@knotieaipro/openclaw-channel-knotie
v0.1.0
OpenClaw channel plugin — secure 5-layer portal-to-agent channel for Knotie whitelabel deployments (TLS, HMAC nonces, silent 444 drop)
@knotie/openclaw-channel-knotie
OpenClaw plugin — Secure portal chat channel that connects the Knotie AI whitelabel portal to an OpenClaw agent running on a customer VPS.
What this plugin does
When you deploy OpenClaw through Knotie's VPS catalog, your customers get an agent that runs on their infrastructure — but you need a way for the Knotie whitelabel portal to chat with it securely over the public internet.
This plugin registers a hardened HTTP channel (/knotie-channel) on the OpenClaw instance. The Knotie portal's server-side proxy calls this channel to forward customer messages and receive agent replies — without any Tailscale or shared VPN required.
Endpoints
| Method | Path | Auth | Description |
|--------|------|------|-------------|
| GET | /knotie-channel/health | None | Liveness check — used by the portal's status indicator |
| POST | /knotie-channel/chat | Bearer + HMAC | Send a message, receive an agent reply |
| POST | /knotie-channel/clear-session | Bearer + HMAC | Clear agent session history for a given session ID |
Security model — 5 layers, defence-in-depth
The channel is designed to be exposed on a public VPS port without becoming a liability. Each layer independently limits what an attacker can do:
| Layer | Where | What it stops |
|-------|-------|---------------|
| TLS | nginx (self-signed cert) | Traffic interception — all data is encrypted in transit |
| Silent 444 drop | nginx | Port scanning — every path except /knotie-channel/ returns no response; the port appears closed to scanners |
| Knock header (X-Knotie-Gateway) | nginx | Drive-by requests — nginx returns 444 (no response) if this per-instance secret is missing or wrong |
| Bearer token | This plugin | Credential brute-force — constant-time (timingSafeEqual) verification of the 32-byte hex shared secret |
| HMAC request nonce | This plugin | Replay attacks — every request must include X-Knotie-Timestamp + X-Knotie-Nonce + X-Knotie-Signature (HMAC-SHA256); the plugin rejects requests outside a ±5-minute window |
The knock header and HMAC secret are generated per-deployment (not shared across instances) and stored only in the Knotie DB — never exposed to the browser.
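The nginx layers in the table above (TLS, silent 444 drop, knock header, rate limiting) can be expressed as a short server block. The fragment below is an added example, not the Knotie deploy script's own configuration: the certificate paths, the zone names, the burst value and the knock-secret placeholder are assumptions, and the README does not say whether /knotie-channel/health is exempt from the knock header at the nginx level, so this example applies it to the whole prefix. The Bearer and HMAC checks are not done here; they belong to the plugin on loopback :18789.

```nginx
# Added example (not the deploy script's config): public TLS proxy on 18790.
# Zones live in the http {} context; the server block can be its own file.
limit_req_zone  $binary_remote_addr zone=knotie_req:1m rate=10r/m;   # 10 req/min per client IP
limit_conn_zone $binary_remote_addr zone=knotie_conn:1m;

server {
    listen 18790 ssl;
    ssl_certificate     /etc/nginx/knotie/selfsigned.crt;   # assumed path
    ssl_certificate_key /etc/nginx/knotie/selfsigned.key;   # assumed path

    # Layer 2: anything outside /knotie-channel/ gets no response at all,
    # so a scanner sees the port as closed rather than as an HTTP service.
    location / {
        return 444;
    }

    location /knotie-channel/ {
        # Layer 3: per-instance knock header, checked before the request
        # ever reaches OpenClaw. Missing or wrong value -> same silent drop.
        if ($http_x_knotie_gateway != "REPLACE_WITH_PER_INSTANCE_SECRET") {
            return 444;
        }

        limit_req  zone=knotie_req burst=10 nodelay;   # burst size is an assumption
        limit_conn knotie_conn 3;                      # 3 concurrent, as in the topology

        proxy_pass         http://127.0.0.1:18789;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $remote_addr;
    }
}
```

Because the knock secret is compared with a plain `if`, it is not a constant-time check; that is acceptable here only because it is a coarse drive-by filter, and the actual credential (Bearer token) is verified with timingSafeEqual inside the plugin.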
About Knotie AI
Knotie AI is a white-label AI platform built for agencies and developers who want to resell AI products under their own brand.
What agencies get on Knotie:
- One-click deploy templates for AI Receptionist, Voice SDR, Support Bot, Cloud Setup, and more — fully white-labeled under your domain
- A VPS marketplace where customers can deploy self-hosted AI tools (OpenClaw, n8n, Open WebUI, etc.) and manage them from your portal
- An AI Gateway (OpenAI-compatible, 50+ models) you can sell as a standalone product
- Multi-provider voice support: VAPI, Retell, ElevenLabs, LiveKit, Ultravox
- Built-in billing: Stripe Connect, credit system, metered usage — you set the margin
OpenClaw deployed through Knotie gets a fully automated setup: SSH deploy, nginx TLS proxy, this channel plugin, the customizer plugin, and all secrets generated and stored without any manual steps.
Installation
```shell
openclaw plugin add @knotieaipro/openclaw-channel-knotie
```

Note: When deploying OpenClaw through Knotie's VPS catalog, this plugin is installed and configured automatically as part of the deploy script. Manual installation is only needed for self-managed instances that you want to connect to a Knotie portal.
Configuration
| Variable | Required | Description |
|---|---|---|
| KNOTIE_CHANNEL_TOKEN | Yes | 32-byte hex shared secret — generated by Knotie at deploy time |
The token is injected into /etc/environment and /root/.openclaw/channel.env during the catalog deploy so it survives daemon restarts.
Network topology
```text
Customer browser
      │
      ▼
Knotie whitelabel portal (Next.js)
      │ POST /api/whitelabel/vps/instances/[id]/openclaw/chat
      ▼
Portal server-side proxy (Node.js)
      │ HTTPS · Bearer token · Knock header · HMAC nonce
      ▼
VPS public IP : 18790 (nginx TLS proxy)
      │ 444 drop on unknown paths
      │ Rate-limited: 10 req/min, 3 concurrent
      ▼
loopback : 18789 (OpenClaw)
      │ This plugin validates Bearer + HMAC
      ▼
Agent reply → reverse through the same chain → browser
```

The customer connects their OpenClaw agent (and its control UI) via their own Tailscale network. The Knotie portal uses the public nginx channel — no shared VPN required.
How the HMAC signature works
The portal signs every request before sending it:
```javascript
// Portal side (simplified). channelToken (the KNOTIE_CHANNEL_TOKEN shared secret)
// and headers (the outgoing request's header object) come from the proxy code.
import { createHmac, randomBytes } from 'node:crypto';

const timestamp = String(Date.now());                 // ms since epoch, sent as a string
const nonce = randomBytes(16).toString('hex');        // 128-bit random nonce per request
const message = `${timestamp}:${nonce}`;              // the signed message
const signature = createHmac('sha256', channelToken).update(message).digest('hex');
headers['X-Knotie-Timestamp'] = timestamp;
headers['X-Knotie-Nonce'] = nonce;
headers['X-Knotie-Signature'] = signature;
```

The plugin verifies:
- All three headers are present
- Timestamp is within ±5 minutes of the VPS clock
- HMAC-SHA256 matches (constant-time comparison)
A captured request is useless after 5 minutes — even if the attacker has the exact headers.
Requirements
- OpenClaw ≥ 3.0.0
- Node.js ≥ 18 (ESM)
License
MIT — see LICENSE
Links
- Knotie AI Platform — white-label AI for agencies
- OpenClaw — self-hosted AI agent runtime
- Knotie Partner Dashboard — manage your deployments
- @knotieaipro/openclaw-customizer — white-label branding plugin
