Skip to main content

Documentation Index

Fetch the complete documentation index at: https://claworc.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

First-time setup

On first run with an empty database, Claworc shows a Create admin account form before the login page. Enter a username and password to create the initial admin account. Alternatively, create the admin account from the CLI: 
# Docker Compose
docker compose exec claworc ./claworc --create-admin

# Kubernetes
kubectl exec -n claworc deploy/claworc -- ./claworc --create-admin

Roles

Claworc has two roles:

Admin

  • Full access to all instances
  • Create, edit, and delete users
  • Assign instances to users
  • Access the Settings page (global API keys, SSH keys, audit logs)
  • View and configure SSH source IP restrictions per instance

User

  • Read and write access to assigned instances only
  • Can create, list, download, and delete backups for assigned instances
  • Can manage backup schedules whose instances are all assigned to them
  • No access to the Settings page
  • Cannot view or manage other users
  • Cannot see instances not assigned to them
  • Cannot create new instances or restore from a backup unless the admin grants the Can create instances permission

Can create instances (per-user permission)

Admins can grant any user the Can create instances permission. A user with this flag can:
  • Create new OpenClaw instances from the dashboard. The new instance is automatically assigned to the user.
  • Restore an assigned instance from one of its backups.
The flag has no effect on admins (admins always can).

User management

Admins manage users from SettingsUsers:
ActionHow
Create userClick Add user, enter username and password, choose role and assigned instances, then save
Edit userClick the username in the table to open the edit dialog
Change roleOpen the user → change the Role dropdown. Selecting Admin automatically grants access to all instances
Toggle Can-create-instancesOpen the user → tick or untick Can create instances
Assign instancesOpen the user → pick instances from the list (disabled for admins, who always have access to all instances)
Reset passwordOpen the user → click Reset password
Delete userOpen the user → click Delete and confirm
Press Enter to save changes in the user dialog, or Escape to cancel.

Passkeys (WebAuthn)

Claworc supports passkeys for passwordless login using biometrics or hardware security keys.

Registering a passkey

  1. Log in with your username and password.
  2. Go to ProfileSecurity.
  3. Click Register passkey and follow your browser’s prompt.

Logging in with a passkey

On the login page, click Sign in with passkey instead of entering a password.

Production configuration

For passkeys to work, configure the Relying Party settings to match your domain: 
CLAWORC_RP_ORIGINS=https://claworc.example.com
CLAWORC_RP_ID=claworc.example.com
Passkey registration will fail if CLAWORC_RP_ID does not match the domain the user is accessing. Set this correctly before registering passkeys in production.

Sessions

Sessions use HTTP-only cookies and expire after 1 hour of inactivity. Sessions are stored in memory — restarting the Claworc process logs all users out.

Disabling authentication

For local development only, you can disable authentication entirely: 
CLAWORC_AUTH_DISABLED=true
Never disable authentication on a publicly accessible instance. All API endpoints and dashboard features become unauthenticated.

Password reset (CLI)

If the admin password is lost: 
# Docker Compose
docker compose exec claworc ./claworc --reset-password --username admin

# Kubernetes
kubectl exec -n claworc deploy/claworc -- ./claworc --reset-password --username admin