If you want a hosted OpenClaw bot to reach internal systems or use a private web URL, the flow is straightforward.
What You Need
- a paid hosted OpenClaw bot
- your Tailscale tailnet
- a Tailscale OAuth client with the right scope to mint auth keys for the fixed bot tag
Step 1: Open the bot config
Go to the bot’s Config tab in the dashboard.
You will now see a Private networking section.
Step 2: Save your Tailscale workspace
Enter:
- your tailnet name
- your OAuth client ID
- your OAuth client secret
- the bot tag you want OpenClaw to use
OpenClaw validates that configuration before it saves it.
Step 3: Decide what the bot should do on the tailnet
You can turn on:
- private resource access if the bot needs internal apps, APIs, or databases
- private web chat if the browser UI should stay inside your tailnet
Step 4: Pick web exposure
Choose one of these:
- public
- private
- both
- disabled
If you are not sure, start with both.
That keeps your normal public web path while adding a private tailnet URL for internal users.
Step 5: Keep the channel rules straight
This is the part that matters most:
- public web chat stays on Cloudflare
- private web chat runs on your tailnet
- Telegram stays public-only
- custom domains stay public-only
So yes, you can have a bot with a private web URL and a public Telegram bot at the same time.
Step 6: Test the private path
From a device on your tailnet:
- open the private web URL shown in the dashboard
- confirm the bot can answer
- if needed, confirm it can reach the internal service you wanted
If that works, you can keep mixed mode or switch to private only.
What OpenClaw Does Behind The Scenes
OpenClaw does not put your OAuth client secret inside the bot container.
Instead it:
- uses your OAuth client on the control plane
- mints a one-off join key
- injects only that short-lived join key into the bot runtime
That keeps the trust boundary tighter than shipping the full OAuth secret with the bot.
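The join-key flow described above, sketched against Tailscale's public API as an added example; it is not OpenClaw's own code. Assumptions: the function names, the ephemeral setting, the five-minute expiry, and handing the key to the container as `TS_AUTHKEY` are illustrative choices, and `post` is an injectable transport so the flow can be exercised without network access.

```python
import json
import urllib.parse
import urllib.request

API = "https://api.tailscale.com/api/v2"


def http_post(url, data, headers):
    """POST raw bytes and decode the JSON response (real network transport)."""
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def mint_join_key(tailnet, client_id, client_secret, tag, post=http_post, ttl=300):
    """Control-plane side: trade the OAuth client for a token, then mint one key."""
    if not tag.startswith("tag:"):
        raise ValueError("OAuth-minted auth keys must carry a tag")
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    token = post(f"{API}/oauth/token", form,
                 {"Content-Type": "application/x-www-form-urlencoded"})["access_token"]
    body = {
        "capabilities": {"devices": {"create": {
            "reusable": False,      # one-off: a leaked key cannot enroll a second node
            "ephemeral": True,      # assumption: node is removed once it goes offline
            "preauthorized": True,
            "tags": [tag],          # node is owned by the tag, not by a user
        }}},
        "expirySeconds": ttl,       # assumption: five minutes is enough to boot the bot
    }
    quoted = urllib.parse.quote(tailnet, safe="")
    resp = post(f"{API}/tailnet/{quoted}/keys", json.dumps(body).encode(),
                {"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    return resp["key"]


def bot_runtime_env(join_key):
    """Everything the bot container receives; the OAuth client never appears here."""
    return {"TS_AUTHKEY": join_key}
```

If the bot container is compromised, the attacker holds at most a spent, expiring key scoped to the bot tag, not a credential that can mint more.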