← Back to docs

Bot Deployment

How getbot deploys an OpenClaw AI agent from zero to a live HTTPS URL.

demo
Demo: Bot Deployment

The deploy pipeline

After setup confirms your server is ready, getbot runs a multi-step deploy pipeline. Each step depends on the previous one, and getbot shows progress along the way.

Step 1: Identity derivation

Your email and team name are used to derive a unique identity for the bot:

  • Organization — from your email domain (alice@acme.comacme)
  • DomainORG.getbot.run (e.g., acme.getbot.run)
  • URL path/TEAM (e.g., /marketing)

This identity determines the container name, DNS record, Caddy route, and auth scope. You never configure these separately — they're all derived from your email.

Step 2: Container creation

If your organization doesn't already have an Incus container, getbot creates one. See Container Isolation for details on what this container provides. If the container already exists (e.g., you're adding a second bot), this step is skipped.

Step 3: Docker image

getbot builds the OpenClaw Docker image inside the container. This includes the agent runtime, configuration, and any dependencies. The image is built locally — nothing is pulled from a third-party registry at runtime.

Step 4: Volume setup

Two directories are created inside the container for persistent data:

  • openclaw-config — agent configuration files
  • openclaw-workspace — the agent's working directory (conversations, files, state)

Both are owned by UID 1000 (the non-root user inside the container). Data persists across container restarts and bot upgrades.

Step 5: Bot launch

getbot renders a Docker Compose file with your LLM provider's environment variable and API key, then runs docker compose up inside the container. The compose file includes health checks — getbot waits up to 60 seconds for the bot to report healthy before continuing.

  Deploying bot acme/marketing (~1 minute)...
  Waiting for bot to become healthy...

Step 6: Auth setup

For the first bot in an organization, getbot sets up the authentication infrastructure:

  1. Generates a 256-bit signing key for JWT tokens
  2. Generates a code exchange secret for the OAuth callback
  3. Writes auth config to /etc/getbot/auth.json on the host
  4. Deploys the getbot-auth systemd service
  5. Registers the auth callback route in Caddy

For additional bots in the same org, getbot updates the existing auth config with the new bot's allowed emails and signals the auth service to reload.

See Authentication for how the auth flow works.

Step 7: Route registration

getbot registers a route in Caddy that maps your bot's subdomain to the container:

  • Externalhttps://acme.getbot.run/marketing
  • Internal — proxied to the container's internal IP and port
  • Auth — every request passes through getbot-auth forward_auth before reaching the bot

Caddy handles HTTPS certificate provisioning automatically via Let's Encrypt. You don't configure TLS — it just works.

After deployment

  Setup complete!

  Your bot is live at: https://acme.getbot.run/marketing
  Sign in with Google using: alice@acme.com

  What's next:
    getbot bots list          — see your deployed bots
    getbot bots describe      — bot details and status
    getbot setup              — deploy another bot

Visit the URL, sign in with Google, and you're talking to your AI agent. The entire flow — from getbot setup to a live, authenticated bot — takes about 5 minutes.