This template exposes your OpenClaw gateway to the public internet. Please read the OpenClaw security documentation before deploying to understand the risks and recommended configuration. If you only use chat channels (Telegram, Discord, Slack) and don't need the gateway dashboard, you can remove the public endpoint from Railway after setup.
- OpenClaw Gateway + Control UI (served at
/and/openclaw) - A friendly Setup Wizard at
/setup(protected by a password) - Optional Web Terminal at
/tuifor browser-based TUI access - Persistent state via Railway Volume (so config/credentials/memory survive redeploys)
- The container runs a wrapper web server.
- The wrapper protects
/setupwithSETUP_PASSWORD. - During setup, the wrapper runs
openclaw onboard --non-interactive ...inside the container, writes state to the volume, and then starts the gateway. - After setup,
/is OpenClaw. The wrapper reverse-proxies all traffic (including WebSockets) to the local gateway process.
- Open Telegram and message @BotFather
- Run
/newbotand follow the prompts - BotFather will give you a token that looks like:
123456789:AA... - Paste that token into
/setup
- Go to the Discord Developer Portal: https://discord.com/developers/applications
- New Application → pick a name
- Open the Bot tab → Add Bot
- Copy the Bot Token and paste it into
/setup - Invite the bot to your server (OAuth2 URL Generator → scopes:
bot,applications.commands; then choose permissions)
The template includes an optional web-based terminal that runs openclaw tui in your browser.
Set ENABLE_WEB_TUI=true in your Railway Variables. The terminal is disabled by default.
Once enabled, access it at /tui or via the "Open Terminal" button on the setup page.
The web TUI implements multiple security layers:
| Control | Description |
|---|---|
| Opt-in only | Disabled by default, requires explicit ENABLE_WEB_TUI=true |
| Password protected | Uses the same SETUP_PASSWORD as the setup wizard |
| Single session | Only 1 concurrent TUI session allowed at a time |
| Idle timeout | Auto-closes after 5 minutes of inactivity (configurable via TUI_IDLE_TIMEOUT_MS) |
| Max duration | Hard limit of 30 minutes per session (configurable via TUI_MAX_SESSION_MS) |
| Variable | Default | Description |
|---|---|---|
ENABLE_WEB_TUI |
false |
Set to true to enable |
TUI_IDLE_TIMEOUT_MS |
300000 (5 min) |
Closes session after inactivity |
TUI_MAX_SESSION_MS |
1800000 (30 min) |
Maximum session duration |
docker build -t openclaw-railway-template .
docker run --rm -p 8080:8080 \
-e PORT=8080 \
-e SETUP_PASSWORD=test \
-e ENABLE_WEB_TUI=true \
-e OPENCLAW_STATE_DIR=/data/.openclaw \
-e OPENCLAW_WORKSPACE_DIR=/data/workspace \
-v $(pwd)/.tmpdata:/data \
openclaw-railway-template
# Setup wizard: http://localhost:8080/setup (password: test)
# Web terminal: http://localhost:8080/tui (after setup)Q: How do I access the setup page?
A: Go to /setup on your deployed instance. When prompted for credentials, use the generated SETUP_PASSWORD from your Railway Variables as the password. The username field is ignored—you can leave it empty or enter anything.
Q: I see "gateway disconnected" or authentication errors in the Control UI. What should I do?
A: Go back to /setup and click the "Open OpenClaw UI" button from there. The setup page passes the required auth token to the UI. Accessing the UI directly without the token will cause connection errors.
Q: I don't see the TUI option on the setup page.
A: Make sure ENABLE_WEB_TUI=true is set in your Railway Variables and redeploy. The web terminal is disabled by default.
Q: How do I approve pairing for Telegram or Discord?
A: Go to /setup and use the "Approve Pairing" dialog to approve pending pairing requests from your chat channels.
Q: I see "pairing required" when opening the Control UI. How do I fix it?
A: New browsers/devices need a one-time approval from the gateway. Go to /setup, click "Manage Devices" in the Devices section, and click "Approve Latest Request". Refresh the Control UI and it should connect. Local connections (127.0.0.1) are auto-approved; remote connections (LAN, public URL) require explicit approval.
Q: How do I change the AI model after setup?
A: Use the OpenClaw CLI to switch models. Access the web terminal at /tui (if enabled) or SSH into your container and run:
openclaw models set provider/model-idFor example: openclaw models set anthropic/claude-sonnet-4-20250514 or openclaw models set openai/gpt-4-turbo. Use openclaw models list --all to see available models.
Q: How do I access configuration after the initial setup?
A: Visit /setup on your deployed instance at any time — it works both before and after setup. Once configured, the setup page shows your current status along with management tools: device approval, health checks (Run Doctor), data export, and a reset option. You'll need your SETUP_PASSWORD to access it.
Q: My config seems broken or I'm getting strange errors. How do I fix it?
A: Go to /setup and click the "Run Doctor" button. This runs openclaw doctor --repair which performs health checks on your gateway and channels, creates a backup of your config, and removes any unrecognized or corrupted configuration keys.
Need help? Request support on Railway Station