- The Control UI is available at your gateway URL + /ui — authenticate with your gateway token and you're in
- The Agents panel shows real-time status, uptime, and message history for every registered agent
- Register and manage channels from the UI without touching the CLI or restarting the gateway
- The Activity feed streams live events via WebSocket — use it for debugging instead of tailing logs
- For production, restrict the /ui path to trusted IPs in your reverse proxy — the gateway token is the only auth layer
Most OpenClaw builders set up the gateway via CLI, configure their agents, and never look back. They miss the Control UI entirely — a browser-based management dashboard that ships with every OpenClaw gateway install. It's not a separate product. It's not a paid add-on. It's already running. You just need to know where to point your browser.
What Is the OpenClaw Control UI
The Control UI is a web interface built into the OpenClaw gateway. It gives you a visual representation of everything the gateway knows: which agents are registered, which channels are live, what messages are flowing, and what state your shared memory holds. Think of it as a read-write dashboard — you can observe and you can act.
It replaces the need to SSH into your server and run CLI commands for most day-to-day operations. Want to send a test message to an agent? Do it from the UI. Want to check if a channel is actually connected? The status light is right there. Want to see what your agent responded to the last ten messages? The message history panel has it.
As of early 2025, the Control UI covers agent management, channel registration, shared memory inspection, and live activity monitoring. It does not yet cover MCP tool management or advanced routing config — those still require editing gateway.yaml directly.
You don't need to install anything extra. The Control UI ships with every OpenClaw gateway. If you can access your gateway URL, you can access the UI at that URL + /ui. Check that ui.enabled isn't set to false in your gateway.yaml if the page doesn't load.
Accessing the Control UI
Point your browser at your gateway URL followed by /ui. For a local dev setup, that's http://localhost:8080/ui. For a cloud-hosted gateway, it's https://your-domain.com/ui.
The login screen asks for your gateway token — the same secret configured in gateway.yaml under gateway.token. Paste the token, hit Enter, and you're in. The session persists in your browser's local storage until you explicitly log out or clear storage.
If the UI doesn't load, check three things in order. First, confirm ui.enabled: true in gateway.yaml. Second, confirm the gateway process is actually running. Third, check that your reverse proxy (if any) is routing /ui requests to the gateway and not dropping them.
# gateway.yaml — UI configuration
ui:
enabled: true
path: /ui # customize the path if needed
theme: dark # or lightYou can move the UI to a different path — useful if you want to obscure it from casual scanners. Set ui.path: /admin-panel and the UI moves to https://your-domain.com/admin-panel.
Dashboard Overview: What Each Panel Shows
The main dashboard has four regions. Understanding what each does will save you from hunting for information.
| Panel | What It Shows | Actions Available |
|---|---|---|
| Overview | Agent count, channel count, message throughput, error rate | None — read only |
| Agents | Each agent's status, uptime, model, connected channels | Send test message, view history, restart |
| Channels | All registered channels, type, assigned agent, last activity | Register new, edit, remove |
| Activity | Live event stream: messages, tool calls, errors, responses | Filter by agent, channel, or event type |
| Memory | All shared memory keys and current values | Read, write, delete keys |
The Activity feed is the panel most builders underuse. It streams every gateway event via WebSocket in real time. When you're debugging why an agent isn't responding, this is faster than tailing log files. You can filter by agent name, channel ID, or event type (message, tool_call, error, response) to zero in on exactly what's happening.
Agent and Channel Management
The Agents panel is your primary workspace for day-to-day operations. Each agent card shows name, current status (online/offline/degraded), assigned model, uptime, and message count. Click any agent to expand it.
The expanded agent view has three tabs. Status shows live metrics — messages per minute, average response time, error rate. History shows the last 50 message exchanges for that agent, searchable by content. Config shows the agent's current configuration as loaded from its config file — read only, but useful for confirming what actually loaded versus what you expected to load.
The test message box at the bottom of the agent view deserves special attention. Type any message and hit Send. The agent processes it exactly as it would a real user message. The response appears inline within seconds. This is the fastest way to verify agent behavior after a config change without setting up a full channel connection.
Every time you update soul.md or gateway config, send a test message from the UI before announcing the change to users. You'll catch broken personalities, misconfigured tools, and model errors in 10 seconds rather than discovering them from user complaints.
Channel registration via the UI works for all supported channel types. Click Register in the Channels panel. Select the channel type from the dropdown. Fill in the required credentials — bot token for Telegram, app credentials for Slack, webhook URL for custom integrations. Assign the target agent. Hit Save. The channel goes live without a gateway restart.
Sound familiar? If you've been registering channels by editing gateway.yaml and restarting, that workflow still works — but the UI is faster and less error-prone for most operations.
Security Configuration for the Control UI
The Control UI has one authentication layer: your gateway token. Anyone who knows the token and can reach the /ui path has full administrative access. That's a significant privilege on a production system.
Three security measures to implement before you expose your gateway to the internet.
- Use a strong gateway token. Generate it with
openssl rand -hex 32. Never use the default example tokens from tutorials or documentation. - Restrict /ui to trusted IPs at the reverse proxy level. In nginx, use a location block with
allowanddeny all. In Caddy, use theremote_ipmatcher. The gateway itself doesn't offer IP allowlisting — that lives in your proxy config. - Put the UI behind VPN for team deployments. If multiple people need UI access, a WireGuard or Tailscale VPN gives you access control without credential sharing.
The gateway token is the only thing standing between an attacker and full control of your agent system. A publicly accessible /ui path is a brute-force target. At minimum, move it to a non-standard path and restrict by IP.
For teams managing multiple gateways, consider setting up a separate reverse proxy entry for each gateway's UI under a single domain — for example, gateway1-ui.internal.yourco.com — with mTLS client certificates for authentication. That gives you audit logging and eliminates shared token exposure.
Common Mistakes With the Control UI
- Leaving the UI on the default path in production.
/uiis the first thing scanners check after finding an open port. Move it to a custom path and save yourself the noise. - Using the UI to make config changes you forget to persist. Channel registrations made via UI write to the gateway's running state. They also update the config file. But if you manually edit gateway.yaml afterward without checking for UI-added entries, you'll create duplicates.
- Not using the Activity feed during debugging. Builders spend 30 minutes tailing logs when the Activity feed would surface the exact error in 10 seconds. Make it your first stop when something isn't working.
- Sharing the gateway token instead of the UI URL. If you're giving a colleague access, give them the token — but do it via a proper secret manager, not Slack or email. Rotate the token after any team member departure.
- Assuming UI changes survive a full gateway config replace. If you redeploy the gateway from a config file in source control, any channels registered only via UI will be missing unless the UI-updated config file was also committed.
Frequently Asked Questions
How do I access the OpenClaw Control UI?
Navigate to your gateway URL followed by /ui — for example http://localhost:8080/ui for a local setup. You'll be prompted for your gateway token. Once authenticated, the full Control UI dashboard loads in your browser.
Is the OpenClaw Control UI enabled by default?
The Control UI is enabled by default on fresh installs. It can be disabled in gateway.yaml by setting ui.enabled: false. On production gateways exposed to the internet, restrict access by IP or place the /ui path behind your reverse proxy's auth layer.
Can I manage multiple agents from the Control UI?
Yes. The Agents panel shows every registered agent with status, uptime, and recent activity. Click any agent to view its channel connections, memory state, and message history. You can send test messages to any agent directly from the UI.
How do I secure the Control UI on a production server?
Set a strong gateway token in gateway.yaml — this is the only authentication layer. For production, restrict the /ui path to trusted IPs in your reverse proxy config. Avoid exposing the Control UI on a public URL without IP allowlisting or VPN gating.
Can I use the Control UI to register new channels?
Yes. The Channels panel has a Register button that walks you through adding Telegram, WhatsApp, Slack, or custom webhook channels. Fill in the required tokens, assign the target agent, and the channel is live without restarting the gateway.
Does the Control UI show real-time agent activity?
Yes. The Activity feed updates in near-realtime via WebSocket. You see incoming messages, agent responses, tool calls, and errors as they happen. Use this to debug agent behavior without tailing log files manually.
A. Larsen has deployed OpenClaw gateways for production systems handling thousands of daily agent interactions. Specializes in gateway security hardening, reverse proxy configuration, and multi-tenant agent deployments. Has connected OpenClaw to enterprise environments across SaaS, fintech, and healthcare.