Skip to content
nacre.sh
Your bot

Web terminal

A full bash shell on your VM, reachable from the browser. Token-authenticated, auto-refreshed, no SSH keys or passwords to manage.

What it's for

Most of the time you won't need the terminal — the dashboard covers the happy path. It exists for the cases the dashboard doesn't cover yet:

  • Editing OpenClaw config files by hand.
  • Pasting an LLM key directly into /etc/openclaw/env so it never touches our database.
  • Tailing OpenClaw logs live.
  • Running docker compose commands.
  • Restoring a file from the /data volume.

How access works

ttyd runs as a container on your VM, bound to localhost. Caddy fronts it at https://user-<id>.nacre.sh/terminal. Every WebSocket connection must include a short-lived token in the URL query string — your browser passes it automatically. There is no username or password to type.

Token TTL
15 minutes, reissued on demand
Auth method
ttyd --token query-param (no browser Basic Auth dialog)
Transport
WebSocket over TLS (wss)
Session recording
We don&apos;t record your terminal. You do.

Opening the terminal

Dashboard → Terminal. Nacre calls POST /api/dashboard/vm/terminal-token to mint a short-lived token, then loads an iframe at your VM's subdomain with the token in the URL. If you sit idle past 15 minutes, the token expires — refresh the page and a new one is minted.

It's a real shell
You have root on your VM. You can break OpenClaw, corrupt the /data volume, or take the container offline. If that happens: backups run nightly to R2, and the dashboard has a "Restart OpenClaw" button that wipes the container (not the volume) and brings it back. See backups.

Useful commands

Everyday things you might run:

TaskCommand
See running containersdocker compose ps
Tail OpenClaw logsdocker compose logs -f openclaw
Restart OpenClawdocker compose restart openclaw
Edit env filesudo nano /etc/openclaw/env
Check diskdf -h /
Check memoryfree -h
Browse data volumels -la /var/lib/docker/volumes/openclaw_data/_data

Rotating the access token

If you suspect the terminal may have been accessed without your knowledge, rotating the token cuts off any active unauthorised sessions immediately:

  1. Dashboard → Settings → Security → Rotate access token.
  2. The control plane generates a new token, stores it securely, and pushes a rotate_secrets command to the agent on your VM.
  3. The agent updates the env file, writes a Docker Compose override that activates the new token, and force-recreates the ttyd container. Your next terminal page load picks it up automatically.

What if the terminal won't connect?

  • Check dashboard overview — if the VM shows down orunresponsive, the terminal won't load either. The agent is either crashed or the VM is stopped.
  • Try a hard refresh — token caching in a stale iframe is the single most common cause.
  • If the terminal shows a connection error or a ttyd login prompt, rotate the access token (above) and reload the page.
  • Still stuck? Email support@nacre.sh with your VM hostname and we'll check the event log.