YouTubeVideoSource Linked
Claws Out: Securing and Building with OpenClaw - Nick Taylor, Pomerium
OpenClaw’s trusted-proxy mode removes duplicate WebSocket tokens and device pairing, but only if proxy IPs and identity headers are tightly constrained.
YouTube
Source Summary
OpenClaw’s **trusted-proxy mode** lets an identity-aware proxy gate the control plane. Configuration names trusted proxy IPs plus a user header and required headers, removing separate WebSocket tokens and device pairing.
Practical Implication
Use it when exposing a local agent workspace through an authenticated proxy. Keep the trust boundary narrow, and give the agent’s GitHub credentials limited permissions; the demo’s full access let it open a PR before review.
Agent-Ready Context
OpenClaw’s **trusted-proxy mode** lets an identity-aware proxy gate the control plane. Configuration names trusted proxy IPs plus a user header and required headers, removing separate WebSocket tokens and device pairing. Use it when exposing a local agent workspace through an authenticated proxy. Keep the trust boundary narrow, and give the agent’s GitHub credentials limited permissions; the demo’s full access let it open a PR before review. The security gain depends on correct proxy and header configuration. The speaker also encountered a pairing-related bug missed by local testing, so test fresh clients and unpaired devices before relying on the setup.
Context Map
infracodingsecurity#gateways#sandboxing#coding-agentsUncertainty
The security gain depends on correct proxy and header configuration. The speaker also encountered a pairing-related bug missed by local testing, so test fresh clients and unpaired devices before relying on the setup.