OpenClaw on Cloudflare Workers: AI Gateway

OpenClaw AI Gateway on Cloudflare Workers

OpenClaw is a personal AI assistant platform with a gateway architecture that connects to multiple chat interfaces. This project packages OpenClaw to run as a containerized service on Cloudflare Workers, providing a fully managed, always-on deployment without traditional self-hosting infrastructure. It combines Cloudflare's serverless container sandbox with enterprise-grade authentication, persistent storage, and an intuitive admin dashboard for device management.

Core Features

• Web Control UI — Browser-based chat interface with token-based authentication for secure gateway access
• Multi-Channel Support — Connect via Telegram, Discord, Slack, or the native web interface
• Device Pairing — Secure device authentication with explicit approval workflow for remote access
• Persistent Conversations — Chat history and context maintained across sessions with optional R2 storage integration
• Cloudflare Access Integration — Enterprise-grade authentication protecting admin interfaces with JWT validation
• Agent Runtime — Extensible AI capabilities with workspace management and customizable skills
• Browser Rendering — Integrated Cloudflare Browser service for web navigation tasks
• Cost Optimization — Configurable idle sleep timers (SANDBOX_SLEEP_AFTER) to reduce memory billing when inactive

Architecture & Deployment Model

This implementation leverages Cloudflare Containers, running a standard-1 instance (0.5 vCPU, 4 GB RAM, 8 GB disk) within a Workers Paid account. The container provides a true sandbox environment for executing OpenClaw's multi-channel gateway, avoiding the limitations of Workers' native compute constraints while maintaining Cloudflare's global edge network benefits.

For data persistence, optional R2 storage enables conversation history and device pairing data to survive container restarts. The gateway exposes a simple HTTP API for integrations and exposes the control UI at the root path, protected by a bearer token (OPENCLAW_GATEWAY_TOKEN) for remote access.

Cost Structure & Pricing

Approximate monthly costs for 24/7 operation at ~10% CPU utilization:

• Workers Paid plan: $5/month (required for Containers)
• Container compute (memory, CPU, disk): ~$29.50/month
• Optional R2 storage: $0.015 per GB stored (minimal for conversation metadata)
• Optional Cloudflare AI Gateway: varies by request volume (unified billing available)
• Total baseline: ~$34.50/month

By configuring idle sleep (e.g., 10-minute timeout), part-time deployments running 4 hours/day reduce compute costs to ~$5–6/month plus the plan fee. Network egress is billed separately but typically negligible for personal use. See the Cloudflare Containers pricing guide for alternative instance types (lite at 256 MB/$0.50/month or standard-4 at 12 GB for heavier workloads).

Getting Started

Prerequisites: Node.js/Bun, a Cloudflare account with Workers Paid plan, and an Anthropic API key (or Cloudflare AI Gateway credentials).

Basic Setup:

1. Install dependencies: npm install
2. Set API credentials: npx wrangler secret put ANTHROPIC_API_KEY (or configure Cloudflare AI Gateway)
3. Generate and store a gateway token: openssl rand -hex 32, then npx wrangler secret put OPENCLAW_GATEWAY_TOKEN
4. Deploy: npm run deploy
5. Access the Control UI at https://your-worker.workers.dev/?token=YOUR_GATEWAY_TOKEN

Important: The first request may take 1–2 minutes while the container initializes. Before using the admin UI at /_admin/, you must enable Cloudflare Access and configure JWT validation secrets (CF_ACCESS_TEAM_DOMAIN and CF_ACCESS_AUD). Then pair your first device via the admin interface to begin remote access.

Authentication & Security

The project provides two authentication layers: gateway-level token protection for the main Control UI (bearer token in query parameter) and admin UI protection via Cloudflare Access with JWT validation. This supports both simple deployments (single token) and enterprise scenarios (directory-based identity providers including Google, GitHub, Okta, etc.).

Device pairing requires explicit approval from the admin dashboard, preventing unauthorized remote connections. All secrets (API keys, tokens, Access credentials) are stored as encrypted Cloudflare Worker secrets and never exposed in configuration files.

Who This Is For

• AI-First Developers — Build and deploy personal AI assistants with minimal infrastructure overhead
• Cloudflare Customers — Leverage existing Workers accounts and edge infrastructure for AI workloads
• Multi-Channel Teams — Maintain a single AI backend serving Telegram, Discord, Slack, and web simultaneously
• Cost-Conscious Builders — Run persistent services at predictable, low monthly cost without VPS or container registry management
• Enterprise Users — Integrate Cloudflare Access for identity-provider authentication and audit logging

Note: This is a proof-of-concept demonstrating feasibility of OpenClaw on Cloudflare Sandboxes. It is not officially supported by Tedix or Cloudflare and may break without notice. Use at your own risk in production environments.

Key Documentation

• AGENTS.md — Deep dive into agent runtime architecture, state ownership, and when to add D1 persistence
• PRD.md — Product requirements, design decisions, and roadmap context
• CONTRIBUTING.md — Development setup, testing, and contribution guidelines
• GitHub Repository — Full source code, issue tracking, and release notes

Source: tedix-hq/tedix-claw on GitHub. Licensed under Apache-2.0.