First-time setup
Section titled “First-time setup”On first run with an empty database, Claworc shows a Create admin account form before the login page. Enter a username and password to create the initial admin account.
Alternatively, create the admin account from the CLI:
# Docker Composedocker compose exec claworc ./claworc --create-admin
# Kuberneteskubectl exec -n claworc deploy/claworc -- ./claworc --create-adminClaworc has two roles:
- Full access to all instances
- Create, edit, and delete users
- Assign instances to users
- Access the Settings page (global API keys, SSH keys, audit logs)
- View and configure SSH source IP restrictions per instance
- Read and write access to assigned instances only
- Can create, list, download, and delete backups for assigned instances
- Can manage backup schedules whose instances are all assigned to them
- No access to the Settings page
- Cannot view or manage other users
- Cannot see instances not assigned to them
- Cannot create new instances or restore from a backup unless the admin grants the Can create instances permission
Can create instances (per-user permission)
Section titled “Can create instances (per-user permission)”Admins can grant any user the Can create instances permission. A user with this flag can:
- Create new OpenClaw instances from the dashboard. The new instance is automatically assigned to the user.
- Restore an assigned instance from one of its backups.
The flag has no effect on admins (admins always can).
User management
Section titled “User management”Admins manage users from Settings → Users:
| Action | How |
|---|---|
| Create user | Click Add user, enter username and password, choose role and assigned instances, then save |
| Edit user | Click the username in the table to open the edit dialog |
| Change role | Open the user → change the Role dropdown. Selecting Admin automatically grants access to all instances |
| Toggle Can-create-instances | Open the user → tick or untick Can create instances |
| Assign instances | Open the user → pick instances from the list (disabled for admins, who always have access to all instances) |
| Reset password | Open the user → click Reset password |
| Delete user | Open the user → click Delete and confirm |
Passkeys (WebAuthn)
Section titled “Passkeys (WebAuthn)”Claworc supports passkeys for passwordless login using biometrics or hardware security keys.
Registering a passkey
Section titled “Registering a passkey”- Log in with your username and password.
- Go to Profile → Security.
- Click Register passkey and follow your browser’s prompt.
Logging in with a passkey
Section titled “Logging in with a passkey”On the login page, click Sign in with passkey instead of entering a password.
Production configuration
Section titled “Production configuration”For passkeys to work, configure the Relying Party settings to match your domain:
CLAWORC_RP_ORIGINS=https://claworc.example.comCLAWORC_RP_ID=claworc.example.comSessions
Section titled “Sessions”Sessions use HTTP-only cookies and expire after 1 hour of inactivity. Sessions are stored in memory — restarting the Claworc process logs all users out.
Disabling authentication
Section titled “Disabling authentication”For local development only, you can disable authentication entirely:
CLAWORC_AUTH_DISABLED=truePassword reset (CLI)
Section titled “Password reset (CLI)”If the admin password is lost:
# Docker Composedocker compose exec claworc ./claworc --reset-password --username admin
# Kuberneteskubectl exec -n claworc deploy/claworc -- ./claworc --reset-password --username admin