Beginner
macOS / Linux / Windows (WSL2)
Estimated time: 15 min

New User Checklist: Secure Setup, Backups, and First Week Wins

A practical, opinionated checklist for new OpenClaw users: secure defaults, dashboard access, backups, updates, and the most common early gotchas.

Implementation Steps

Install via npm/pnpm and run `openclaw onboard --install-daemon` so the gateway stays running.

What this checklist is optimizing for

New users generally want three things:

  1. A working install (fast)
  2. A safe install (not an open relay / not public)
  3. A recoverable install (backups + upgrades without pain)

Official references:

1) Install + daemonize the gateway (recommended)

Runtime requirement: Node >= 22.

Global install:

npm install -g openclaw@latest
# or:
pnpm add -g openclaw@latest

Run onboarding (recommended path):

openclaw onboard --install-daemon

This installs a per-user supervised service (launchd on macOS, systemd user service on Linux/WSL2) so the gateway keeps running in the background.

If you are on Windows and have not decided between native Windows and WSL2 yet, read this first:

2) Dashboard access: avoid the “unauthorized” trap

The Control UI is served by the gateway (default http://127.0.0.1:18789/), but auth is enforced.

If you open the URL and see “unauthorized”:

openclaw dashboard

Use the tokenized link it prints (?token=...). The UI stores the token locally after first load.

3) Secure inbound messaging (do not run “open” by accident)

The most common beginner mistake is leaving a DM policy too permissive.

Recommended pattern:

  • DMs: pairing (approve new senders) or allowlist
  • Groups: require mentions by default (so the bot does not reply to everything)

Examples:

  • Telegram guide: /guides/telegram-setup
  • WhatsApp guide: /guides/whatsapp-setup
  • Not responding / blank output / rate limits: /guides/openclaw-no-response-and-rate-limit-troubleshooting
  • Cron & 24/7 automation: /guides/openclaw-cron-and-heartbeat-24x7
  • State/workspace/memory persistence: /guides/openclaw-state-workspace-and-memory
  • Security playbook (skills + prompt injection): /guides/openclaw-skill-safety-and-prompt-injection
  • Browser automation timeouts: /guides/openclaw-browser-automation-timeouts
  • Email reliability (Gmail/IMAP): /guides/openclaw-email-gmail-setup-and-reliability
  • Account/ToS risk mitigation: /guides/openclaw-account-ban-and-tos-risk
  • Operability/observability: /guides/openclaw-operability-and-observability

4) Back up the correct thing: the state directory

OpenClaw is stateful. Back up the full state directory:

  • Default: ~/.openclaw/

It includes:

  • config (openclaw.json)
  • credentials (OAuth tokens, channel creds)
  • sessions
  • workspace files

Simple backup:

tar -czf openclaw-state-backup.tgz ~/.openclaw

Security note: treat backups like secrets.

5) Updates: prefer the boring path

For global installs, update like this:

npm i -g openclaw@latest
openclaw doctor
openclaw gateway restart
openclaw health

If something breaks after an update:

  • do not “randomly reinstall” first
  • capture status + logs, then rollback or adjust config

6) The 3 commands that solve most early problems

Gateway supervisor + probe:

openclaw gateway status

Health snapshot:

openclaw health

Live logs:

openclaw logs --follow

7) First-week wins (high ROI)

  • Set a strict DM policy for every channel you enable.
  • Decide your remote access story early (SSH tunnel vs tailnet vs reverse proxy). Avoid public exposure of the Control UI: /guides/openclaw-remote-dashboard-access-playbook
  • Add a scheduled backup of ~/.openclaw/.
  • Keep a “rescue path”: you should be able to reinstall OpenClaw and restore state in under 15 minutes.

If you want a safe starting point (and fewer footguns), start from presets:

If you’re stuck on a vague symptom, use the triage card:

Verification & references

  • Reviewed by:CoClaw Editorial Team
  • Last reviewed:March 14, 2026
  • Verified on: macOS · Linux · Windows (WSL2)

References

  1. OpenClaw docs: /gatewayOfficial docs
  2. OpenClaw docs: /install/updatingOfficial docs
  3. OpenClaw docs: /web/dashboardOfficial docs

Related Resources

Telegram + OpenClaw: Setup, Group Controls, and Common Pitfalls
Guide
A practical guide to wiring OpenClaw to Telegram (Bot API) with safe defaults, plus the lessons that usually bite first-time users.
OpenClaw Installation Troubleshooting: Node/NPM, PATH, Windows (WSL2), and Docker
Guide
A layered checklist for the most common 'can't install' / 'command not found' / 'service won't start' failures. Covers Node version, global install permissions, PATH issues, WSL2 systemd, and Docker setup gotchas.
OpenClaw Cost and Guardrails Checklist: Prevent Runaway Runs Before They Happen
Guide
A practical operator checklist to control blast radius and token spend: start with a bounded tool profile, tighten DM policies, make runs leave evidence, and keep a kill switch. Designed for real life, not perfect autonomy.
Web chat: dragging an image opens it in a new tab (no upload)
Fix
Work around OpenClaw web chat drag-and-drop image uploads opening in a new tab by using paste/file picker and keeping images small until the UI fix lands.
Compaction deadlock: /new and /reset hang — emergency out-of-band session reset
Fix
If compaction timeouts deadlock the session lane and even `/new` / `/reset` hang, recover by stopping the gateway and resetting the stuck session from disk (backup first).

Need live assistance?

Ask in the community forum or Discord support channels.

Get Support