# Claws Out: Securing and Building with OpenClaw - Nick Taylor, Pomerium

Source: [YouTube](https://www.youtube.com/watch?v=xg1zNlzw7Jk)  
Feed7 permalink: https://feed7.dev/p/claws-out-securing-and-building-with-openclaw-nick-taylor-pomerium-1d7hzkq  
Published: Unknown  
Trust: Source Linked (source_linked)

## Why Included

OpenClaw’s trusted-proxy mode removes duplicate WebSocket tokens and device pairing, but only if proxy IPs and identity headers are tightly constrained.

## Source Summary

OpenClaw’s **trusted-proxy mode** lets an identity-aware proxy gate the control plane. Configuration names trusted proxy IPs plus a user header and required headers, removing separate WebSocket tokens and device pairing.

## Practical Implication

Use it when exposing a local agent workspace through an authenticated proxy. Keep the trust boundary narrow, and give the agent’s GitHub credentials limited permissions; the demo’s full access let it open a PR before review.

## Agent-Ready Context

OpenClaw’s **trusted-proxy mode** lets an identity-aware proxy gate the control plane. Configuration names trusted proxy IPs plus a user header and required headers, removing separate WebSocket tokens and device pairing.

Use it when exposing a local agent workspace through an authenticated proxy. Keep the trust boundary narrow, and give the agent’s GitHub credentials limited permissions; the demo’s full access let it open a PR before review.

The security gain depends on correct proxy and header configuration. The speaker also encountered a pairing-related bug missed by local testing, so test fresh clients and unpaired devices before relying on the setup.

## Context Map

- Layer: infra
- Domains: coding, security
- Topics: gateways, sandboxing, coding-agents

## Uncertainty

- The security gain depends on correct proxy and header configuration. The speaker also encountered a pairing-related bug missed by local testing, so test fresh clients and unpaired devices before relying on the setup.

## Agent Instruction

Use this item as source-backed context. Do not invent claims beyond the linked source. If this item conflicts with another source, call out the conflict.
