Glossary

What is Forward Auth?

Forward authentication is a pattern where a reverse proxy delegates access decisions to an external identity provider before forwarding requests to backend services.

How forward auth works

In a forward auth setup, the reverse proxy (Traefik, Nginx, or Caddy) intercepts every incoming request and sends a sub-request to an identity provider. If the provider returns a success response, the proxy forwards the original request to the backend. If not, the user gets redirected to a login page.

This means your backend application never sees unauthenticated traffic. The auth boundary sits at the network edge, not inside your application code.
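The decision an identity provider makes when it answers the proxy's sub-request can be sketched as follows. This is an added example, not code from HiClaw or from any proxy project. It assumes a hypothetical HMAC-signed `session` cookie, a hypothetical login URL and host allow-list, and the `X-Forwarded-Host` and `X-Forwarded-Uri` headers that Traefik's ForwardAuth middleware attaches to the sub-request.

```python
import hashlib
import hmac
import time
from urllib.parse import quote

SECRET = b"constructed-demo-key"               # assumption: provider's signing key
LOGIN_URL = "https://auth.example.test/login"  # assumption: hypothetical login page
ALLOWED_HOSTS = {"app.example.test"}           # assumption: hosts behind this proxy

def _mac(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def sign_session(user, expires):
    """Cookie value 'user|expires|hexmac', as the login page would issue it."""
    body = f"{user}|{expires}"
    return f"{body}|{_mac(body)}"

def verify_session(cookie, now):
    """Return the user if the cookie is authentic and unexpired, else None."""
    try:
        user, expires, mac = cookie.split("|")
        expiry = int(expires)
    except ValueError:                         # wrong field count or bad expiry
        return None
    ok = hmac.compare_digest(mac.encode(), _mac(f"{user}|{expires}").encode())
    return user if ok and expiry > now else None

def cookie_value(header, name):
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return ""

def auth_decision(headers, now=None):
    """Answer the proxy's sub-request with (status, response_headers)."""
    now = int(time.time()) if now is None else now
    host = headers.get("X-Forwarded-Host", "")
    if host not in ALLOWED_HOSTS:
        return 403, {}                         # no redirect for hosts we do not front
    user = verify_session(cookie_value(headers.get("Cookie", ""), "session"), now)
    if user:
        return 200, {"X-Auth-User": user}      # 2xx: proxy forwards the request
    uri = headers.get("X-Forwarded-Uri", "/")
    if not uri.startswith("/"):                # keeps "@other-host" out of the URL
        uri = "/"
    target = f"https://{host}{uri}"
    return 302, {"Location": f"{LOGIN_URL}?rd={quote(target, safe='')}"}
```

The host allow-list and the leading-slash check keep the return URL pinned to a host the proxy actually serves, so the login redirect cannot be turned into an open redirect.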

Forward auth in HiClaw

HiClaw runs Traefik as a per-node reverse proxy on each ECS EC2 instance. Every request to a user's OpenClaw web gateway is routed by Traefik to the correct container based on the subdomain.

Each OpenClaw deployment is protected by a unique gateway token. Users authenticate via this token (provided through the dashboard link), ensuring only the deployment owner can access their OpenClaw web interface.

Frequently asked questions

How is forward auth different from application-level auth?

Application-level auth runs inside your app code. Forward auth runs at the reverse proxy, so unauthenticated requests never reach your application. The proxy checks with an identity provider before forwarding traffic.

What identity provider does HiClaw use?

HiClaw uses Google OAuth directly for dashboard authentication. Each OpenClaw web gateway is protected by a unique gateway token, so only the deployment owner can access their instance.

Does forward auth add latency?

The auth check adds a few milliseconds per request. Traefik caches session state, so subsequent requests from the same session skip the full verification round-trip.
