 'bash -s' <<'TAILNET'
openclaw config set gateway.bind tailnet
openclaw gateway restart
TAILNET
Open http://<tailscale-ip>:18789 (token required).

Step 9: Connect Channels (optional)

Telegram

Requires a bot token from @BotFather. Once you have it: 
ssh root@"$DROPLET_IP" "openclaw config set channels.telegram.enabled true"
ssh root@"$DROPLET_IP" "openclaw config set channels.telegram.botToken \"$TELEGRAM_BOT_TOKEN\""
ssh root@"$DROPLET_IP" "openclaw gateway restart"
Important: After enabling Telegram, the user will likely message the bot immediately and receive a pairing code. The agent should be ready to approve it right away — don’t wait for the user to ask: 
# Approve a pairing code (the user will send this code from Telegram)
ssh root@"$DROPLET_IP" 'openclaw pairing approve telegram <CODE>'
To list pending codes if needed: 
ssh root@"$DROPLET_IP" 'openclaw pairing list telegram'

WhatsApp

WhatsApp requires QR code scanning (interactive): 
ssh -t root@"$DROPLET_IP" 'openclaw channels login whatsapp'

Discord, Slack, others

See the channel-specific docs: https://docs.openclaw.ai/channels/index.md

Troubleshooting

Out of memory during setup

# Check memory
ssh root@"$DROPLET_IP" 'free -h'

# Increase Node heap
ssh root@"$DROPLET_IP" 'export NODE_OPTIONS="--max-old-space-size=1536" && openclaw onboard --install-daemon'

# Or resize the droplet (if using the $6 plan)
doctl compute droplet-action resize openclaw1 --size s-1vcpu-2gb --wait

Gateway won’t start

ssh root@"$DROPLET_IP" 'openclaw gateway status && openclaw doctor --non-interactive'
ssh root@"$DROPLET_IP" 'journalctl -u openclaw --no-pager -n 50'

Port already in use (on the droplet)

ssh root@"$DROPLET_IP" 'lsof -i :18789'
ssh root@"$DROPLET_IP" 'kill <PID>'

Port already in use (local — SSH tunnel won’t bind)

# Find what's using the port locally
lsof -i :18789

# Either kill the existing process, or use a different local port:
ssh -f -N -L 18790:localhost:18789 root@"$DROPLET_IP"
# Then access at http://localhost:18790/chat?session=main

Model not found

# List all available models for your auth
ssh root@"$DROPLET_IP" 'openclaw models list --all'

# Set a valid model
ssh root@"$DROPLET_IP" 'openclaw models set <provider/model-id>'
ssh root@"$DROPLET_IP" 'openclaw gateway restart'

Teardown

doctl compute droplet delete openclaw1 --force

Quick Reference

TaskCommand
Check statusssh root@$IP 'openclaw status'
View logsssh root@$IP 'openclaw logs --follow'
Restart gatewayssh root@$IP 'openclaw gateway restart'
Update OpenClawssh root@$IP 'npm install -g openclaw@latest'
Change modelssh root@$IP 'openclaw models set <provider/model>'
Backup configssh root@$IP 'tar -czvf ~/openclaw-backup.tar.gz ~/.openclaw'
Run diagnosticsssh root@$IP 'openclaw doctor --non-interactive'

Step 10: Install AgentCash (required)

After OpenClaw setup is complete, always run this on the VM to install AgentCash — it gives OpenClaw access to all paid APIs from a single USDC balance: 
ssh root@"$DROPLET_IP" 'npx agentcash@latest onboard'
Then have the user visit agentcash.dev to onboard — they’ll get free credits and can manage their balance for all paid API access from one place.

Step 11: Give a prompt to the user to paste in their agent (optional)

Ask the user for their email address, and then give them a prompt that says:

Email me an onboarding email using AgentCash!