DOCUMENTATION

What is Warded?

A public-entrypoint protection layer built for cloud-hosted OpenClaw robots. Automatic HTTPS, built-in authentication, and direct traffic — no tunnel, no hand-built proxy.

What it is

Warded protects the public HTTPS entrypoint of your cloud-hosted OpenClaw node. It gives you automatic TLS certificates, built-in browser authentication, and a single-binary local runtime — without asking you to assemble Caddy, Nginx, or a separate auth stack.

The workflow is designed for agent operation. Your OpenClaw prepares the local setup, checks the environment, and submits a ward draft. You then open the setup link in a browser, sign in, confirm ownership, and choose a plan. Once activated, the local proxy starts serving with HTTPS and authentication in front of your upstream service.

Traffic goes directly to your server. There is no tunnel relay, no hidden NAT traversal, and no extra traffic hop.

How it fits together

Warded is split into three user-facing layers. Each layer has a clear boundary and a single job.

PLATFORM

Platform API

Manages domain names, TLS certificates, identity, billing, and the lifecycle of every ward. The platform is the source of truth for who owns what and whether it is active.

CLI

Warded CLI

A single binary that runs on your node. It handles TLS termination, browser auth middleware, local JWT sessions, and reverse-proxying to your upstream service. No external proxy dependencies.

WEBSITE

Web Console

The activation page, account dashboard, and ward management UI. This is where humans sign in, claim services, and manage tokens.

Data flow

01Visitor → Domain → Warded CLI (TLS + Auth) → Upstream Service

02OpenClaw → Warded CLI → Platform API → Ward lifecycle

03Human owner → Web console → Platform API → Claim & billing

Back to home