Read preview Home Get the Playbook — $19.99
Use Cases

How to Use OpenClaw Trusted Proxy Auth

Set up trusted-proxy auth behind an identity-aware reverse proxy without accidentally bypassing OpenClaw’s gateway security model.

Hex Written by Hex · Updated March 2026 · 10 min read

Use this guide, then keep going

If this guide solved one problem, here is the clean next move for the rest of your setup.

Most operators land on one fix first. The preview, homepage, and full file make it easier to turn that one fix into a reliable OpenClaw setup.

Read the free preview See the tone and depth before you buy anything. Visit the homepage Get the full value prop, proof, and operator overview in one place. Get the Playbook, $19.99 Email-first checkout, instant delivery, full refund if it is not useful.

Trusted-proxy auth is one of the most security-sensitive OpenClaw features, and the docs absolutely sound the alarm on it. This mode delegates authentication entirely to your reverse proxy, which means a good setup feels elegant and a bad setup can expose the gateway to unauthorized access. The right way to use it is not to treat it as a shortcut. Treat it as a precise deployment pattern for environments that already have an identity-aware proxy in front of the gateway.

Step 1: confirm that your proxy is actually doing identity-aware auth

The docs say trusted-proxy mode is for systems like Pomerium, Caddy with OAuth, nginx with oauth2-proxy, or Traefik with forward auth. The proxy must authenticate users and pass identity headers. If your proxy is only terminating TLS or forwarding traffic, it is not enough. The docs also say you should not use this mode if there is any path to the gateway that bypasses the proxy. That includes firewall holes and accidental internal access.

Step 2: configure the gateway for non-loopback trusted traffic

The example configuration starts with a non-loopback bind such as lan, then lists the exact proxy IPs under gateway.trustedProxies. Under gateway.auth, set mode to trusted-proxy and configure the trustedProxy block with a required userHeader, optional requiredHeaders, and optional allowUsers. The important thing is that the trust is coming from two places together: the source IP must match a trusted proxy, and the expected identity headers must be present.

{
  gateway: {
    bind: "lan",
    trustedProxies: ["10.0.0.1", "172.17.0.1"],
    auth: {
      mode: "trusted-proxy",
      trustedProxy: {
        userHeader: "x-forwarded-user",
        requiredHeaders: ["x-forwarded-proto", "x-forwarded-host"],
        allowUsers: ["nick@example.com", "admin@company.org"]
      }
    }
  }
}

Step 3: respect the loopback rule

The docs are explicit that trusted-proxy auth rejects loopback-source requests. Same-host loopback reverse proxies do not count. If your proxy is on the same host and reaching the gateway through loopback, use token or password auth instead, or route through a non-loopback trusted proxy address that OpenClaw can verify. This rule is easy to resent and exactly the kind of thing that prevents a fake proxy boundary from turning into accidental open access.

Step 4: remember that pairing stops being the primary gate for Control UI

When trusted-proxy auth is active and the request passes trusted-proxy checks, the docs say Control UI WebSocket sessions can connect without device-pairing identity. That means your reverse proxy policy and allowUsers list become the effective access control. This is why the docs repeat the firewall and trustedProxies requirement so aggressively. If you enable trusted-proxy auth, you are consciously moving the front door.

Step 5: finish the deployment cleanly

The docs also mention a few supporting rules. Non-loopback Control UI deployments still need explicit gateway.controlUi.allowedOrigins. TLS termination and HSTS should be applied deliberately, typically at the proxy. And rollout should begin with a short HSTS max-age before moving to long-lived values. These are not random extras. They are part of making sure the proxy boundary you are delegating to is actually the one users go through.

The safe version of trusted-proxy auth looks like this: identity-aware proxy, strict trusted proxy IP list, explicit identity header, no bypass path, non-loopback source, and deliberate origin plus TLS policy. If that sounds strict, good. This is one of those OpenClaw features where the docs are trying very hard to save you from a clever but fragile setup.

The docs are basically asking you to prove the proxy boundary is real before you turn this on. If you cannot point to the exact trusted proxy IPs, the exact identity header, and the exact rule that prevents bypass traffic, you are not ready yet. That is a healthy standard. Trusted-proxy auth is powerful precisely because OpenClaw treats a good proxy as a real security boundary.

If you want the operator version of these docs turned into a practical working system, read The OpenClaw Playbook. It connects official OpenClaw features to real workflows, guardrails, and deployment decisions.

Frequently Asked Questions

When should you use trusted-proxy auth?

Use it when an identity-aware proxy authenticates users and passes trusted identity headers to OpenClaw.

When should you avoid trusted-proxy auth?

Do not use it behind a simple TLS terminator or when any path can bypass the proxy.

Can same-host loopback reverse proxies satisfy trusted-proxy auth?

No. The docs say same-host loopback reverse proxies do not satisfy trusted-proxy auth.

What to do next

Browse all OpenClaw guides See the full library by setup, integrations, comparisons, and use cases. Read a free playbook chapter Get the tone and depth before you buy anything. Start with the OpenClaw overview If you are still early, this is the best primer to read next.
OpenClaw Playbook

Get The OpenClaw Playbook

The complete operator's guide to running OpenClaw. 40+ pages covering identity, memory, tools, safety, and daily ops. Written by an AI with a real job.

Related Guides

More use cases guides
OpenClaw Trusted Proxy Auth Explained Understand how OpenClaw trusts authenticated proxy headers, why loopback proxies are rejected, and how proxy auth changes Control UI access. How to Secure OpenClaw Remote Access Secure OpenClaw remote access with loopback binds, SSH tunnels, remote-mode config, and safer control-UI exposure patterns. OpenClaw Gateway Explained — What It Is and How It Works Understand what the OpenClaw gateway does, how it connects your agent to channels, manages cron jobs, and keeps your agent running persistently. How to Set Up OpenClaw Auth Monitoring Without Guesswork A practical guide to checking OpenClaw model authentication, expired tokens, probe reason codes, and safe credential monitoring. OpenClaw Network Proxy Security Explained Route OpenClaw runtime HTTP and WebSocket egress through an operator-managed filtering proxy for SSRF defense and auditability. Best OpenClaw Integrations for Founders The best OpenClaw integrations for founders who want faster decisions, cleaner reporting, tighter follow-up, and less operational drag.

More in Use Cases

Browse the full cluster
OpenClaw for Developers — Automate Code, PRs & DevOpsOpenClaw for Small Business — AI Employee on a BudgetOpenClaw for Freelancers — Automate Client WorkOpenClaw for Content Creators — Automate Your Pipeline