OpenClaw Deployment Checklist: Production-Ready in 14 Steps

Don't Go Live Without This Checklist

Deploying OpenClaw to production is more than running npm start. This checklist covers every critical step — skip any one of them and you risk downtime, security vulnerabilities, or unreliable AI responses. We use this exact checklist for every deployment we manage.

Infrastructure (Steps 1-4)

1. Server Properly Sized

• Minimum: 2GB RAM, 1 vCPU, 20GB SSD for single-channel deployment
• Recommended: 4GB RAM, 2 vCPU, 40GB SSD for multi-channel with automation
• Heavy usage: 8GB RAM, 4 vCPU for browser automation and local AI models
• Verify available disk space is sufficient for logs and database growth

2. SSL Certificate Active

• Let's Encrypt certificate installed and auto-renewing via Certbot
• All webhook endpoints accessible over HTTPS only
• HTTP redirects to HTTPS configured in reverse proxy

3. Domain/Subdomain Configured

• DNS A record pointing to server IP
• TTL set appropriately (300-3600 seconds)
• Subdomain recommended (e.g., ai.yourdomain.com) to isolate from main website

4. Firewall Locked Down

• UFW or iptables active with default deny incoming
• Only ports 443 (HTTPS) and custom SSH port allowed
• OpenClaw gateway port NOT exposed directly — reverse proxy only

Application Configuration (Steps 5-8)

5. Environment Variables Secured

• All API keys in .env file (never in source code)
• .env file has restricted permissions (chmod 600)
• .gitignore includes .env
• All required variables are set (no empty placeholders)

6. AI Model Connection Verified

• Primary AI provider connected and responding to test prompts
• Response quality verified (test with real customer questions)
• Response latency acceptable (<5 seconds for most queries)
• Token limits configured per channel (WhatsApp: 4096 chars, Discord: 2000 chars)
• Failover model configured (if primary provider is unavailable)

7. System Prompt Finalized

• Brand voice and personality defined
• Knowledge boundaries set (what the AI should/shouldn't discuss)
• Escalation triggers configured (when to offer a human agent)
• Response format defined per channel
• Tested with 20+ real customer questions and verified accuracy

8. Rate Limiting Configured

• Per-user message rate limits set (10-20 messages/minute)
• Global rate limits for API calls to prevent cost runaway
• Graceful rate limit responses ("Please wait a moment...")

Integration Testing (Steps 9-11)

9. Channel Integrations Verified

• Each connected platform tested with real messages (not just API tests)
• Message delivery confirmed (sent AND received on both ends)
• Media handling tested (images, voice notes, documents per platform)
• Response formatting verified per platform
• Group chat behavior tested (if enabled)

10. Webhook Endpoints Tested

• All webhook URLs accessible from the internet
• Webhook signatures verified (platform-specific validation)
• Error responses return appropriate HTTP status codes
• Webhook retry behavior understood for each platform

11. Error Handling Validated

• AI provider timeout → graceful error message to user ("I'm having trouble right now, let me try again...")
• Invalid user input → helpful guidance, not cryptic errors
• Rate limit exceeded → friendly message with retry indication
• Channel-specific errors handled (e.g., WhatsApp session expiry)

Operations & Monitoring (Steps 12-14)

12. Process Management Active

• PM2 or systemd configured for auto-restart on crash
• Auto-start on server reboot verified (reboot and check)
• Log rotation configured to prevent disk space exhaustion
• Memory limits set to prevent OOM kills

13. Monitoring Configured

• Uptime monitoring (UptimeRobot, BetterUptime) checking health endpoint
• Alert notifications configured (email, Slack, or SMS)
• Resource usage monitoring (CPU, RAM, disk)
• AI provider status page bookmarked (for diagnosing third-party outages)

14. Backup Strategy Active

• Automated daily database backups
• Configuration backup (including .env and system prompt)
• Backups stored off-server (different provider or local download)
• Restore procedure tested at least once (you have a backup, but can you restore it?)

Go-Live Verification

After all 14 steps pass, run a full end-to-end test:

1. Send a message on each connected channel
2. Verify AI response quality and timing
3. Test escalation flow (ask for a human agent)
4. Check server logs for errors
5. Verify monitoring alerts fire correctly (trigger a test alert)
6. Confirm backups ran successfully in the last 24 hours

If all checks pass — you're production-ready.