Skip to content

Run OpenClaw in a Secure Daytona Sandbox

View as Markdown

This guide walks you through setting up OpenClaw inside a Daytona sandbox and configuring Telegram and WhatsApp channels.

Running OpenClaw in a Daytona sandbox keeps your AI assistant isolated from your local machine, provides a secure environment for code execution, and ensures your bot stays online 24/7 without tying up your personal computer.

Prerequisites

  • Daytona account and API key (Get it from Daytona Dashboard)
  • Local terminal (macOS, Linux, or Windows)

Install the Daytona CLI

Terminal window
brew install daytonaio/cli/daytona

Authenticate with Daytona

Log in to your Daytona account using your API key:

Terminal window
daytona login --api-key=YOUR_API_KEY

Replace YOUR_API_KEY with your actual Daytona API key.

Create a Sandbox

Create a sandbox for running OpenClaw:

Terminal window
daytona sandbox create --name openclaw --snapshot daytona-medium --auto-stop 0

OpenClaw comes preinstalled in the default Daytona snapshot, so the command above is all you need.

Connect to the Sandbox

SSH into your sandbox:

Terminal window
daytona ssh openclaw

Run OpenClaw Onboarding

Start the onboarding process:

Terminal window
openclaw onboard

Follow the prompts:

  1. Security acknowledgment: Accept to continue
  2. Onboarding mode: Select Quickstart
  3. Model/auth provider: Select Anthropic
  4. Anthropic auth method: Select Anthropic API key
  5. Enter Anthropic API key: Paste your API key
  6. Default model: Keep current (default: anthropic/claude-opus-4-5)
  7. Select channel: Choose Skip for now (we’ll configure channels later)
  8. Configure skills: Select No (configure later based on your needs)
  9. Enable hooks: Select Skip for now (configure later based on your needs)
  10. Gateway service: Select Skip (already installed)

When onboarding finishes, the output will display a Dashboard ready section with a dashboard link. Your gateway token is the value after ?token= in the URL. Save this token - you’ll need it to connect to the dashboard.

Also, OpenClaw will ask you to Install shell completion script? - choose whatever you prefer, this is optional and doesn’t affect functionality.

Start the Gateway

Run the gateway in the background:

Terminal window
nohup openclaw gateway run > /tmp/gateway.log 2>&1 &

The & runs the gateway as a background process, keeping your terminal free for other commands. The nohup ensures the gateway keeps running even after you close the SSH connection.

Access the Dashboard

The OpenClaw dashboard is a web interface for managing your assistant, monitoring connections, and configuring channels. To access it, you need a preview URL that exposes the gateway port running inside your sandbox.

In your local terminal (not inside the sandbox SSH session), generate the preview URL:

Terminal window
daytona preview-url openclaw --port 18789

This command generates a signed preview URL that securely exposes the port.

Open the URL in your browser, go to the Overview section, paste your gateway token in the Gateway Token field, and click Connect.

Pair Your Browser

OpenClaw uses device pairing as a security measure - only approved devices can connect to and control your assistant. When you first attempt to connect from the dashboard, your browser registers as a new device that needs approval.

List pending device requests:

Terminal window
openclaw devices list

Approve your device:

Terminal window
openclaw devices approve REQUEST_ID

Replace REQUEST_ID with the value from the Request column.

Click Connect again in the dashboard.

Once connected, you should see a green status indicator - your OpenClaw is now ready to use.

Security

Running OpenClaw this way provides three layers of security:

  1. Preview URL: Time-limited access to the dashboard port
  2. Gateway token: Required to authenticate with the dashboard
  3. Device approval: Only approved devices can connect and control your assistant

Even if someone obtains your dashboard URL, they cannot connect without the gateway token and an approved device.


Configure Telegram

Set up a Telegram bot to chat with OpenClaw.

Create a Telegram Bot

  1. Open Telegram and search for @BotFather
  2. Send /start, then /newbot
  3. Enter a name for your bot
  4. Enter a username for your bot
  5. Copy the bot token provided

Configure OpenClaw

Enable Telegram and set your bot token:

Terminal window
openclaw config set channels.telegram.enabled true
openclaw config set channels.telegram.botToken YOUR_BOT_TOKEN

Verify the configuration:

Terminal window
openclaw config get channels.telegram

Restart the Gateway

Terminal window
openclaw gateway stop
nohup openclaw gateway run > /tmp/gateway.log 2>&1 &

Complete Verification

  1. Open your bot’s chat in Telegram and click Start
  2. A pairing code will appear. Approve the pairing request:
Terminal window
openclaw pairing approve telegram PAIRING_CODE

You can now message your OpenClaw through Telegram.


Configure WhatsApp

Set up WhatsApp to chat with OpenClaw.

Run Configuration

Terminal window
openclaw config --section channels

When prompted:

  1. Select Local (this machine) for gateway location
  2. Choose Configure/link
  3. Select WhatsApp (QR link)
  4. Select Yes for “Link WhatsApp now (QR)?”

Scan the QR Code

Open WhatsApp on your phone, go to Settings → Linked Devices → Link a Device, and scan the QR code displayed in your terminal.

Once paired, you’ll see:

✅ Linked after restart; web session ready.

Set Up Your Phone Number

Select This is my personal phone number (or choose the other option if you have a separate phone for OpenClaw) and enter your phone number when prompted.

Finish Configuration

When prompted to select another channel, choose Finished. You’ll see:

└ Configure complete.

Start Chatting

Send a message to yourself in WhatsApp - OpenClaw will respond. You can give it instructions and information on how to behave directly in the chat.