Can I use different allowlists per channel?

Yes, you can configure a global allowlist that applies to all channels and per-channel allowlists that override or extend the global list. This lets you grant access on WhatsApp to a different set of users than Discord.

What happens when an unauthorized user messages the agent?

By default, the agent silently ignores messages from unauthorized users. You can configure a custom rejection message that informs them they are not authorized, or simply have the agent not respond at all.

Are audit logs stored securely?

Yes, audit logs are encrypted at rest and access-controlled through the RunTheAgent dashboard. Only account owners and designated admins can view and export audit logs.

Channels

Channel Security: Allowlists and Authentication

Secure your channels with allowlists, role-based access, and authentication to control who interacts with your agent.

Deploy OpenClaw See How It Works

What You Will Get

After this guide, your OpenClaw agent channels will be locked down with proper security controls. You will have allowlists that restrict who can message your agent, role-based access that controls what different users can do, and authentication rules that verify user identity before granting access.

Security is critical when your agent handles sensitive information or performs actions on behalf of users. Without proper controls, anyone who discovers your agent's channel could send it commands. Allowlists and authentication prevent unauthorized access and keep your agent's capabilities restricted to trusted users.

You will also set up audit logging so every interaction is recorded with the authenticated user's identity. This creates a clear trail of who did what, which is essential for compliance, debugging, and security reviews.

Step-by-Step Setup

Configure security controls across all your connected channels.

Open the Security Settings

Navigate to your agent's Settings tab and select the Security section. This is where all channel security controls are configured. You will see options for global settings that apply to all channels and per-channel overrides for specific platforms.

Create User Allowlists

Define an allowlist of approved users who can interact with your agent. Add users by their platform-specific identifiers, such as phone numbers for WhatsApp, usernames for Telegram, or user IDs for Discord. Only users on the allowlist will receive responses. Messages from unlisted users are silently ignored or receive a configurable rejection message.

Set Up Role-Based Access

Create roles with different permission levels. For example, define an admin role that can change agent settings, a user role that can chat normally, and a viewer role that can only read messages. Assign roles to users on your allowlist. The agent checks the user's role before executing any command or action.

Configure Authentication Methods

Set up authentication for channels that support it. Options include password-based authentication where users must send a passphrase before interacting, token-based authentication for programmatic access, and platform-native authentication that uses the messaging platform's built-in identity verification.

Enable Rate Limiting

Configure per-user rate limits to prevent abuse. Set the maximum number of messages a user can send per minute and per hour. Configure separate limits for different roles if needed. Rate-limited users receive a friendly message asking them to slow down.

Set Up Audit Logging

Enable audit logging to record every interaction with user identity, timestamp, channel, and action performed. Configure log retention periods and storage destinations. Audit logs are accessible from the RunTheAgent dashboard and can be exported for external analysis or compliance reporting.

Test Security Controls

Test your security setup by sending messages from both allowed and disallowed accounts. Verify that allowlisted users get responses and others do not. Test role-based restrictions by trying privileged commands from a non-admin account. Review the audit logs to confirm all interactions are being recorded correctly.

Tips and Best Practices

Start Restrictive, Then Expand

Begin with a tight allowlist and expand as needed. It is much safer to gradually add users than to start open and try to restrict later after a security incident.

Use Platform-Native Identity

Rely on the messaging platform's built-in user identity rather than asking users to authenticate separately. This reduces friction while still providing reliable identification.

Review Audit Logs Regularly

Set a schedule to review audit logs weekly. Look for unusual patterns like repeated failed authentication attempts, unexpected users, or high message volumes from a single account.

Rotate Authentication Tokens

If you use token-based authentication, rotate tokens periodically. Set up automatic token expiry and renewal to prevent long-lived credentials from being compromised.

Frequently Asked Questions

Session Routing: Multi-User Multi-Channel Setup Group Chat Management

Ready to get started?

Deploy your own OpenClaw instance in under 60 seconds. No VPS, no Docker, no SSH. Just your personal AI assistant, ready to work.

Deploy OpenClaw View Pricing

Starting at $24.50/mo. Everything included. 3-day money-back guarantee.