How to Deploy OpenClaw on a Cloud Server and Connect It to Google Services with OAuth

OpenClaw is an open-source chatbot framework powered by AI that allows you to create advanced conversational agents with access to external tools and services. When connected to Google services such as Gmail, Calendar, and Drive, OpenClaw can automate workflows including email processing, scheduling, and file management. In this guide, you will set up OpenClaw on a cloud-based Ubuntu server and configure it to use Google services through OAuth (Open Authorization) authentication.

To prepare OpenClaw, you will create a separate Gmail account for security, configure Google Cloud Console to allow API (Application Programming Interface) access, and establish secure OAuth credentials for authentication. You will also learn how to move those credentials to your server, install the required utilities, and create an SSH (Secure Shell) tunnel so browser-based authentication can be completed securely from a remote machine.

By the end of this guide, you will have a working OpenClaw installation on a cloud server with authenticated access to Google services.

Key Takeaways

• OpenClaw is an AI-based chatbot framework that can connect to Google services such as Gmail, Calendar, and Drive to automate tasks.
• Using a dedicated Gmail account for your OpenClaw bot increases security and keeps automation activity separate from personal accounts.
• Google Cloud Console requires OAuth 2.0 credentials and enabled APIs for each service your bot needs to use.
• The gogcli utility makes it easier to authenticate Google services on servers without a graphical interface by using SSH tunneling.
• SSH tunneling makes it possible to complete browser-driven OAuth authentication from a remote server that has no desktop environment.

Warning: Giving OpenClaw permission to access your Google services involves security risks. If your server is compromised, unauthorized parties may be able to access your Gmail, Google Calendar, and other connected services. Because of this, you should avoid using your personal Google account with OpenClaw. Instead, create a Gmail account specifically for your bot so that it remains isolated from your personal data and reduces possible damage in the event of a breach. OpenClaw is not secure by default, so this Google account should not be used for confidential communication, sensitive files, or important calendar events.

Note: This configuration process is extensive and includes multiple steps across different services and platforms. OpenClaw is also actively being developed, which means the application may change and some steps could become outdated over time.

Step 1 – Creating an OpenClaw Server

To get started, sign in to your cloud hosting provider and create a standard Ubuntu server with 4–8 GB of RAM where OpenClaw will be installed manually.

After the server is ready, note its public IP address from your hosting control panel. You will use this address throughout the setup process.

Connect to your server over SSH from a terminal by running the following command, replacing your_server_ip with your server’s IP address:

$ ssh root@your_server_ip

If this is the first time you are connecting to the server, you may be asked to confirm the host authenticity. Type yes to continue.

After logging in, run the following command to install OpenClaw:

$ curl -fsSL https://openclaw.ai/install.sh | bash

Follow the prompts shown in the text-based user interface (TUI). Choose an AI option and enter the API key for the provider you selected. You can optionally connect a communication channel during this stage, although this tutorial focuses on integrating Google services.

Step 2 – Creating a Dedicated Gmail Account

Open Google’s account creation page and complete the steps to register a new Gmail account. Choose a clear and descriptive name that identifies it as your bot account, such as yourproject-openclaw@gmail.com. Do not store personal details, contacts, or sensitive information in this account.

Finish the account setup process, including phone verification if Google requires it. Save the email address and password, since this account will be used for the rest of the Google Cloud Console configuration. You do not need to add any skills yet.

Step 3 – Configuring Google Cloud Console and OAuth

After creating the dedicated Gmail account, the next step is to configure Google Cloud Console so API access is enabled and OAuth credentials can be generated.

Open Google Cloud Console and make sure you are signed in with the Gmail account created for the bot. If more than one Google account is available in your browser, confirm that the correct one is active by checking the profile icon in the top-right corner.

Creating a Google Cloud Project

• Click Select a project at the top of the page.
• Then click New Project in the upper-right corner of the dialog that appears.

Enter a project name such as OpenClaw Google Integration and click Create. After the project is created, which may take a few moments, switch to it by clicking Select a project again and choosing the new project from the list.

Enabling Google APIs

Click the hamburger menu icon in the upper-left corner, hover over APIs & Services, and choose Enabled APIs & Services.

Click + ENABLE APIS AND SERVICES at the top of the page.

Search for and enable these APIs:

• Gmail API: Search for Gmail API, open it, and click Enable.
• Google Calendar API: Search for Google Calendar API, open it, and click Enable.
• Google Drive API: Search for Google Drive API, open it, and click Enable.

You may enable more Google APIs later depending on your requirements. Every enabled API can later be used by your OpenClaw bot.

Configuring the OAuth Consent Screen

After the required APIs are enabled, open OAuth consent screen from the left sidebar under APIs & Services.

Click Get Started and configure the consent screen with the following settings:

• App name: Enter a name such as OpenClaw Google
• User support email: Choose your bot’s email address from the dropdown
• Click Next
• Audience: Select External so the bot can access the account
• Developer contact information: Enter your bot’s email address
• Continue clicking Next through the remaining screens
• Click Create

After the consent screen has been created, click Publish App from the left sidebar under Audience.

Then click Confirm so the application becomes available for use.

Creating OAuth Credentials

1. Return to the left navigation menu and open Credentials under APIs & Services.
2. Click + CREATE CREDENTIALS at the top and choose OAuth client ID.
3. For Application type, select Desktop app, give it a descriptive label such as OpenClaw Desktop Client, and click Create.
4. A dialog will appear showing your client ID and client secret. Click Download JSON to download the credentials file. This file contains your OAuth credentials and must be stored securely.
5. Save the downloaded file on your local computer with an easy-to-recognize name such as google_oauth_client.json.

Step 4 – Transferring Credentials and Installing gogcli

Next, transfer the OAuth credentials file to your server and install gogcli, a command-line tool used to authenticate Google services.

Transferring the Credentials File

Open a new terminal window on your local computer, not the active SSH session to the server, and use scp to copy the JSON file from your local system to the server. Replace path/to/your/file.json with the real path to the downloaded OAuth credentials file and replace your_server_ip with the public IP address of your server:

$ scp "path/to/your/file.json" root@your_server_ip:~/google_oauth_client.json

For example:

$ scp "~/Downloads/client_secret_123456.json" root@203.0.113.10:~/google_oauth_client.json

This command copies the file to the home directory on the server and renames it to google_oauth_client.json.

Installing gogcli

Return to the SSH session connected to your server and install gogcli. This utility helps authenticate Google services on headless systems.

First, download the prebuilt gogcli binary for version 0.11.0:

$ cd /tmp
$ wget https://github.com/steipete/gogcli/releases/download/v0.11.0/gogcli_0.11.0_linux_amd64.tar.gz

Extract the archive:

$ tar -xzf gogcli_0.11.0_linux_amd64.tar.gz

Install the binary to /usr/local/bin so it is available system-wide:

$ sudo install -m 0755 gog /usr/local/bin/gog

Verify that the installation completed successfully:

$ gog --version

You should see output showing version 0.11.0 or a similar version string.

Configuring gogcli with Your Credentials

Create the gogcli configuration directory and move the credentials file into place:

$ mkdir -p ~/.config/gogcli
$ mv ~/google_oauth_client.json ~/.config/gogcli/credentials.json
$ chmod 600 ~/.config/gogcli/credentials.json

The chmod command applies restrictive permissions to the credentials file so only your user account can read it.

Register the credentials with gogcli:

$ gog auth credentials ~/.config/gogcli/credentials.json

Step 5 – Authenticating Google Services Through an SSH Tunnel

The final configuration step is to authenticate the bot’s Google account with the services you enabled. Because this process requires a browser and the server does not provide a graphical interface, you will create an SSH tunnel so authentication can be completed from your local computer.

Initiating Authentication

In the SSH session connected to your server, run the following command. Replace your_bot_gmail_address with the Gmail address created for your bot, and include the services you enabled separated by commas:

$ gog auth add your_bot_gmail_address --services gmail,calendar,drive

For example:

$ gog auth add myproject-openclaw@gmail.com --services gmail,calendar,drive

The command will return a long URL beginning with https://accounts.google.com/o/oauth2/auth?.... Do not open the URL yet.

Extracting the Port Number

Review the URL produced by the command and locate the redirect_uri parameter, which includes a port number. It will look similar to this:

$
Output
https://accounts.google.com/o/oauth2/auth?...redirect_uri=http%3A%2F%2F127.0.0.1%3A35817%2Foauth2%2Fcallback...

The five-digit number after 127.0.0.1%3A is the port number. In this example, it is 35817. Make a note of that number.

Creating the SSH Tunnel

Important: The authentication URL expires quickly, so the next steps should be completed promptly. If the URL expires, run the gog auth add ... command again to generate a new one.

Open another terminal window on your local computer and keep the SSH session to the server open. Then create the SSH tunnel with the following command. Replace PORT with the port number you identified, and replace your_server_ip with the public IP address of the server:

$ ssh -N -L PORT:127.0.0.1:PORT root@your_server_ip

For example:

$ ssh -N -L 35817:127.0.0.1:35817 root@203.0.113.10

This command sets up a tunnel that forwards traffic from a local port on your machine to the same port on the remote server. It will not print any output and may appear to freeze, which is normal. Leave it running.

Completing Browser Authentication

Once the SSH tunnel is active, copy the full authentication URL from the terminal on the server and paste it into a web browser on your local computer.

Complete the authentication flow by following these steps:

• Select your account: Choose the Gmail account created for the bot
• Verification warning: If Google displays a message saying the app is not verified, click Advanced, then choose Go to [Your App Name]
• Permissions: Click Select all to approve access to all requested services, then click Continue
• You should then see a success message confirming authentication is complete

Finalizing Authentication

Return to the SSH terminal connected to your server. You should see this message:

$
Output
Authorization received. Finishing...

The tool will then ask you to enter a passphrase to encrypt the saved credentials. Type a secure passphrase and press ENTER. Save this passphrase because it will be required later.

After that process finishes, your OpenClaw bot will be authenticated and able to access the Google services you configured.

You can now stop the SSH tunnel on your local machine by pressing CTRL + C in the terminal where it is running.

Step 6 – Configuring OpenClaw Environment Variables

After authenticating the Google account with gogcli, you need to configure OpenClaw so it can use those credentials. To do that, set the passphrase you created in Step 5 as an environment variable OpenClaw can read.

Creating the OpenClaw Environment File

First, open the OpenClaw environment file with the nano text editor. This file stores environment variables required by OpenClaw:

$ nano /root/.openclaw/.env

This command opens the .env file in OpenClaw’s configuration directory. If the file does not already exist, nano will create it.

Add the following line to the file, replacing your_password with the actual passphrase created during the gogcli authentication process. If the file already contains another API key, make sure this is placed on a new line.

$ GOG_KEYRING_PASSWORD=your_password

This line stores the gogcli keyring password as an environment variable, allowing OpenClaw to decrypt and use the Google service credentials.

Save the file by pressing CTRL + O, then press ENTER to confirm. Exit the editor by pressing CTRL + X.

Next, apply secure permissions to the environment file so only your user account can read it:

$ chmod 600 /root/.openclaw/.env

The chmod 600 command sets the file permissions to allow read and write access only for the owner, preventing other users on the system from viewing the stored passphrase.

Adding the Variable to Your Shell Environment

Export the environment variable in your shell by appending it to your .bashrc file:

$ echo 'export GOG_KEYRING_PASSWORD=$(grep GOG_KEYRING_PASSWORD /root/.openclaw/.env | cut -d= -f2)' >> ~/.bashrc

This command performs several actions:

• grep GOG_KEYRING_PASSWORD /root/.openclaw/.env searches the .env file for the line containing the password
• cut -d= -f2 extracts only the password value, which is everything after the equals sign
• export GOG_KEYRING_PASSWORD=$() defines it as an environment variable in your shell
• >> ~/.bashrc appends the export command to your .bashrc file so it runs automatically whenever a new shell session starts

Configuring the OpenClaw Gateway Service

The OpenClaw gateway service also requires access to this environment variable. Open the systemd service configuration file:

$ nano ~/.config/systemd/user/openclaw-gateway.service

This opens the systemd unit file that controls how the OpenClaw gateway service is started. Systemd is the process manager used on most Linux systems to control background services.

Scroll to the [Service] section of the file. Add the following new line, replacing your_password with your actual passphrase:

$ Environment=GOG_KEYRING_PASSWORD=your_password

This Environment directive instructs systemd to define the GOG_KEYRING_PASSWORD environment variable when it launches the OpenClaw gateway service, ensuring the service can read your Google credentials.

Save the file with CTRL + O, press ENTER, and exit with CTRL + X.

Restarting the OpenClaw Service

To apply the changes, reload the systemd configuration and restart the OpenClaw gateway service:

$ systemctl --user daemon-reload
$ systemctl --user restart openclaw-gateway

The systemctl --user daemon-reload command tells systemd to reload all unit file definitions, which is necessary after making changes to a service file. Without doing this, systemd would continue using the previous version stored in memory.

The systemctl --user restart openclaw-gateway command stops and starts the OpenClaw gateway service again so the new environment variable is applied. The --user flag ensures the command works with user-level services instead of system-wide services.

Step 7 – Verifying That the Google Connection Works

Now open the text-based user interface with the following command:

$ openclaw tui

Then ask OpenClaw what the most recent email received by the OpenClaw Gmail account was. OpenClaw should display that message. You may need to try the request more than once depending on which LLM is configured in your settings. In some cases, OpenClaw may behave inconsistently or run into API rate limits quickly.

FAQ

Why should I create a dedicated Gmail account for OpenClaw instead of using my personal account?

Using OpenClaw with Google services introduces security risks. If the server is compromised, an attacker could gain access to any Google account connected to OpenClaw, including the ability to read emails, view calendar entries, access stored files, and perform actions on your behalf. A separate account reduces the impact of a possible breach by limiting exposure to the bot account only and protecting your personal data. You should never connect your personal Gmail account to OpenClaw or a similar automation platform unless you fully understand and accept the risks involved.

What happens if the OAuth authentication URL expires before I finish setting up the SSH tunnel?

The authentication URL is only valid for a short time as a security measure. If it expires, simply run the gog auth add command again to create a fresh URL and a new port number. Then recreate the SSH tunnel and complete the browser-based authentication process.

Can I enable additional Google APIs after the initial setup?

Yes, you can return to Google Cloud Console whenever needed and enable more APIs. After activating new APIs, you may need to authenticate again by running the gog auth add... command with the updated list of services.

How secure is it to store OAuth credentials on my server?

The gogcli tool encrypts stored credentials using the passphrase entered during authentication. In addition, file permissions set to 600 ensure that only your user account can read the credentials file. For production deployments, you should also consider stronger security practices such as hardware security modules or dedicated secret management solutions.

What should I do if I get connection errors when trying to use Google services?

Start by confirming that the required APIs are enabled in Google Cloud Console. Check that the OAuth consent screen has been published and is not still in testing mode. Make sure your gogcli authentication is still valid by running gog auth list to review active authentications. If the problem continues, try authenticating again with the gog auth add command.

Can I use OpenClaw with services other than Google?

Yes, OpenClaw can integrate with additional services beyond Google. The exact setup process depends on the authentication model and technical requirements of the service you want to connect. Refer to the OpenClaw documentation for instructions on integrating other platforms.

Conclusion

In this guide, OpenClaw was installed on a cloud-hosted Ubuntu server and connected to Google services such as Gmail, Calendar, and Drive. The setup included creating a separate Gmail account for security purposes, configuring OAuth credentials in Google Cloud Console, installing the gogcli authentication utility, and using SSH tunneling to complete browser-based authentication on the remote server.

Once OpenClaw is set up and authenticated, it can be used to build AI agents that handle tasks such as email automation, calendar planning, document processing, and other workflows within Google’s ecosystem.