SokkoSokko
← Back to blog

Managed vs Self-Hosting OpenClaw: Cost, Security, Uptime

Sokko Team9 min read

Managed vs self hosting OpenClaw: the short answer

The managed vs self hosting OpenClaw question usually gets answered with a gut feeling, and the gut is often wrong. Here is the honest framing before any numbers: self-hosting looks cheaper because the only line item is the server, while a managed runtime looks expensive because the bill names a price for the work you were already doing by hand. Most teams undercount that hidden work by a factor of three.

OpenClaw is a real open-source gateway assistant — one always-on agent you reach across chat channels like WhatsApp, Telegram, Slack, and Discord, backed by 1,000+ community skills and full tool-use. The repository is at https://github.com/openclaw/openclaw, the container ships as ghcr.io/openclaw/openclaw, and the CLI binary is openclaw. None of it is tied to a vendor. You can run the same image on a spare laptop, a $4/month Hetzner box, or a twelve-node cluster, and the agent behaves identically. What changes between those setups is everything wrapped around the process: certificates, secrets, restarts, upgrades, and who gets paged when it falls over.

Here is the trade-off in one view.

FactorSelf-host on a VPSManaged runtime
Cost$4 to $20/month for the box, plus your time$20 to $80+/month, time included
SecurityYou own patching, TLS, secrets, egressProvider ships a private authenticated endpoint, secrets, RBAC by default
UptimeYou are the on-call engineerRestarts and health checks are automatic
EffortOngoing: image pins, memory plugin, certsNear zero after the first launch

The rest of this article puts real dollars and real commands behind each row. If you have not yet decided whether a server is even the right home for your agent, start with where to run your agents and come back.

What self-hosting OpenClaw actually costs

The server is the easy part. A single always-on OpenClaw assistant handling chat channels and skills wants roughly 2 vCPU and 4 GB of RAM once you account for the agent, its tool subprocesses, and the files it keeps in /workspace. On Hetzner Cloud (https://www.hetzner.com/cloud) a CX22 at about $4 to $6/month covers that comfortably. A DigitalOcean equivalent runs around $12/month for 2 GB. Call the raw compute $5 to $12/month and move on, because that is not where the money goes.

Here is a realistic self-host launch:

# Pull a pinned version. Never run :latest in production.
docker pull ghcr.io/openclaw/openclaw:v0.9.4

docker run -d \
  --name openclaw \
  --restart unless-stopped \
  -v /srv/openclaw/workspace:/workspace \
  -v /srv/openclaw/config:/config \
  -e ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY" \
  -e OPENCLAW_MEMORY_BACKEND=sqlite \
  -e OPENCLAW_MEMORY_PATH=/workspace/.memory.db \
  -p 127.0.0.1:8080:8080 \
  ghcr.io/openclaw/openclaw:v0.9.4

That command works. Keeping it working is the actual job. The recurring chores look like this:

  • Pinning and updating the image. You pinned v0.9.4 above, which is correct. But OpenClaw ships fixes on a regular cadence, and running a four-month-old agent image means missing tool-safety patches. Someone has to watch releases, test the bump on a staging box, and roll it forward. Budget an hour a month, more when a release renames a config key.

  • Wiring the memory plugin. OpenClaw's persistent memory does not configure itself. You pick a backend (SQLite on the volume for a single instance, Postgres if you want memory shared across several), mount it, and make sure it survives a container recreate. Get the mount path wrong and the agent forgets everything on the next restart.

  • TLS and exposure. The docker run above binds to 127.0.0.1 on purpose, because publishing OpenClaw's terminal on an open port with no certificate is how you hand a stranger a root shell. To reach it safely from anywhere else you add a reverse proxy with a real certificate.

# /etc/caddy/Caddyfile: terminate TLS in front of the agent
agent.example.com {
    reverse_proxy 127.0.0.1:8080
    # Caddy fetches and renews a Let's Encrypt cert automatically,
    # but you still own the DNS record, the firewall, and renewals if it breaks.
}
  • Secrets. That ANTHROPIC_API_KEY is sitting in your shell history and probably in a plaintext .env file on the box. Rotating it, restricting who can read it, and keeping it out of logs is all manual.

  • Backups. The /workspace volume holds real work: scratch files, saved output, the memory database. If the droplet dies, so does the volume unless you snapshot it on a schedule.

Add it up. The compute is $5 to $12. The labor, at even a modest $60/hour and three to five hours a month across all of these chores, is $180 to $300 of real cost that never appears on the Hetzner invoice. That gap is the whole argument.

For a full step-by-step of the DIY path, we wrote host an AI agent on a server, which walks the Docker and systemd side end to end.

Security: who holds the keys

Self-hosting means you are the security team. That is a fine arrangement when you have one and a liability when you do not. The concrete attack surface for an OpenClaw box is short but sharp:

  • The agent terminal. An autonomous agent with shell access is a powerful thing to leave reachable. mTLS or a private network is not a nice-to-have here.

  • Egress. OpenClaw makes outbound calls, and it can run code it wrote itself. With no firewall rules that code can reach anything on the internet, which is exactly the moment you want a deny-by-default policy.

  • Secrets at rest. API keys, GitHub tokens, and cloud credentials all live somewhere on the host.

  • The audit trail. When something goes sideways, can you answer "what did the agent do, and when"? On a bare VPS the honest answer is often "grep the logs and hope."

On a hand-rolled server every one of those is your responsibility, forever. A managed runtime ships them as defaults instead. Sokko, for instance, keeps the OpenClaw terminal private by default: every agent is reachable only by you and the people you invite, never open to the public internet. Egress is deny-by-default with self-serve allow rules in a Networking tab. Your API keys are kept in secure storage and injected per instance rather than pasted into a shell. Every action lands in an audit log, and access is gated by three roles: owner, admin, and dev. You can build all of that yourself. The real question is whether you want to own the upkeep of it after you build it.

It is worth being blunt about the flip side. A managed provider does see that your workload exists, and your data transits their control plane. If that is a dealbreaker, self-hosting is not a compromise, it is the requirement. More on that below.

Uptime and the 3am restart

Uptime is where self-hosting quietly costs the most, and it is the row people discount the hardest. A single VPS is a single point of failure. When the process crashes, --restart unless-stopped brings the container back, which is great. It does nothing when the kernel panics, the disk fills, the host reboots for maintenance, or the OOM killer decides your agent is the fattest target.

The realistic self-host uptime story:

  1. --restart handles a clean process crash. Good.

  2. Host reboots need the Docker daemon enabled on boot and the container set to restart. Usually fine, occasionally not, and you find out the hard way.

  3. Disk-full, OOM kills, and network partitions need monitoring that you install and then actually watch.

  4. Nobody pages you when it dies. You learn the agent stopped when your messages sit unanswered and the morning digest it usually sends never arrives.

That last point is the one that bites. When an agent is halfway through a long task and the box drops, you get a half-finished job, a stale memory database, and no notification. A managed runtime treats a dead instance as a routine event: it notices the failure, restarts the agent, re-attaches its storage, and the agent picks up with its files intact. You did not wake up, and the work continues. For the mechanics of that first managed launch, see deploying your first agent.

None of this makes self-hosting fragile by nature. Plenty of people run a single agent on a single box for a year with no drama. It makes self-hosting a thing you have to babysit, and babysitting is a cost even when nothing breaks.

When self-hosting still wins

Managed is not the answer to every version of this question, and pretending otherwise would be dishonest. The managed vs self hosting OpenClaw call flips hard in a few situations, and self-hosting is the right choice in every one of them:

  • Full data control. If a contract, a regulator, or an internal policy says no third party may ever touch the workload or its data, a managed SaaS is off the table. Run it yourself.

  • Air-gapped or on-prem networks. If the agent has to operate with no path to the public internet, a hosted control plane is a non-starter by definition. Self-hosting is not a preference here, it is the only option.

  • Deep customization. If you are running a patched fork of OpenClaw, a custom kernel, or unusual hardware, you want the whole stack under your hands.

  • True hobby scale. One agent, occasional use, on a $4/month Hetzner box, where a 3am death costs you nothing but a re-run. Managed billing would be pure overkill.

  • Learning. Sometimes the point is to understand every layer yourself. Doing it by hand once is the best way to know what a managed runtime is actually buying you.

If any of those describe you, the host an AI agent on a server walkthrough will get you to a solid DIY setup without cutting the security corners.

The bottom line

The managed vs self hosting OpenClaw decision is not really about the software, because the software is the same open-source image either way. It is about who absorbs the operational work: patching, TLS, secrets, egress rules, backups, and the 3am restart. Self-hosting on a $4 to $6/month Hetzner CX22 is genuinely cheaper in dollars and is the right choice when you need full data control, an air-gapped network, or you are just tinkering. A managed runtime like Sokko wraps that same OpenClaw image with a pinned version, built-in memory, per-agent persistent storage, and a private terminal only you and your team can reach, so the recurring chores disappear and the price you pay is a predictable line item instead of scattered hours.

Pick the box if control is the priority. Pick the managed runtime if uptime and your own time are. Either way, decide it deliberately, because the version you regret in six months is the one you drifted into without pricing the hidden column.