The Honest Version Nobody Tells You
Every OpenClaw tutorial on the internet makes it look easy. "Set up in 20 minutes!" they say. "Just run the installer!" they promise.
I started coding one week ago. I had never touched a terminal. I didn’t know what SSH meant. And I spent 12 hours straight — from 4pm to 4am — getting OpenClaw to actually work on a VPS.
This guide is the one I wish I had. It covers every single error I hit, every wrong turn, and the exact fix for each one. If you’re a complete beginner like I was, this will save you hours of pain.
• A 24/7 AI assistant running on a cheap VPS (€4.51/month)
• Connected to Telegram so you can message it from anywhere
• Powered by Claude Opus 4.6 (or Sonnet to save money)
• Persistent memory — it remembers everything across sessions
• Cron jobs — automated morning briefings, content ideas, market updates
• Your personal Mac stays completely safe — no agent running on it
Security researchers found 500+ vulnerabilities in OpenClaw’s ecosystem. 7.1% of third-party skills on ClawHub contain malware that steals credentials.
NEVER run OpenClaw on your personal Mac if you have trading accounts, banking info, or any sensitive data. Use a VPS. That’s what this guide covers.
────────────────────────────────────────
What You Need Before Starting
Cost Breakdown
Time Estimate
If you follow this guide exactly: about 1–2 hours. If you wing it like I did: 12 hours and a lot of frustration.
Skills Required
None. Seriously. I started coding a week before writing this. If you can copy-paste commands into a black window, you can do this.
────────────────────────────────────────
Part 1: Buy Your VPS
Use my Hetzner referral link: hetzner.cloud/?ref=panke — you get €20 credit, I get a small kickback at no extra cost.
Hetzner will email you the server’s IP address and root password. Save both — you need them next.
────────────────────────────────────────
Part 2: Connect to Your Server
Open Terminal on your Mac (press Cmd+Space, type "Terminal", press Enter).
First connection
ssh root@YOUR_SERVER_IPReplace YOUR_SERVER_IP with the IP from Hetzner’s email (looks like 203.0.113.50). Type "yes" when asked about fingerprint. Paste the root password from the email.
Secure Your Server
This is critical — an unsecured VPS gets hacked within hours.
Step 1: Update everything
apt update && apt upgrade -yStep 2: Create a non-root user
adduser openclaw
usermod -aG sudo openclawChoose a strong password. This is the account OpenClaw will run under.
Step 3: Set up the firewall
ufw enable
ufw status
Type "y" to confirm. This blocks everything except SSH connections.
Step 4: Install fail2ban
apt install fail2ban -yThis auto-bans IPs that try to brute-force your password.
Step 5: Switch to your new user
su - openclaw
From now on, always use this user — never root.
────────────────────────────────────────
Part 3: Install OpenClaw
Install Node.js 22+
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt install -y nodejs
node -v # Should show v22.x.xAdd Swap Space (Prevents Crashes)
OpenClaw’s npm install can eat all 4GB of RAM. Swap prevents your server from freezing.
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstabInstall OpenClaw
curl -fsSL https://openclaw.ai/install.sh | bashThis downloads and installs the OpenClaw gateway. Takes a few minutes.
Run the Setup Wizard
openclaw onboard --install-daemonThe wizard walks you through everything. Here are the exact choices to make:
────────────────────────────────────────
Part 4: The Setup Wizard (Where I Got Burned)
The wizard asks how you want to authenticate with Anthropic. It offers multiple options including OAuth and API key.
DO NOT choose the OAuth/setup-token option, even if you have a Claude Pro subscription.
I chose it because I already had Claude Pro. It generated a token starting with sk-ant-oat01-... but this token has a restricted scope and Anthropic’s API rejects it with "401 Invalid bearer token". This is a known bug as of February 2026 (GitHub issue #23703).
ALWAYS choose: Anthropic API Key
Get Your API Key (Do This First)
Wizard Choices (Exact Selections)
Provider
Choose: Anthropic
Authentication
Choose: Anthropic API Key → paste your sk-ant-api03-... key
Model
If you choose Claude Opus 4.6, it will work initially but then hit rate limits (HTTP 429 errors) very quickly. New API accounts have a 30,000 input token/minute limit, and Opus sends ~15,000–20,000 tokens per message with system prompts included.
My experience: Opus worked for 2–3 messages, then every message after that returned "rate_limit_error: would exceed your organization’s rate limit of 30,000 input tokens per minute."
RECOMMENDATION: Start with Claude Sonnet 4.5. It’s not as smart as Opus but it stays within rate limits. Switch to Opus later once your tier increases (a few days after adding credit).
Messaging Channel
Choose: Telegram (easiest to set up)
Telegram Bot Setup
Skills Configuration
The wizard asks if you want to configure skills. This wasn’t in any guide I read and confused me.
RECOMMENDATION: Skip skills during setup. You can add them later via chat. Installing untested skills during setup can break things.
Remember: 7.1% of ClawHub marketplace skills contain malware. Only install skills from verified publishers you trust.
Remaining Wizard Steps
The wizard finishes and starts the gateway daemon. OpenClaw is now running.
────────────────────────────────────────
Part 5: The Errors I Hit (And How to Fix Each One)
This is the part no tutorial covers. Here’s what happened to me in chronological order and exactly how I fixed each issue.
Error 1: HTTP 401 Invalid Bearer Token
The Fix
If you followed my wizard instructions above, you won’t hit this. But if you did use the OAuth option:
openclaw models auth add --provider anthropic --mode api-key
# Paste your sk-ant-api03-... key when prompted
openclaw gateway restartIf that command doesn’t work, do a clean reinstall:
openclaw gateway stop
rm -rf ~/.openclaw
openclaw onboard --install-daemonThis time choose API Key authentication. Your Telegram bot token stays the same.
Error 2: HTTP 429 Rate Limit Exceeded
Why This Happens
OpenClaw sends your entire SOUL.md personality file + system prompts + conversation history with EVERY single message. On Opus 4.6, that’s roughly 15,000–20,000 input tokens per message. Your Tier 1 limit is 30,000 per minute. Two messages in 60 seconds = rate limited.
The Fix
Typing /new only clears the current conversation. Your SOUL.md, personality settings, and persistent memory are all permanent files that survive across sessions.
Use /new frequently on low rate-limit tiers. It keeps conversations short and saves tokens.
Error 3: Unrecognized Key "default"
The Fix
Instead of using config commands, edit the JSON file directly:
nano ~/.openclaw/openclaw.json
# Press Ctrl+W, type the current model name, press Enter
# Change it to the model you want
# Save: Ctrl+X -> Y -> Enter
openclaw gateway restartError 4: Two Auth Profiles Fighting Each Other
This was the sneakiest bug. After adding my API key, OpenClaw had TWO authentication profiles:
OpenClaw kept trying the broken profile first, getting a 401 error, then falling back to the working one — sometimes. Other times it just failed.
The Fix
Delete the broken profile from the auth file:
nano ~/.openclaw/agents/main/agent/auth-profiles.jsonopenclaw gateway restartNuclear Option: Clean Reinstall
If any of the above feels too complicated, just wipe everything and start fresh:
openclaw gateway stop
rm -rf ~/.openclaw
openclaw onboard --install-daemon
Choose API Key auth this time. Takes 5 minutes. Your Telegram bot token from @BotFather doesn’t change.────────────────────────────────────────
Part 6: Verify Everything Works
Check Your Setup
openclaw models statusYou should see:
Test via TUI
openclaw tuiType "hi" and wait. You should get a response. The bottom status bar shows your model and token usage.
Test via Telegram
Open Telegram, find your bot, send "hi". It should respond within a few seconds.
What Success Looks Like
When mine finally worked, OpenClaw responded with "Hey Panke! I’m here 👋" and immediately referenced my earlier API errors and asked if I’d gotten some sleep. That’s when I knew the memory and personality were working.
────────────────────────────────────────
Part 7: Essential Configuration After Setup
Access the Dashboard (SSH Tunnel)
OpenClaw has a web dashboard, but it’s only accessible via localhost for security. Never expose port 18789 to the internet. Instead, create an SSH tunnel from your Mac:
ssh -L 18789:127.0.0.1:18789 openclaw@YOUR_SERVER_IPThen open http://127.0.0.1:18789 in your Mac’s browser.
Customize Your SOUL.md
SOUL.md is your bot’s personality file. This is where OpenClaw gets its voice and context. You can edit it in the TUI or Telegram by saying something like:
"Update my SOUL.md: I’m a trader and content creator. I post on X about markets, crypto, and AI. My tone is direct, confident, and slightly informal. I like bullet points and actionable insights. Keep content punchy and optimized for engagement."
Set Up Cron Jobs
Cron jobs make OpenClaw proactive. These are the first two I set up:
You can set these up by asking OpenClaw in chat: "Set up a cron job that sends me a morning briefing every day at 8am CET with market updates and content ideas."
Switch Between Models
To change your model:
nano ~/.openclaw/openclaw.json
# Find the model line and change it to:
# anthropic/claude-opus-4-6 (smartest, most expensive)
# anthropic/claude-sonnet-4-20250514 (cheaper, still good)
# Save: Ctrl+X -> Y -> Enter
openclaw gateway restartYou can check what model is active with:
openclaw models status────────────────────────────────────────
Part 8: Saving Money on API Costs
Opus 4.6 is incredible but expensive. I burned through $8–9 in one evening just doing basic tasks. Here’s what I learned about managing costs:
Understanding the Costs
Opus 4.6 costs roughly $30 per million tokens. Every message you send includes your SOUL.md, system prompts, and full conversation history. A typical exchange costs $0.05–0.15 depending on length.
Multi-Model Routing (The Smart Approach)
Don’t replace Opus — use it less. Keep it for creative writing and important tasks. Use cheap models for routine stuff.
The /new Command is Your Best Friend
Type /new between conversations. It clears session history so each new message sends fewer tokens. On a low tier, this is the single biggest money saver.
────────────────────────────────────────
Part 9: What People Actually Use OpenClaw For
Now that it’s running, here’s what’s actually useful:
Content Creation (What I Use It For)
Trading & Finance
Productivity Automation
Developer Workflows
────────────────────────────────────────
Part 10: Security Checklist
Don’t skip this. An insecure OpenClaw setup with your API key exposed is a liability.
✓
Security Item
Why It Matters
☐
Running on VPS, NOT personal Mac
Isolates agent from your banking/trading data
☐
Non-root user for OpenClaw
Limits damage if compromised
☐
UFW firewall enabled
Blocks unauthorized connections
☐
fail2ban installed
Auto-bans brute-force attempts
☐
Consent mode ON (exec.ask)
Agent asks before running commands
☐
Port 18789 NOT exposed to internet
Dashboard accessible only via SSH tunnel
☐
No untrusted skills installed
7.1% of ClawHub skills contain malware
☐
API key stored properly (not in plain text)
Prevents credential leaks────────────────────────────────────────
My Actual Timeline
For anyone wondering how long this actually takes when things go wrong:
Time (CET)
What Happened
4:00 PM
Started researching OpenClaw. Had never used a terminal before.
5:00 PM
Bought Hetzner VPS. Connected via SSH for the first time.
6:00 PM
Secured server (firewall, fail2ban, non-root user). Installed Node.js.
7:00 PM
Installed OpenClaw. Ran the setup wizard.
7:30 PM
Chose OAuth/setup-token auth (MISTAKE). Set up Telegram bot.
8:00 PM
First test: "hi" → 401 Invalid bearer token. Every message. Panic.
9:00 PM
Created Anthropic API account. Got API key. Added it to OpenClaw.
10:00 PM
First successful response! "Hey Panke! I’m here 👋" — EXCITEMENT.
10:05 PM
429 rate limit errors. Every message after the first 2–3 failed.
11:00 PM
Tried switching to Sonnet. Config commands gave wrong-key errors.
12:00 AM
Discovered two auth profiles fighting. Old broken token kept interfering.
1:00 AM
Manually edited auth-profiles.json. Deleted broken profile.
2:00 AM
Clean config. Opus 4.6 working. Rate limits manageable with /new.
3:00 AM
Set up cron jobs. Analyzed 175 bookmarks. Bot fully operational.
4:00 AM
Wrote this guide so nobody else has to go through what I did.────────────────────────────────────────
Lessons Learned
ALWAYS use API Key authentication. Never use OAuth/setup-token. It’s broken as of February 2026.
Add $10–20 credit to your Anthropic account BEFORE running OpenClaw. Your rate limits on Tier 1 are painfully low.
Start with Sonnet, not Opus. Opus is smarter but eats through your rate limits in 2–3 messages. Switch to Opus once your tier increases.
Don’t spam messages when rate-limited. Every failed attempt counts against your limit and makes it worse.
Use /new between conversations. It clears session history and dramatically reduces token usage.
Lesson 6
When in doubt, do a clean reinstall. rm -rf ~/.openclaw && openclaw onboard --install-daemon is faster than debugging broken JSON config for 3 hours.Lesson 7
Never run OpenClaw on your personal Mac with financial data. Use a VPS. €4.51/month is nothing compared to getting your trading account credentials stolen.────────────────────────────────────────
Quick Glossary for Beginners
Term
What It Means
VPS
Virtual Private Server — a computer in a data center you rent
SSH
Secure Shell — how you connect to your server from Terminal
API Key
A password that lets OpenClaw talk to Claude’s brain
Token
A chunk of text (~4 characters). How API usage is measured.
Rate Limit
Maximum tokens you can send per minute
Tier
Your Anthropic account level. Higher = more tokens allowed.
TUI
Text User Interface — the in-terminal chat with OpenClaw
SOUL.md
Your bot’s personality and instruction file
Cron Job
A scheduled task that runs automatically at set times
Gateway
The OpenClaw service running in the background 24/7
nano
A simple text editor inside the terminal
Ctrl+K
Delete a line in nano
Ctrl+W
Search for text in nano
/new
Start a fresh conversation (keeps memory, clears chat history)────────────────────────────────────────
Was it worth the 12 hours? Absolutely.
I now have a 24/7 AI assistant that knows my voice, analyzes my bookmarks, drafts my content, and sends me morning briefings — all running on a €4.51/month server that I control.
The setup guides online make it look like a 20-minute job. It’s not, especially for beginners. But with this guide, it should be closer to 1–2 hours. Every error I hit is documented here with the exact fix.
Start with Sonnet. Add credit. Use /new. Don’t panic when you see 429 errors. And for the love of God, use an API key — not the OAuth token.
Good luck. 🦞
Written after a 12-hour debugging marathon. February 14, 2026.
If this saved you time, share it. Nobody should have to learn these lessons the hard way.