Provision two DigitalOcean droplets, install Agent Vault on one and OpenClaw on the other, and broker every outbound call through Agent Vault. Plan for 45–60 minutes and ~$12/month. By the end, you’ll have:
  1. Agent Vault running on one droplet, holding real Anthropic, GitHub, Notion, and Slack credentials encrypted at rest behind a master password.
  2. An OpenClaw gateway running on a second droplet, reachable via a Slack bot, with every outbound API call brokered through Agent Vault and revocable from the UI in one click.
Companion video for this guide: a full end-to-end walkthrough from two empty droplets to a brokered, Slack-reachable OpenClaw gateway. Watch below or open on YouTube.

Prerequisites

  • A DigitalOcean account.
  • API keys for the services you want OpenClaw to call. This guide uses Anthropic, GitHub, Notion, and Slack.
  • A Slack workspace where you can install a custom app.
This guide installs Agent Vault as a native binary via the install script, the path documented in Self-hosting locally. For containers, see Docker self-hosting.

Architecture

+-----------------------------------------------------------------+
| Public internet                                                 |
|                                                                 |
|   api.anthropic.com   api.github.com                            |
|   api.notion.com      slack.com                                 |
|          ^                   ^                                  |
+----------+-------------------+----------------------------------+
           |                   |
           +-------------------+
                               | outbound HTTPS, Agent Vault
                               | injects real credentials here
+------------------------------+----------------------------------+
| Private VPC (10.108.0.0/20, region-scoped)                      |
|                              |                                  |
|  +---------------------------+----+     +--------------------+  |
|  | av-broker  10.108.0.3          |     | openclaw-box       |  |
|  | Agent Vault server             |<----| 10.108.0.2         |  |
|  | :14321  control UI / API       |     | OpenClaw gateway   |  |
|  | :14322  MITM proxy             |     | (placeholders)     |  |
|  | (real credentials, encrypted)  |     |                    |  |
|  +----------------^---------------+     +--------------------+  |
|                   |                                             |
+-------------------+---------------------------------------------+
                    | SSH + tunnel for AV UI from laptop
                    |
                Operator
Only av-broker holds real credentials, encrypted at rest behind your master password. openclaw-box holds placeholder strings (__anthropic_api_key__, etc.) and one revocable agent token.

1. Provision the VPS boxes

Step 1: Generate an SSH key on your laptop

ssh-keygen -t ed25519 -f ~/.ssh/digital-ocean-1 -C "digital-ocean-1"
Every ssh command in this guide uses -i ~/.ssh/digital-ocean-1 to pin to this key.
Step 2: Upload the public key to DigitalOcean

In the DigitalOcean console: Settings → Security → SSH Keys → Add SSH Key. Paste the contents of ~/.ssh/digital-ocean-1.pub, name it (e.g. digital-ocean-1), and save.
Step 3: Create the VPC

Networking → VPC → Create VPC Network. Pick any region. Both droplets must use the same region. Default IP range is fine.
Step 4: Create av-broker

Create → Droplets. Set:
  • Region: same region as the VPC
  • OS: Ubuntu 24.04 (LTS)
  • Droplet type: Basic, Regular ($6/mo, 1GB / 1vCPU is plenty for Agent Vault)
  • VPC Network: the VPC you just created
  • Authentication: SSH Key, tick digital-ocean-1
  • Hostname: av-broker
Click Create Droplet.
Step 5: Create openclaw-box

Repeat the previous step with one change:
  • Hostname: openclaw-box
Same region, VPC, and SSH key.
Step 6: Note the private IPs

Click each droplet, then Networking. Note the private IPv4 each got from the VPC range. The rest of this guide assumes:
  • av-broker is 10.108.0.3
  • openclaw-box is 10.108.0.2
Substitute yours into every later command.
Step 7: Verify private connectivity

From your laptop:
ssh -i ~/.ssh/digital-ocean-1 root@<av-broker-public-ip>
ping -c 3 10.108.0.2
Three replies confirm the VPC is live. Type exit to disconnect.

2. Restrict SSH and broker ports with a cloud firewall

Step 1: Find your laptop's public IPv4

curl -4 ifconfig.me; echo
Step 2: Create and attach the firewall

Networking → Firewalls → Create Firewall, name it openclaw-lab. Add three inbound rules:
  • TCP 22, source: your laptop’s public IPv4
  • TCP 14321, source: openclaw-box private IP (10.108.0.2)
  • TCP 14322, source: openclaw-box private IP (10.108.0.2)
Leave outbound rules empty (DigitalOcean allows all outbound by default). Scroll to Apply to Droplets and tick both av-broker and openclaw-box.
If your laptop’s public IP changes (cafe networks, VPNs), update the firewall rule’s source IP for port 22.

3. Install Agent Vault on av-broker

Step 1: SSH into av-broker

From your laptop:
ssh -i ~/.ssh/digital-ocean-1 root@<av-broker-public-ip>
Every command in this section runs on av-broker until you exit.
Step 2: Install Agent Vault

curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL https://get.agent-vault.dev | sh
The script detects your architecture, verifies the signed release, and drops the binary at /usr/local/bin/agent-vault.
Step 3: Install tmux

apt update && apt install -y tmux
You’ll run Agent Vault inside a tmux session so it survives your SSH disconnect.
Step 4: Launch the server inside tmux

tmux new -s av
agent-vault server --host 10.108.0.3 --port 14321 --mitm-port 14322
--host 10.108.0.3 binds both listeners to the private NIC, keeping Agent Vault unreachable from the public internet.
First-run prompts: master password, admin email, admin password.
Detach with Ctrl-B then D. You’ll see [detached from session av] and drop back to your normal shell. The server keeps running inside the tmux session.
Step 5: Verify the server

curl -sI http://10.108.0.3:14321/health
Expect HTTP/1.1 200 OK.
On reboot, tmux dies and so does the server. SSH back in, tmux new -s av, restart with the same command, re-enter the master password. For zero-touch restart, set AGENT_VAULT_MASTER_PASSWORD, but note the password then lives in an env file.

4. Configure the vault

Step 1: Open an SSH tunnel

In a new terminal on your laptop (don’t reuse the one you used to install Agent Vault):
ssh -i ~/.ssh/digital-ocean-1 -L 14321:10.108.0.3:14321 root@<av-broker-public-ip> -N
The terminal hangs silently. That’s correct. Leave it running for the rest of the guide; closing it stops the tunnel and the AV UI goes dark.
Open http://localhost:14321 in your laptop’s browser and sign in with the admin email and password you set during install.
Step 2: Understand vaults, credentials, and services

You’ll create one of each. Briefly:
  • A vault is a named isolation boundary. We’ll create prod.
  • A credential is one secret value stored under a name (e.g. ANTHROPIC_API_KEY = sk-ant-...). Encrypted at rest.
  • A service is the wiring for one upstream host: host pattern + auth mode + substitution rules that reference credentials by name.
Credentials store values. Services define wiring. At request time, Agent Vault matches the service by host, looks up the named credential, and rewrites the wire bytes before forwarding.
Step 3: Create the prod vault

Vaults → New vault → prod → Create.
Step 4: Add credentials

In the prod vault, Credentials tab → Add credential. Add real tokens for Anthropic, GitHub, and Notion now; the two Slack tokens are placeholders you’ll fill in the next section.
  • ANTHROPIC_API_KEY: Anthropic API key (sk-ant-...)
  • GITHUB_TOKEN: GitHub PAT with repo scope (ghp_...)
  • NOTION_TOKEN: Notion internal integration token (ntn_...)
  • SLACK_BOT_TOKEN: placeholder; you create the Slack app in the next section
  • SLACK_APP_TOKEN: placeholder; you create the Slack app in the next section
Step 5: Add services

Services tab → + Add service. For each row below: fill Name and Host, set Authentication to the value in the Auth column. For Bearer rows, fill the Token (credential key) field with the credential name (e.g. GITHUB_TOKEN) and skip the substitutions section. For Passthrough rows, scroll to URL Substitutions, click + Add substitution, paste the placeholder, tick the surface boxes listed, select the credential. Save.
  • anthropic: host api.anthropic.com, auth Passthrough, substitution __anthropic_api_key__ → ANTHROPIC_API_KEY, surface: header
  • github: host api.github.com, auth Bearer, token key GITHUB_TOKEN, no substitution
  • notion: host api.notion.com, auth Bearer, token key NOTION_TOKEN, no substitution
  • slack: host slack.com/*, auth Passthrough, substitution __slack_bot_token__ → SLACK_BOT_TOKEN, surface: header, body
The slack service carries a second substitution on the same service for the app token. After saving the first rule, click + Add substitution again on the same service:
  • placeholder __slack_app_token__ → SLACK_APP_TOKEN, surface: header, body
Two auth modes appear above (Bearer for github/notion, Passthrough + substitution for anthropic/slack); see Services for how each one works and when to pick it.
Slack ticks both header and body surfaces because @slack/web-api puts the bot token in the request body on its method-arg shape (client.auth.test({token})). Without body ticked, Bolt’s auth.test validation fails at boot and the bot silently stops responding to mentions.
For passthrough+substitution services, placeholder strings are exact-match. If Anthropic or Slack returns 401, check the failing request’s Credential keys field in the AV UI’s Logs tab; an empty value means the substitution didn’t fire (typo in the placeholder is the usual cause). Bearer services don’t have this concern: Agent Vault rewrites the Authorization header regardless of what the client sent.

5. Install OpenClaw on openclaw-box

Step 1: SSH into openclaw-box and install the Agent Vault CLI

In a fresh terminal on your laptop (leave the SSH tunnel to av-broker running):
ssh -i ~/.ssh/digital-ocean-1 root@<openclaw-box-public-ip>
curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL https://get.agent-vault.dev | sh
On this box the Agent Vault CLI is a client wrapper; no server runs here.
Step 2: Install OpenClaw and walk the setup wizard

curl -fsSL https://openclaw.ai/install.sh | bash
The installer drops OpenClaw at /usr/lib/node_modules/openclaw and launches its interactive setup wizard. At every token prompt, type the placeholder, not the real value. Exact strings matter; copy from this guide.
  1. Personal data acknowledgement: I understand.
  2. Setup mode: Quickstart.
  3. Model provider: Anthropic.
  4. Anthropic auth method: Anthropic API Key.
  5. Anthropic API key: type exactly __anthropic_api_key__
  6. Model: pick your preferred Claude model.
  7. Messaging platform: Slack (Socket Mode). The wizard then prints a Slack manifest JSON block; copy it for the next section.
If you miss the manifest or re-run the wizard, it skips that step. Run openclaw channels remove slack then re-run the wizard to see it again.
  8. Slack Bot Token: type exactly __slack_bot_token__
  9. Slack App Token: type exactly __slack_app_token__
  10. Configure channel access? Yes.
  11. Channel access: Open.
  12. Search provider: Skip.
  13. Skills: No (skip).
  14. Hooks: Skip for now.
  15. Hatch agent in terminal? No (hatch later).
Step 3: Sanity-check the placeholders landed

grep -R "__anthropic_api_key__\|__slack_bot_token__\|__slack_app_token__" ~/.openclaw
You should see hits in ~/.openclaw/openclaw.json (Slack tokens) and ~/.openclaw/agents/main/agent/auth-profiles.json (Anthropic). If any are missing or mistyped, re-run the wizard.
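The grep above and the exact-match caveat at the end of section 4 can be folded into one audit that runs on openclaw-box. This is an added example written for this guide, not code from Agent Vault or OpenClaw; the JSON keys in the constructed sample files are assumptions (the real tree is ~/.openclaw), and the token prefixes it scans for are the ones listed in the credentials table. It reports each expected placeholder as present or missing, and flags any real-looking token found on the box, which would mean a live credential ended up on the side that is supposed to hold only placeholders.

```shell
#!/usr/bin/env sh
# Added example (not part of Agent Vault or OpenClaw): audit an OpenClaw config
# tree for the placeholder strings that Agent Vault substitutes on the wire.
# Two failure modes are checked:
#   1. a placeholder is missing or mistyped (substitution never fires -> 401)
#   2. a real-looking token is present on this box (defeats the placeholder split)

# Placeholders the guide expects. Agent Vault matches them exactly, case-sensitively.
EXPECTED_PLACEHOLDERS='__anthropic_api_key__ __slack_bot_token__ __slack_app_token__'

# Prefixes of real tokens (from the credentials table) that must never be on openclaw-box.
SECRET_PREFIXES='sk-ant- xoxb- xapp- ghp_ ntn_'

# audit_openclaw_placeholders <config-dir>
# Prints one line per finding; returns 0 when clean, 1 on any finding, 2 on bad input.
audit_openclaw_placeholders() {
  dir=$1
  rc=0
  [ -d "$dir" ] || { echo "no such directory: $dir"; return 2; }

  for ph in $EXPECTED_PLACEHOLDERS; do
    # -F fixed string, -r recurse, -q quiet: the same exact match the broker performs
    if grep -rqF -- "$ph" "$dir"; then
      echo "ok      $ph"
    else
      echo "MISSING $ph (substitution will not fire; re-run the wizard)"
      rc=1
    fi
  done

  for pre in $SECRET_PREFIXES; do
    files=$(grep -rlF -- "$pre" "$dir" 2>/dev/null)
    if [ -n "$files" ]; then
      echo "LEAK    token prefix $pre found in: $(echo "$files" | tr '\n' ' ')"
      rc=1
    fi
  done
  return $rc
}

# make_sample_config <dir> <good|bad>
# Constructed sample tree for a dry run. The file layout follows step 3 of this
# section; the JSON key names are assumptions made for this example.
make_sample_config() {
  mkdir -p "$1/agents/main/agent"
  if [ "$2" = good ]; then
    printf '{"slack":{"botToken":"__slack_bot_token__","appToken":"__slack_app_token__"}}\n' \
      > "$1/openclaw.json"
    printf '{"anthropic":{"apiKey":"__anthropic_api_key__"}}\n' \
      > "$1/agents/main/agent/auth-profiles.json"
  else
    # typo in the bot-token placeholder, and a (fake) real key pasted by mistake
    printf '{"slack":{"botToken":"__slack_bot_tokn__","appToken":"__slack_app_token__"}}\n' \
      > "$1/openclaw.json"
    printf '{"anthropic":{"apiKey":"sk-ant-EXAMPLE-NOT-A-REAL-KEY"}}\n' \
      > "$1/agents/main/agent/auth-profiles.json"
  fi
}

# Dry run against constructed trees. On openclaw-box, run it against ~/.openclaw instead.
tmp=$(mktemp -d)
make_sample_config "$tmp/good" good
make_sample_config "$tmp/bad" bad
audit_openclaw_placeholders "$tmp/good" && echo "good tree: clean"
audit_openclaw_placeholders "$tmp/bad" || echo "bad tree: fix the findings above before starting the gateway"
rm -rf "$tmp"
```

Run it as `sh audit.sh` for the dry run, or source it and call `audit_openclaw_placeholders ~/.openclaw` on openclaw-box; a non-zero exit is the signal to re-run the wizard (MISSING) or to rotate the leaked upstream token and clean the file (LEAK).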

6. Create the Slack app from OpenClaw’s manifest

OpenClaw’s manifest pre-configures every scope, event, and feature its Slack plugin needs. Pasting it into Slack’s “Create from manifest” flow provisions the app in one shot.
Step 1: Create the app in Slack from the manifest

Go to api.slack.com/apps, click Create New App → From a manifest, pick your workspace, paste the JSON, and click Create.
Step 2: Install to your workspace and copy the bot token

In the new app’s sidebar: OAuth & Permissions → Install to Workspace. Approve the scopes. Copy the Bot User OAuth Token (xoxb-...).
Step 3: Generate the App-Level Token

The manifest doesn’t cover App-Level Tokens. Basic Information → App-Level Tokens → Generate Token and Scopes, name it, add the connections:write scope, Generate, copy the xapp-... token.
Step 4: Paste the real tokens into Agent Vault

In the AV UI: prod → Credentials → SLACK_BOT_TOKEN → edit → paste the xoxb-... token → save. Then SLACK_APP_TOKEN → edit → paste the xapp-... token → save.
Step 5: Invite the bot to your channel

In Slack, open the channel you want OpenClaw to listen in. Type /invite @<your-bot-name>.

7. Connect openclaw-box to Agent Vault

agent-vault run wraps OpenClaw’s gateway so every outbound call goes through av-broker.
Step 1: Mint an agent token

Switch to the AV UI tab in your laptop browser. Sidebar: All Agents → Add agent. In the modal:
  • Agent name: openclaw-box
  • Vault access: click + Add vault, pick prod, leave role at proxy
  • Click Add
The modal flips to the Connect Your Agent view with three values you’ll need: AGENT_VAULT_ADDR, AGENT_VAULT_TOKEN (the av_agt_... value), and AGENT_VAULT_VAULT. Copy all three. The address shown may point at localhost or your laptop’s tunnel; in the env file below you’ll substitute av-broker’s private VPC IP (e.g. http://10.108.0.3:14321), because openclaw-box reaches Agent Vault over the private network, not through your laptop’s SSH tunnel.
Step 2: Write the env file on openclaw-box

Back in the SSH session on openclaw-box:
mkdir -p /etc/openclaw && cat > /etc/openclaw/agent-vault.env <<EOF
AGENT_VAULT_ADDR=http://10.108.0.3:14321
AGENT_VAULT_TOKEN=<paste-the-av_agt_-token>
AGENT_VAULT_VAULT=prod
GITHUB_TOKEN=__github_token__
NOTION_TOKEN=__notion_token__
EOF
chmod 600 /etc/openclaw/agent-vault.env
Step 3: Export the env vars into your shell

systemd reads the file natively at gateway start, but a manual agent-vault run needs the vars in the current shell:
set -a
source /etc/openclaw/agent-vault.env
set +a
Step 4: Sanity-check the proxy path

agent-vault run -- curl -H "Authorization: Bearer __github_token__" https://api.github.com/user
A real GitHub user response means the placeholder was substituted on the wire and the proxy path works.
Step 5: Write the systemd drop-in override

Drop in an override that wraps the gateway’s ExecStart with agent-vault run:
mkdir -p /root/.config/systemd/user/openclaw-gateway.service.d
cat > /root/.config/systemd/user/openclaw-gateway.service.d/override.conf <<'EOF'
[Service]
EnvironmentFile=/etc/openclaw/agent-vault.env
ExecStart=
ExecStart=/usr/local/bin/agent-vault run -- /usr/bin/openclaw gateway run --port 18789
EOF
Step 6: Enable linger, reload, and start

loginctl enable-linger root
systemctl --user daemon-reload
systemctl --user restart openclaw-gateway
sleep 3
journalctl --user -u openclaw-gateway -n 30 --no-pager
Healthy log lines to look for in the first few seconds:
  • agent-vault: routing HTTP/HTTPS through MITM proxy (10.108.0.3:14322): the wrap is live.
  • [slack] socket mode connected: bot is on Slack via Socket Mode.
  • [gateway] provider auth state pre-warmed in <N>ms: Anthropic API key brokered successfully.
  • [gateway] ready: gateway accepting traffic.
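Before the restart in step 6, the env file from step 2 can be checked for the mistakes that otherwise show up only as 401s or connection errors in the journal: a world-readable mode, a missing variable, AGENT_VAULT_ADDR still pointing at the laptop tunnel instead of av-broker’s private IP, or the <paste-the-av_agt_-token> placeholder left in place. This is an added example for this guide, not Agent Vault’s or OpenClaw’s code; the VPC prefix 10.108. and the av_agt_ token prefix are taken from this guide, and the sample files are constructed.

```shell
#!/usr/bin/env sh
# Added example (not part of Agent Vault or OpenClaw): validate the env file that
# both the systemd drop-in (EnvironmentFile=) and a manual `agent-vault run` read.

REQUIRED_VARS='AGENT_VAULT_ADDR AGENT_VAULT_TOKEN AGENT_VAULT_VAULT'
VPC_PREFIX='10.108.'   # private range used in this guide; adjust to your VPC

# env_value <file> <VAR>: print the value of the first VAR=... line, empty if absent.
env_value() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# validate_agent_vault_env <file>
# Prints findings; returns 0 when the file is usable, 1 otherwise.
validate_agent_vault_env() {
  f=$1
  rc=0
  [ -f "$f" ] || { echo "FAIL missing file: $f"; return 1; }

  # 1. Mode: the agent token is a bearer credential, so nobody else may read it.
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
  case "$mode" in
    600|400) echo "ok   mode $mode" ;;
    *)       echo "FAIL mode $mode (expected 600): chmod 600 $f"; rc=1 ;;
  esac

  # 2. Every required variable present and non-empty.
  for v in $REQUIRED_VARS; do
    if [ -z "$(env_value "$f" "$v")" ]; then
      echo "FAIL $v missing or empty"; rc=1
    fi
  done

  # 3. ADDR must be av-broker's private IP; the UI may have shown the laptop tunnel.
  addr=$(env_value "$f" AGENT_VAULT_ADDR)
  case "$addr" in
    http://${VPC_PREFIX}*)   echo "ok   addr $addr" ;;
    *localhost*|*127.0.0.1*) echo "FAIL addr $addr is the laptop tunnel, not the VPC"; rc=1 ;;
    *)                       echo "WARN addr $addr is outside the expected VPC prefix $VPC_PREFIX" ;;
  esac

  # 4. Token has the agent-token shape and is not the <paste...> placeholder.
  tok=$(env_value "$f" AGENT_VAULT_TOKEN)
  case "$tok" in
    av_agt_*) echo "ok   token av_agt_..." ;;
    *)        echo "FAIL token does not start with av_agt_ (placeholder still in place?)"; rc=1 ;;
  esac

  return $rc
}

# write_sample_env <path> <addr> <token>: constructed sample in the guide's layout,
# written with umask 077 so it lands as 0600 like the real file.
write_sample_env() {
  ( umask 077
    printf 'AGENT_VAULT_ADDR=%s\nAGENT_VAULT_TOKEN=%s\nAGENT_VAULT_VAULT=prod\nGITHUB_TOKEN=__github_token__\nNOTION_TOKEN=__notion_token__\n' \
      "$2" "$3" > "$1" )
}

# Dry run on constructed files. On openclaw-box: validate_agent_vault_env /etc/openclaw/agent-vault.env
tmp=$(mktemp -d)
write_sample_env "$tmp/good.env" http://10.108.0.3:14321 av_agt_EXAMPLE_NOT_REAL
write_sample_env "$tmp/bad.env"  http://localhost:14321  '<paste-the-av_agt_-token>'
chmod 644 "$tmp/bad.env"
validate_agent_vault_env "$tmp/good.env" && echo "good.env: usable"
validate_agent_vault_env "$tmp/bad.env"  || echo "bad.env: fix findings before systemctl --user restart openclaw-gateway"
rm -rf "$tmp"
```

A FAIL on the address is the one that is easy to miss: the gateway starts, the journal shows connection refused on the first brokered call, and nothing in the UI explains it, because openclaw-box never reached the broker at all.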

8. Lock down egress (optional)

Restrict openclaw-box outbound to av-broker only. A compromised OpenClaw then has no direct path to the internet; everything it sends has to pass through the broker, where it is matched against a service and logged.
Step 1: Create and attach the egress firewall

Networking → Firewalls → Create Firewall, name it openclaw-egress. One outbound rule: TCP, destination 10.108.0.0/20 (your VPC range), any port. In Apply To Droplets, select only openclaw-box. Attaching this to av-broker breaks the brokered requests.
Step 2: Verify

From openclaw-box:
curl --max-time 5 https://api.anthropic.com/v1/models
That should time out. Proxied calls through 10.108.0.3:14322 still work.

9. Try it end-to-end

In your target Slack channel, @-mention the bot. OpenClaw replies, with every outbound call routed through 10.108.0.3:14322. To exercise all four brokered services in one prompt:
@openclaw summarize the last 5 PRs in <owner>/<repo> and create a Notion page with the summary. Reply with the new page’s URL.
Replace <owner>/<repo> with a repo your GITHUB_TOKEN has read access to. To watch brokered traffic in real time, tail the gateway journal on openclaw-box:
journalctl --user -u openclaw-gateway -f
Open Logs in the AV UI to see each request’s matched service and substituted credential.

10. Revoke and recover

Step 1: Revoke the agent

In the AV UI: All Agents → openclaw-box → Rotate (or Delete).
Step 2: Send another Slack message

The next outbound call returns 401 from the broker. The placeholder strings on openclaw-box are inert without a valid agent token.
Step 3: Re-issue to recover

Copy the rotated token, update AGENT_VAULT_TOKEN in /etc/openclaw/agent-vault.env, then systemctl --user restart openclaw-gateway. OpenClaw replies normally on the next @-mention. See Agents → Rotating an agent token.
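Updating the token in the env file is a one-line edit, but since systemd reads that file at gateway start it is worth doing atomically and verifying before the restart. This is an added example for this guide, not Agent Vault’s code; the av_agt_ prefix check and the file layout follow section 7, and the sample file is constructed.

```shell
#!/usr/bin/env sh
# Added example (not part of Agent Vault or OpenClaw): replace AGENT_VAULT_TOKEN in the
# env file without ever leaving a half-written file in place, then verify the swap.

# rotate_agent_token <env-file> <new-token>
# Returns 0 on success. On any refusal or failure the original file is left untouched.
rotate_agent_token() {
  f=$1
  new=$2

  # Refuse anything that does not look like the av_agt_... value shown in the AV UI.
  case "$new" in
    av_agt_*) ;;
    *) echo "refusing: new token does not look like an agent token (av_agt_...)"; return 1 ;;
  esac
  [ -f "$f" ] || { echo "refusing: $f not found"; return 1; }
  grep -q '^AGENT_VAULT_TOKEN=' "$f" || { echo "refusing: no AGENT_VAULT_TOKEN line in $f"; return 1; }

  # Write the replacement beside the target as 0600, then rename over it (atomic on one filesystem).
  # The token is assumed to be alphanumeric plus underscore, so it is safe inside the sed expression.
  tmp="$f.tmp.$$"
  ( umask 077; sed "s|^AGENT_VAULT_TOKEN=.*|AGENT_VAULT_TOKEN=$new|" "$f" > "$tmp" ) || { rm -f "$tmp"; return 1; }
  chmod 600 "$tmp"
  mv -f "$tmp" "$f"

  # Verify: exactly one token line, carrying the new value.
  [ "$(grep -c '^AGENT_VAULT_TOKEN=' "$f")" = 1 ] || return 1
  grep -qF "AGENT_VAULT_TOKEN=$new" "$f"
}

# Dry run on a constructed file. On openclaw-box the path is /etc/openclaw/agent-vault.env,
# followed by: systemctl --user restart openclaw-gateway
tmp=$(mktemp -d)
( umask 077
  printf 'AGENT_VAULT_ADDR=http://10.108.0.3:14321\nAGENT_VAULT_TOKEN=av_agt_OLD_EXAMPLE\nAGENT_VAULT_VAULT=prod\n' \
    > "$tmp/agent-vault.env" )
rotate_agent_token "$tmp/agent-vault.env" av_agt_NEW_EXAMPLE && cat "$tmp/agent-vault.env"
rm -rf "$tmp"
```

The revoked token is not kept anywhere on openclaw-box after the rename, so a later compromise of the box cannot recover it; the only copies that matter are the ones in the AV UI, which the Rotate action already invalidated.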

Cleanup

  1. DigitalOcean console → Droplets: delete av-broker and openclaw-box.
  2. Networking → VPC: delete the VPC.
  3. Firewalls: delete openclaw-lab and openclaw-egress (if you created it).
  4. Rotate or revoke the real upstream API tokens you uploaded (they remain valid in their home services until you do).