Skip to main content

Fly.io Deployment

Goal: OpenClaw Gateway running on a Fly.io machine with persistent storage, automatic HTTPS, and Discord/channel access.

What you need

  • flyctl CLI installed
  • Fly.io account (free tier works)
  • Model auth: API key for your chosen model provider
  • Channel credentials: Discord bot token, Telegram token, etc.

Beginner quick path

  1. Clone repo → customize fly.toml
  2. Create app + volume → set secrets
  3. Deploy with fly deploy
  4. SSH in to create config or use Control UI

1) Create the Fly app

Tip: Choose a region close to you. Common options: lhr (London), iad (Virginia), sjc (San Jose).

2) Configure fly.toml

Edit fly.toml to match your app name and requirements. Security note: The default config exposes a public URL. For a hardened deployment with no public IP, see Private Deployment or use fly.private.toml.
Key settings:

3) Set secrets

Notes:
  • Non-loopback binds (--bind lan) require OPENCLAW_GATEWAY_TOKEN for security.
  • Treat these tokens like passwords.
  • Prefer env vars over config file for all API keys and tokens. This keeps secrets out of openclaw.json where they could be accidentally exposed or logged.

4) Deploy

First deploy builds the Docker image (~2-3 minutes). Subsequent deploys are faster. After deployment, verify:
You should see:

5) Create config file

SSH into the machine to create a proper config:
Create the config directory and file:
Note: With OPENCLAW_STATE_DIR=/data, the config path is /data/openclaw.json. Note: The Discord token can come from either:
  • Environment variable: DISCORD_BOT_TOKEN (recommended for secrets)
  • Config file: channels.discord.token
If using env var, no need to add token to config. The gateway reads DISCORD_BOT_TOKEN automatically. Restart to apply:

6) Access the Gateway

Control UI

Open in browser:
Or visit https://my-openclaw.fly.dev/ Paste your gateway token (the one from OPENCLAW_GATEWAY_TOKEN) to authenticate.

Logs

SSH Console

Troubleshooting

”App is not listening on expected address”

The gateway is binding to 127.0.0.1 instead of 0.0.0.0. Fix: Add --bind lan to your process command in fly.toml.

Health checks failing / connection refused

Fly can’t reach the gateway on the configured port. Fix: Ensure internal_port matches the gateway port (set --port 3000 or OPENCLAW_GATEWAY_PORT=3000).

OOM / Memory Issues

Container keeps restarting or getting killed. Signs: SIGABRT, v8::internal::Runtime_AllocateInYoungGeneration, or silent restarts. Fix: Increase memory in fly.toml:
Or update an existing machine:
Note: 512MB is too small. 1GB may work but can OOM under load or with verbose logging. 2GB is recommended.

Gateway Lock Issues

Gateway refuses to start with “already running” errors. This happens when the container restarts but the PID lock file persists on the volume. Fix: Delete the lock file:
The lock file is at /data/gateway.*.lock (not in a subdirectory).

Config Not Being Read

If using --allow-unconfigured, the gateway creates a minimal config. Your custom config at /data/openclaw.json should be read on restart. Verify the config exists:

Writing Config via SSH

The fly ssh console -C command doesn’t support shell redirection. To write a config file:
Note: fly sftp may fail if the file already exists. Delete first:

State Not Persisting

If you lose credentials or sessions after a restart, the state dir is writing to the container filesystem. Fix: Ensure OPENCLAW_STATE_DIR=/data is set in fly.toml and redeploy.

Updates

Updating Machine Command

If you need to change the startup command without a full redeploy:
Note: After fly deploy, the machine command may reset to what’s in fly.toml. If you made manual changes, re-apply them after deploy.

Private Deployment (Hardened)

By default, Fly allocates public IPs, making your gateway accessible at https://your-app.fly.dev. This is convenient but means your deployment is discoverable by internet scanners (Shodan, Censys, etc.). For a hardened deployment with no public exposure, use the private template.

When to use private deployment

  • You only make outbound calls/messages (no inbound webhooks)
  • You use ngrok or Tailscale tunnels for any webhook callbacks
  • You access the gateway via SSH, proxy, or WireGuard instead of browser
  • You want the deployment hidden from internet scanners

Setup

Use fly.private.toml instead of the standard config:
Or convert an existing deployment:
After this, fly ips list should show only a private type IP:

Accessing a private deployment

Since there’s no public URL, use one of these methods: Option 1: Local proxy (simplest)
Option 2: WireGuard VPN
Option 3: SSH only

Webhooks with private deployment

If you need webhook callbacks (Twilio, Telnyx, etc.) without public exposure:
  1. ngrok tunnel - Run ngrok inside the container or as a sidecar
  2. Tailscale Funnel - Expose specific paths via Tailscale
  3. Outbound-only - Some providers (Twilio) work fine for outbound calls without webhooks
Example voice-call config with ngrok:
The ngrok tunnel runs inside the container and provides a public webhook URL without exposing the Fly app itself. Set webhookSecurity.allowedHosts to the public tunnel hostname so forwarded host headers are accepted.

Security benefits

Notes

  • Fly.io uses x86 architecture (not ARM)
  • The Dockerfile is compatible with both architectures
  • For WhatsApp/Telegram onboarding, use fly ssh console
  • Persistent data lives on the volume at /data
  • Signal requires Java + signal-cli; use a custom image and keep memory at 2GB+.

Cost

With the recommended config (shared-cpu-2x, 2GB RAM):
  • ~$10-15/month depending on usage
  • Free tier includes some allowance
See Fly.io pricing for details.