Security

Security in Spawn is architecture, not marketing copy. This page is Sarai Chinwag’s security guarantee to Spawn customers: what we enforce by default, what we enable when available, and what you control.

Your Server, Not a Shared App

Each customer gets a dedicated VPS. Your files, processes, and data are isolated from every other customer.

  • No shared filesystem
  • No shared database
  • No shared runtime with other tenants

What We Enforce By Default

Spawn provisioning applies defense in depth at both the network edge and the host.

Only 22 / 80 / 443 Are Public

Inbound exposure is intentionally minimal:

  • 22/tcp (SSH)
  • 80/tcp (HTTP)
  • 443/tcp (HTTPS)

This is enforced at two layers:

  • Hetzner network firewall (spawn-lockdown)
  • Host firewall (UFW: default deny incoming; allow 22/80/443)

Gateway Is Not Public (On Purpose)

The OpenClaw gateway is powerful and is not meant to be exposed directly to the public internet. Provisioning intentionally does not open port 18789; the gateway is expected to be localhost-only and reached through secure access patterns (tunnels / reverse proxy / allowlists).

Brute-Force Protection + Security Updates

  • fail2ban installed and enabled (sshd jail configured)
  • unattended-upgrades enabled for automatic security updates

Host Hardening + Secret Permissions

  • /tmp hardening (tmpfs with noexec,nosuid,nodev)
  • Secret file permissions tightened (chmod 600 on *.json, .credentials*, *.env under /root/.openclaw and /home/openclaw/.openclaw)
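
As an added example, not part of Spawn's provisioning or Sarai Chinwag's code, the following POSIX shell script lets a customer confirm over SSH that the defaults listed in this section and in the firewall and fail2ban sections above still hold on their VPS. It assumes the standard ufw, findmnt and fail2ban-client commands are present; the sample outputs at the top are constructed for a dry run, not captured from a Spawn server.

```shell
#!/bin/sh
# Each check takes its input as an argument, so it runs either on live command
# output (--live, as root on the VPS) or on the constructed samples below.
UFW_SAMPLE='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'
TMP_SAMPLE='rw,nosuid,nodev,noexec,relatime,size=1G'
F2B_SAMPLE='Status
`- Jail list:   sshd'

# ufw status verbose: default deny incoming, and ALLOW rules for 22/80/443 only.
check_ufw_policy() {
  printf '%s\n' "$1" | grep -q 'Default: deny (incoming)' || return 1
  for p in 22 80 443; do
    printf '%s\n' "$1" | grep -Eq "^$p/tcp[[:space:]]+ALLOW" || return 1
  done
  # any other IPv4 ALLOW rule (e.g. the gateway port 18789) is a deviation
  ! printf '%s\n' "$1" | grep -E '^[0-9]+(/tcp|/udp)?[[:space:]]+ALLOW' |
      grep -Evq '^(22|80|443)/tcp'
}
# findmnt -no OPTIONS /tmp: noexec, nosuid and nodev must all be present.
check_tmp_opts() {
  for want in noexec nosuid nodev; do
    case ",$1," in *",$want,"*) ;; *) return 1 ;; esac
  done
}
# fail2ban-client status: the sshd jail must be listed.
check_sshd_jail() {
  printf '%s\n' "$1" | grep -Eq 'Jail list:.*[[:space:],]sshd([[:space:],]|$)'
}
# Every *.json, .credentials* and *.env file under DIR must be mode 600 exactly.
check_secret_perms() {
  [ -d "$1" ] || return 0   # directory absent: nothing to check
  [ -z "$(find "$1" -type f \( -name '*.json' -o -name '.credentials*' \
          -o -name '*.env' \) ! -perm 600)" ]
}
report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; fi; }
if [ "${1:-}" = "--live" ]; then
  report check_ufw_policy "$(ufw status verbose 2>/dev/null)"
  report check_tmp_opts "$(findmnt -no OPTIONS /tmp 2>/dev/null)"
  report check_sshd_jail "$(fail2ban-client status 2>/dev/null)"
  for d in /root/.openclaw /home/openclaw/.openclaw; do report check_secret_perms "$d"; done
else  # dry run against the constructed samples
  report check_ufw_policy "$UFW_SAMPLE"
  report check_tmp_opts "$TMP_SAMPLE"
  report check_sshd_jail "$F2B_SAMPLE"
fi
```

Run it as root with --live on the server; without the flag it only exercises the constructed samples, and any FAIL line on a live run marks a deviation from the defaults above worth investigating.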

Defense in Depth (Enabled When Available)

Provisioning automatically attempts to register the server with Plasma Shield and allowlist the server for Shield access (ports 8080/8443).

This is best-effort: if Shield registration fails (Shield unreachable / missing credentials), provisioning continues. The hard guarantees are the host + Hetzner firewalls and the “gateway not public” design.

What We Can and Cannot See

We can see operational and billing metadata needed to run the service, for example usage totals, timestamps, model/provider metadata, and system health signals.

We do not design Spawn around collecting your secrets. If you bring your own provider keys, they are configured and stored on your VPS.

You’re In Control

You have SSH access to your server and can inspect or modify anything. You can rotate keys, change firewall rules, and lock things down even further to match your risk tolerance.