Inspired by open-source projects and built on the shoulders of giants, I put this together after plenty of tinkering. Some code is derived from the open-source community, now shared back. If you find it useful, a star would mean a lot. Issues and feedback are welcome.
Upgrade OpenClaw's single-user agents into a multi-tenant agent platform with a unified entry, user isolation, shared instances, dynamic sandboxes, and security governance. Built for small teams to spin up an internal agent platform quickly.
AgentClaw provides multi-user agent runtime and governance. Each user runs their own agent sessions and workflows inside an isolated Docker sandbox.
Built on OpenClaw with a multi-tenant architecture — shared OpenClaw instances plus dynamic agent sandboxes for tenant isolation.
- 🧩 Multi-User Agent Platform - Unified entry for small teams, user isolation, agent lifecycle management
- 🐳 Strict Sandbox Isolation - Per-user Docker containers with preinstalled Python/Node/toolchains
- 🌐 Network Access - API calls, package installs, web crawling supported
- 🔒 Security Governance - Automated security checks and least-privilege capabilities
- 📦 Asset Reuse - Skills/workflows/tools can be reused and shared across the platform
- 🧩 Composable Agents - Customize agents for yourself or your team, and freely combine reusable skill packs
- 🔌 Zero-Intrusion Integration - No OpenClaw source modifications; multi-user via Bridge layer
Try it now: https://agent.428916.xyz
| Role | Username | Password |
|---|---|---|
| Admin | admin | 123456 |
| User | user | 123456 |
Note: Demo branch limits to 3 users (1 admin + 2 regular users). Source code
- Docker & Docker Compose
- At least one LLM API key (Anthropic/OpenAI/DashScope, etc.)
cp .env.example .env
# edit .env and add LLM API keys# optional: environment check
python prepare.py
# build (if needed) and start services
# first run (or when Dockerfile/source changed)
docker compose up -d --build
# if images are already built
docker compose up -dVisit http://127.0.0.1:3080
- AgentClaw is based on the official OpenClaw packages and does not require any OpenClaw source modifications.
- You can deploy directly with Docker Compose;
--buildensures images are rebuilt when Dockerfiles or source change. prepare.pyhelps validate Docker and.envbefore starting.- User files are persisted on the host (for example
~/.openclawand Docker volumes). Removing those will delete data. - Default OpenClaw version is 2026.3.8 (build arg
OPENCLAW_VERSION). To change it, setOPENCLAW_VERSIONin.envand rerundocker compose up -d --build.
Note: The first registered user becomes admin by default.
AgentClaw uses a multi-tenant architecture on top of OpenClaw: shared OpenClaw instances + dynamic agent sandboxes:
┌─────────────────────────────────────────────────────────────────┐
│ User Browser │
│ Frontend (React + Vite) │
└───────────────────────────┬─────────────────────────────────────┘
│ HTTP / WebSocket
┌───────────────────────────▼─────────────────────────────────────┐
│ Platform Gateway │
│ FastAPI + PostgreSQL │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────────┐ │
│ │ JWT Auth │ │ LLM Proxy │ │ Shared Instance Manager │ │
│ └─────────────┘ └─────────────┘ └─────────────────────────┘ │
└───────────────────────────┬─────────────────────────────────────┘
│
┌───────────────────────────▼─────────────────────────────────────┐
│ OpenClaw Shared Instance │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Bridge (HTTP API) ◄──► OpenClaw Gateway (Agent Engine)│ │
│ └─────────────────────────────────────────────────────────┘ │
│ │ │
│ ┌────────────────────┼────────────────────┐ │
│ │ │ │ │
│ ┌────▼────┐ ┌────▼────┐ ┌────▼────┐ │
│ │ Sandbox │ │ Sandbox │ │ Sandbox │ │
│ │ User A │ │ User B │ │ main │ │
│ └─────────┘ └─────────┘ └─────────┘ │
└─────────────────────────────────────────────────────────────────┘
AgentClaw does not modify OpenClaw source. Multi-tenancy is achieved through a Bridge adapter layer:
OpenClaw (upstream)
│
│ Native WebSocket / RPC
│
▼
Bridge (adapter) ───► HTTP API + multi-tenant routing
│
│ Config injection
│
▼
Platform Gateway (auth/proxy)
Bridge responsibilities:
- Convert OpenClaw WebSocket RPC to REST APIs
- Inject multi-tenant config (
X-Agent-Idrouting) - Manage per-agent workspace directories
- Forward LLM requests to the Platform Gateway
This lets AgentClaw track upstream OpenClaw updates without maintaining a fork.
OpenClaw supports multiple agents natively. AgentClaw uses that to achieve tenant isolation:
| Concept | Description |
|---|---|
| Agent ID | Unique user identifier (e.g. 08f95579-5ad0-48f6-a945-1233309a4fc0) |
| Workspace | Per-agent directory ~/.openclaw/workspace-{agentId}/ |
| Sandbox | Docker container created on demand; destroyed after execution |
| Session | Routed as agent:{agentId}:{sessionKey} |
Default sandbox image config:
{
"sandbox": {
"mode": "all", // all sessions use sandbox
"scope": "agent", // per-agent sandbox
"workspaceAccess": "rw", // read/write workspace
"docker": {
"image": "openclaw-sandbox:agentclaw",
"readOnlyRoot": false,
"network": "bridge",
"user": "0:0",
"memory": "2g",
"cpus": 2,
"pidsLimit": 256,
"capDrop": ["ALL"]
}
}
}skills/
└── my-skill/
├── SKILL.md # description, triggers, usage
├── scripts/
│ └── main.py # executable script
└── references/ # references
Agent executes scripts inside the sandbox:
# install deps
apt-get update && apt-get install -y some-package
pip install requests
# run test
timeout 30 python3 scripts/main.pyCreating/updating a skill triggers automated security checks.
- Submit to the curated skill library
- Other users can install into any agent with one click
.
├── bridge/ # Bridge adapter
│ ├── config.ts # OpenClaw multi-tenant config generation
│ ├── server.ts # HTTP API + WebSocket relay
│ └── routes/ # Agents, Skills, Files APIs
│
├── platform/ # Platform gateway (Python FastAPI)
│ ├── auth.py # JWT auth + agent lifecycle
│ ├── proxy.py # Route requests to shared instance
│ └── shared_manager.py # Shared OpenClaw instance manager
│
├── frontend/ # Web frontend (React + Vite)
│ └── pages/ # Chat, Agents, Skills, FileManager
│
├── sandbox/ # Sandbox image Dockerfile
│ └── Dockerfile # Multi-user agent execution environment
│
└── docker-compose.yml # Multi-service composition
| Layer | Measure |
|---|---|
| API Key Isolation | All LLM API keys live only in Gateway env vars |
| Sandbox Execution | Code runs in Docker with resource limits, no escape |
| File Isolation | Per-user workspace; cross-user access blocked |
| Network Isolation | Outbound allowed; inbound blocked |
| Capability Limits | capDrop: ALL, optional read-only root |
AgentClaw architecture highlights:
- Zero-Intrusion Integration - No OpenClaw source changes; Bridge adapter only
- Shared Instance - Single OpenClaw Gateway serving multiple users efficiently
- Dynamic Sandbox - On-demand Docker environments
- Security Isolation - JWT auth, API key proxying, filesystem isolation
This architecture can be adapted to other agent engines for internal agent platforms or multi-tenant AI platforms.
- WeChat:
wdyt1008521 - Email:
wuding129@163.com
MIT
This project is inspired by and derived from:
- OpenClaw - Copyright (c) OpenDILab
- nanobot - Copyright (c) HKUDS
- MultiUserClaw - Copyright (c) johnson7788