What
By default, ClawHive's API and dashboard are open. Anyone on the network can launch sessions, edit files, run skills, and read agent memory.
Who this is fine for
- Personal homelab behind Tailscale or VPN
- localhost-only use
- Trusted LAN
Who this is NOT fine for
- Public internet exposure
- Shared multi-user environments
- Anywhere untrusted clients can reach the dashboard
Opt-in fix (already shipped)
Set the CLAWHIVE_TOKEN environment variable to require Bearer auth on all write endpoints:
CLAWHIVE_TOKEN=your-secret npx tsx server/index.ts
The dashboard will prompt for the token on first load and store it in localStorage.
Long-term fix
Real OAuth, multi-user accounts with per-agent permissions, audit logging. Not on the immediate roadmap — ClawHive is opinionated about being a single-user tool.