OpenClaw reliability layer

Secure by default

Self-hosted OpenClaw is easy to misconfigure. Most incidents are simpler than people want to admit: missing auth, open ports, and leaked keys.

molt.host is an independent, third-party hosting service for OpenClaw. Not affiliated with or endorsed by the OpenClaw project or its creators.

The footguns we design against

These are the patterns we see repeatedly in operator reports. The security baseline is about avoiding predictable failures, not claiming perfection.

"No auth. Ports open. API keys ready to steal."
"Exposed IPs. Leaked keys. Config nightmares."
Keys in env files (copied, shared, or committed by mistake).
A gateway you can reach from the internet (because you had to make it work).

What the security baseline includes

We ship secure defaults so operators can run an agent without building a bespoke security stack.

Isolated by default

Your OpenClaw instance runs in isolated infrastructure with fewer shared surfaces.

Encrypted credentials

Model keys, bot tokens, and channel credentials are stored encrypted at rest and used only to operate your instance.

Restricted access + audit trails

Operational access is restricted and logged. Support diagnostics do not require message inspection.

Safer network defaults

The safe path is the default. No open ports, no missing auth out of the box.

BYOK keeps control with you

Bring Your Own Keys means model requests run under your model provider account. You can rotate or revoke keys without waiting on a host.

Minimal retention (by design)

By default we do not retain conversation history in molt.host systems such as logs, analytics, or support tools. We may keep limited operational metadata, like delivery status and timestamps, to run the service.

BYOK: what it means in practice

BYOK means you provide the model API keys and requests go to your provider under your account.

We store keys encrypted at rest and restrict access. You can rotate or revoke them on your side.

Security snapshot (simplified)

This is the operator-friendly posture we aim for. Clear defaults, not buzzwords.

Baseline status

Access: restricted

Credentials: encrypted at rest

Isolation: per instance

Conversation history: not retained by default

Audit logs: enabled

For the full details on data handling and retention, see our Privacy Policy.

No lock-in

OpenClaw is open source. You can move to self-hosting anytime. We win by making the operational experience safer and more reliable.

What we monitor How staged upgrades work Compare self-hosting vs managed

The footguns we design against

These are the patterns we see repeatedly in operator reports. The security baseline is about avoiding predictable failures, not claiming perfection.

"No auth. Ports open. API keys ready to steal."

"Exposed IPs. Leaked keys. Config nightmares."

Keys in env files (copied, shared, or committed by mistake).

A gateway you can reach from the internet (because you had to make it work).

What the security baseline includes

We ship secure defaults so operators can run an agent without building a bespoke security stack.

Isolated by default

Your OpenClaw instance runs in isolated infrastructure with fewer shared surfaces.

Encrypted credentials

Model keys, bot tokens, and channel credentials are stored encrypted at rest and used only to operate your instance.

Restricted access + audit trails

Operational access is restricted and logged. Support diagnostics do not require message inspection.

Safer network defaults

The safe path is the default. No open ports, no missing auth out of the box.

BYOK keeps control with you

Bring Your Own Keys means model requests run under your model provider account. You can rotate or revoke keys without waiting on a host.

Minimal retention (by design)

Security snapshot (simplified)

This is the operator-friendly posture we aim for. Clear defaults, not buzzwords.

Baseline status

Access: restricted

Credentials: encrypted at rest

Isolation: per instance

Conversation history: not retained by default

Audit logs: enabled

For the full details on data handling and retention, see our Privacy Policy.

The footguns we design against

What the security baseline includes

Isolated by default

Encrypted credentials

Restricted access + audit trails

Safer network defaults

BYOK keeps control with you

Minimal retention (by design)

BYOK: what it means in practice

Security snapshot (simplified)

No lock-in

Managed OpenClaw hosting that stays reachable.

The footguns we design against

What the security baseline includes

Isolated by default

Encrypted credentials

Restricted access + audit trails

Safer network defaults

BYOK keeps control with you

Minimal retention (by design)

BYOK: what it means in practice

Security snapshot (simplified)

No lock-in

Managed OpenClaw hosting that stays reachable.