text
Copy
Security trust model:

* By default, OpenClaw is a personal agent: one trusted operator boundary.
* Shared/multi-user setups require lock-down (split trust boundaries, keep tool access minimal, and follow [Security](/gateway/security)).
* Local onboarding now defaults new configs to `tools.profile: "coding"` so fresh local setups keep filesystem/runtime tools without forcing the unrestricted `full` profile.
* If hooks/webhooks or other untrusted content feeds are enabled, use a strong modern model tier and keep strict tool policy/sandboxing.

text
Copy
Where does the **Gateway** run?

* **This Mac (Local only):** onboarding can configure auth and write credentials
  locally.
* **Remote (over SSH/Tailnet):** onboarding does **not** configure local auth;
  credentials must exist on the gateway host.
* **Configure later:** skip setup and leave the app unconfigured.

<Tip>
  **Gateway auth tip:**

  * The wizard now generates a **token** even for loopback, so local WS clients must authenticate.
  * If you disable auth, any local process can connect; use that only on fully trusted machines.
  * Use a **token** for multi‑machine access or non‑loopback binds.
</Tip>

text
Copy
Onboarding requests TCC permissions needed for:

* Automation (AppleScript)
* Notifications
* Accessibility
* Screen Recording
* Microphone
* Speech Recognition
* Camera
* Location

The app can install the global `openclaw` CLI via npm, pnpm, or bun. It prefers npm first, then pnpm, then bun if that is the only detected package manager. For the Gateway runtime, Node remains the recommended path.

After setup, the app opens a dedicated onboarding chat session so the agent can introduce itself and guide next steps. This keeps first‑run guidance separate from your normal conversation. See [Bootstrapping](/start/bootstrapping) for what happens on the gateway host during the first agent run.