The OpenClaw dashboard (Control UI): what it is and how to open it
OpenClaw ships a web dashboard for chatting with and managing your agent. Where it lives, how sign-in works, and how to reach it safely from anywhere.
The dashboard — OpenClaw calls it the Control UI — is the web interface to your agent: chat, sessions, skills, scheduled jobs, and settings in one place. openclaw dashboard opens it; by default it’s served by the Gateway at http://127.0.0.1:18789/ on the machine the agent runs on, reachable only from that machine — which is the safe default doing its job.
What’s actually in it
The Control UI is a window onto the Gateway — not a separate system. In current builds (the UI got a substantial overhaul in the 2026.7 line) you get:
- Chat — a full conversation surface with your agent, useful even if you do your daily talking in Telegram or WhatsApp.
- Sessions — the running contexts of your conversations, inspectable per channel and sender.
- Skills — what your agent can do, and what each skill still needs (keys, dependencies) before it works.
- Cron / scheduled jobs — the standing work your agent does without being asked.
- Overview and settings — status, model config, channels, and how the Gateway is being reached (it will tell you, for instance, when you’re authenticated via a trusted proxy).
Opening it, and how sign-in works
On the machine running OpenClaw: openclaw dashboard opens your browser at the Gateway’s address — http://127.0.0.1:18789/ by default. What happens next depends on your setup:
- Token sign-in. Setups like the official Docker flow generate a Gateway token (written to
.env) that you paste on first visit. - Device pairing. New browsers may need a one-time device approval (
openclaw devices approve) before they get full access — an intentional second gate, so a leaked URL alone doesn’t equal control of your agent.
Reaching it when you’re not at the machine
Here’s where every OpenClaw operator eventually lands: the dashboard lives on loopback, your agent lives on a server, and you want the dashboard on your phone. The wrong answer is binding the Gateway to a public interface — that’s the one mistake with no safe version. The right answers, in rising order of polish: do your daily talking through chat channels (they need no exposed ports at all), use an SSH tunnel when you administer the box anyway, or put an identity-checking proxy in front of the private Gateway so you sign in with your own identity from anywhere. That last pattern is what an Everpod pod gives you out of the box: your agent’s native dashboard, on any device, behind your email sign-in, with no Gateway port on the internet.