Remote OpenClaw Blog
OpenClaw Browser Relay: What It Is & How to Set It Up (2026)
7 min read ·
OpenClaw Browser Relay is the connection layer that lets an OpenClaw agent drive a real Chrome, Brave, or Edge tab over the Chrome DevTools Protocol (CDP) instead of only using a clean browser OpenClaw spawns itself. In practice it means your agent can navigate pages, read the accessibility tree, click, type, and screenshot — either in an isolated profile it manages, or attached to a browser you are already signed into.
What OpenClaw Browser Relay Actually Is
OpenClaw Browser Relay is the path you use when you want OpenClaw to act against a browser — including one you are already logged into — rather than a throwaway session. According to the official OpenClaw browser documentation, the gateway runs a loopback-only control service that speaks to a Chromium-based browser over the Chrome DevTools Protocol.
The practical use case is simple: you already have a logged-in tab, a messy workflow, or a human-in-the-loop browsing context, and you want OpenClaw to inspect or act on that live session. That is what people are actually trying to unlock when they search for OpenClaw Browser Relay.
- Live, signed-in browser control — not just a clean managed browser
- Driven over CDP, the same protocol Chrome DevTools uses
- More setup than default onboarding, but far more capable
How OpenClaw Browser Relay Works
Browser Relay works by running a small loopback-only HTTP control service inside the OpenClaw gateway that connects to a Chromium browser over CDP. The control port is derived from the gateway port (the gateway defaults to 18791), it binds only to localhost, and it requires shared-secret authentication — a bearer token, an x-openclaw-password header, or HTTP Basic auth.
There are three ways the relay can attach to a browser, and choosing the right one is most of the battle:
| Mode | What it does | When to use it |
|---|---|---|
| Managed local browser | OpenClaw launches a dedicated, isolated Chromium profile with its own user-data directory on a CDP port in the 18800–18899 range. | Clean automation with no risk to your personal browser. |
| Existing session | Attaches to your already-running Chrome/Brave/Edge via the official Chrome DevTools MCP, reusing your logged-in tabs (driver: "existing-session", attachOnly: true). | Working inside authenticated apps you are already signed into. |
| Remote CDP | Connects to an external Chromium (e.g. Browserless, Browserbase, Notte) via a cdpUrl WebSocket endpoint. | Headless cloud browsers or browsers running on another machine. |
Once attached, the agent works in a snapshot-and-act loop: it captures the page's accessibility/DOM tree, decides on an action, executes it, and re-snapshots. OpenClaw bundles a browser-automation skill that teaches the agent this stable-tab and stale-ref recovery loop, loaded on demand to avoid token overhead.
How to Set Up OpenClaw Browser Relay
You set up Browser Relay by adding a browser block to ~/.openclaw/openclaw.json, then verifying the connection with the openclaw browser CLI. A minimal config that defines both a managed profile and an attach-to-existing-Chrome profile looks like this:
{
browser: {
enabled: true,
defaultProfile: "openclaw",
profiles: {
openclaw: { cdpPort: 18800, color: "#FF4500" },
user: { driver: "existing-session", attachOnly: true, color: "#00AA00" }
}
}
}
Then run the health-check and basic commands against your chosen profile:
openclaw browser --browser-profile openclaw doctor
openclaw browser --browser-profile openclaw start
openclaw browser --browser-profile openclaw open https://example.com
openclaw browser --browser-profile openclaw snapshot
To let an agent actually use the browser, grant the tool explicitly — for example tools: { alsoAllow: ["browser"] } on the agent or profile. If the openclaw browser command is missing entirely, add a root plugins: { allow: ["browser"] } block and restart the gateway. For a broader walkthrough of getting OpenClaw productive with browser tasks, see our OpenClaw browser automation guide and the complete OpenClaw use-cases guide.
Common Setup Problems
Most Browser Relay friction comes from auth, ports, and remote topologies — not the browser itself. The official docs are explicit that loopback identity tricks do not count as authentication: "Tailscale Serve identity headers and gateway.auth.mode: \"trusted-proxy\" do not authenticate this standalone loopback browser API." Shared-secret auth is mandatory.
| What tends to go wrong | Why it matters |
|---|---|
| Token / auth mismatch | The browser API needs its own shared secret; proxy-identity modes do not satisfy it, so the call is rejected even when the gateway looks healthy. |
| Port confusion | The control port is derived from the gateway port, and managed CDP ports live in 18800–18899 — easy to mix up. |
| SSRF blocks on navigation | Browser config is fail-closed by default; private-network or non-allowlisted hosts are blocked until you opt in. |
| Remote gateway fragility | Remote-control flows (gateway and browser on different machines) are more fragile than fully local ones. |
A quick way to localize a failure is the three-command path: if start and tabs succeed but open fails, the problem is navigation policy (SSRF), not CDP startup.
When Browser Relay Is Actually Worth It
Use Browser Relay when controlling an already-open or authenticated tab is the whole point: signed-in apps, continuity with an active browsing session, or workflows where reopening a browser context would break the task.
Do not make it your first OpenClaw milestone if your real goal is simply getting OpenClaw useful. Start with the managed profile, get the gateway stable, then add existing-session or remote modes when you know you need them.
- Good fit: existing authenticated tabs and real-session continuity
- Bad fit: first install or onboarding, before basic OpenClaw stability
- Best mindset: add it after the core gateway is already healthy
Bottom Line
The right mental model is: Browser Relay is powerful, but it is not the default easy path. The official docs make clear you should expect a more technical setup, especially around shared-secret auth, port derivation, and the limits of existing-session mode.
If you are trying to get productive quickly, get OpenClaw stable first on a managed profile. Then add the relay deliberately when a specific live-tab workflow justifies the extra moving parts.
Primary sources
- Official OpenClaw browser tool documentation
- OpenClaw documentation home
- The main OpenClaw repository
Recommended products for this use case
- Operator Launch Kit — Best fit if you want a cleaner first OpenClaw setup before you add Browser Relay complexity.
- Session Supervisor — Useful once you start layering longer-running agent sessions and browser-driven workflows.
- Founder Ops Bundle — Choose the ready-made stack if your real goal is useful operator workflows, not relay debugging.
Limitations and Tradeoffs
Existing-session mode is the most constrained: actions require snapshot refs rather than CSS selectors (except click-coords), element screenshots by selector are unsupported, wait --load networkidle is not available, and it requires browser version 144 or newer. Managed profiles are more capable but launch a separate browser.
Security defaults are strict on purpose: the browser config ships a fail-closed SSRF policy, so reaching private networks requires an explicit dangerouslyAllowPrivateNetwork: true (trust-only) or a hostname allowlist. These behaviors can change as OpenClaw evolves — always confirm against the current docs.
Related Guides
- OpenClaw Browser Automation Guide
- Browser MCP for OpenClaw
- Complete OpenClaw Use-Cases Guide
- Best OpenClaw VPS in 2026
Go deeper
The operator playbooks
Production-ready PDF guides for OpenClaw and Hermes Agent — $19.99 each.
Skills for this topic
Browse all skills →Frequently Asked Questions
Can it control a browser I am already logged into?
Yes — use an existing-session profile ( driver: "existing-session" , attachOnly: true ), which attaches to your running Chrome/Brave/Edge via the Chrome DevTools MCP and reuses your logged-in tabs. Note it requires browser version 144+ and uses snapshot refs instead of CSS selectors.




