Auth-Protected Apps
Access any localhost port through Clawdy's secure subdomain proxy without configuring nginx or reverse proxies.
One of Clawdy's most powerful features is the ability to access any application running on your instance through a secure, authenticated subdomain. No nginx configuration, no SSL setup, no firewall rules.
How It Works
When you run a web application on your OpenClaw instance (like a Next.js dev server on port 3000), you can access it through a special subdomain pattern:
https://{port}--{your-slug}.clawdy.app
For example, if your instance slug is dev-machine and you're running an app on port 3000:
https://3000--dev-machine.clawdy.app
Key Benefits
Automatic Authentication
Every request to your app goes through Clawdy's authentication layer. Only you (and people you explicitly share access with) can access your running applications. No need to:
- Set up HTTP basic auth
- Configure OAuth
- Manage API keys
- Worry about exposing development servers
Automatic SSL
All connections are encrypted with SSL/TLS. You get HTTPS for free on any port, any application. This is especially useful for:
- Testing OAuth callbacks that require HTTPS
- Developing Progressive Web Apps (PWAs)
- Working with secure cookies
- Testing WebSocket connections over WSS
Zero Configuration
There's nothing to configure. The moment you start a server on any port between 1024 and 65535, it's automatically accessible. Compare this to traditional setups:
| Traditional Setup | Clawdy |
|---|---|
| Configure nginx reverse proxy | Nothing |
| Set up SSL with Let's Encrypt | Nothing |
| Configure firewall rules | Nothing |
| Set up authentication | Nothing |
| Update DNS records | Nothing |
Supported Ports
You can access any port in the range 1024-65535. Common examples:
| Port | Typical Use |
|---|---|
| 3000 | Next.js, Create React App, Vite |
| 3001 | Secondary dev server |
| 4000 | GraphQL servers |
| 5000 | Flask, generic backends |
| 5173 | Vite default |
| 8000 | Django, FastAPI |
| 8080 | Various web servers |
| 8888 | Jupyter notebooks |
Example: Running a Next.js App
- SSH into your instance or use the web terminal
- Create and start your app:
npx create-next-app@latest my-app
cd my-app
npm run dev
- Access it instantly at https://3000--your-slug.clawdy.app
That's it. No additional configuration needed.
Pro Tips
Avoid Port Conflicts with path-to-port
When working on multiple projects, port conflicts are a common headache. Two projects both wanting port 3000? Use path-to-port to generate a unique port based on your project's path:
# Get a unique port for the current directory
bunx path-to-port `pwd`
# Output: 4821 (deterministic based on path)
Tell OpenClaw to use this pattern when building apps:
"When starting dev servers, use bunx path-to-port `pwd` to set a unique port for this project so I don't have port conflicts with other projects."
This way, each project gets a consistent, unique port:
| Project Path | Generated Port |
|---|---|
| ~/projects/frontend | 4821 |
| ~/projects/backend | 5234 |
| ~/projects/admin-dashboard | 3892 |
You can then access each at its unique port: https://4821--your-slug.clawdy.app
Run Dev Servers in tmux Sessions
Don't tie up your terminal with a running dev server. Use tmux to run servers in the background:
# Create a named session for your project
tmux new -s my-app
# Start your dev server
npm run dev
# Detach (Ctrl+b, then d) - server keeps running!
# Later, reattach to check logs
tmux attach -t my-app
This is especially useful when you have multiple services running (frontend, backend, database). See the Web Terminal guide for more tmux tips.
Example: Sharing Your Work
Need to show your work to a colleague or client? They just need to:
- Have a Clawdy account
- Be added to your instance's access list (coming soon)
They can then view your running application at the same URL, fully authenticated.
WebSocket Support
The proxy fully supports WebSocket connections. If your application uses WebSockets (for real-time features, hot module replacement, etc.), they work automatically:
// This just works through the proxy
const ws = new WebSocket('wss://3000--your-slug.clawdy.app/ws');
Technical Details
Under the hood, Clawdy uses a Cloudflare Worker to:
- Intercept requests to {port}--{slug}.clawdy.app
- Validate the user's session
- Forward the request to your instance on the specified port
- Stream the response back to the user
The proxy handles:
- HTTP/1.1 and HTTP/2
- WebSocket upgrades
- Server-Sent Events (SSE)
- Large file uploads and downloads
- Streaming responses
Limitations
- Port range: Only ports 1024-65535 are supported (no privileged ports)
- Local only: The application must be listening on localhost or 0.0.0.0
- One instance: Each subdomain maps to one specific instance
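The {port}--{slug}.clawdy.app pattern and the 1024-65535 port range can be enforced by a strict host parser that runs before any session check or forwarding. The following is an added example, not Clawdy's own Worker code; the slug grammar, the shape of the `session` object, and the function names are assumptions.

```javascript
// Added example: strict parsing of the {port}--{slug}.clawdy.app host pattern.
// Assumption: slugs use lowercase DNS-label characters (a-z, 0-9, hyphen).
const BASE_DOMAIN = ".clawdy.app";
const MIN_PORT = 1024;  // documented range: no privileged ports
const MAX_PORT = 65535;

function parseProxyHost(hostHeader) {
  if (typeof hostHeader !== "string") return null;
  // Normalise case and drop an optional ":443" suffix or trailing dot.
  const host = hostHeader.toLowerCase().replace(/:443$/, "").replace(/\.$/, "");
  // Suffix match includes the leading dot, so "evilclawdy.app" is rejected,
  // as is "3000--x.clawdy.app.example.com".
  if (!host.endsWith(BASE_DOMAIN)) return null;
  const label = host.slice(0, -BASE_DOMAIN.length);
  // Exactly one label in front of the base domain, within the DNS label limit.
  if (label.length === 0 || label.length > 63 || label.includes(".")) return null;
  // Port: 4-5 digits, no leading zero, so "03000--x" and "3000abc--x" never match.
  const m = /^([1-9][0-9]{3,4})--([a-z0-9](?:[a-z0-9-]*[a-z0-9])?)$/.exec(label);
  if (!m) return null;
  const port = Number(m[1]);
  if (port < MIN_PORT || port > MAX_PORT) return null;
  return { port, slug: m[2] };
}

// Routing decision for one request. `session` is a hypothetical object
// ({ user, slugs }) produced by whatever session validation the proxy uses;
// null means the request carried no valid session.
function routeDecision(hostHeader, session) {
  const target = parseProxyHost(hostHeader);
  if (!target) return { status: 404 };                 // not a proxy hostname
  if (!session) return { status: 401 };                // unauthenticated
  if (!session.slugs.includes(target.slug)) return { status: 403 };
  return { status: 200, forwardTo: target };           // only now forward
}
```

Rejecting malformed hosts before the session check keeps the forwarding target limited to a validated port number and slug, never a raw string taken from the Host header.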
Next Steps
- Web Terminal: Learn about the browser-based terminal
- Security Layers: Understand how your apps are protected