Not every bot should be exposed the same way.
Some should stay public. Some should stay private. Some need both.
Public Access
Use public access when the bot needs to be easy to reach from the normal internet.
For hosted OpenClaw, that usually means:
- public web chat on Cloudflare
- Telegram access
- optional custom domain for the public web path
This is the best fit for:
- customer-facing bots
- broad team usage
- fast testing with as little setup as possible
Private Access
Use private access when the bot should only be reachable from trusted devices on your tailnet.
That is the right fit when the bot needs to:
- talk to private APIs
- use internal dashboards
- stay off the public internet
For hosted OpenClaw, private web chat uses the customer’s own Tailscale tailnet.
Mixed Access
Mixed access is usually the practical answer.
That means:
- public web chat for normal usage
- private tailnet web chat for internal or sensitive usage
- Telegram stays public if you want it
This is often the least risky rollout because it adds a private path without taking away the public one your team already knows.
What Does Not Change
One place teams get tripped up is assuming Tailscale should replace everything.
For hosted OpenClaw, it should not.
- Cloudflare is still the public ingress layer
- Telegram is still public-only
- custom domains are still public-only
- Tailscale is the private path for the customer tailnet
The Short Rule
Use:
- public when reach matters most
- private when internal-only access matters most
- both when you want the safest rollout and the least disruption
That keeps the network model clear and avoids accidentally breaking the channels your users already rely on.