Skip to content

Trust and security

Know where the boundary is

Self-hosted OpenClowd runs on your machine, and repository data, prompts, transcripts, and session history stay on that machine by default. Safe remote access still requires deliberate host security, HTTPS, and authentication.

Last updated

Remote access

Reachable from anywhere must mean reachable safely. The recommended setup must not expose unauthenticated OpenClowd, terminal, or workspace-preview ports to the public internet.

Access model

The launch product is a single-owner system. Anyone authenticated into the instance should be treated as having access to every workspace, session, transcript, preview, and setting.

Transcripts and secrets

Transcripts are sensitive host-local data and may contain confidential information or secrets. OpenClowd should store as little secret material as possible and rely primarily on host-native Git and agent credentials.