Fly.io

Deploy globally on Fly.io with persistent volumes, automatic HTTPS, and optional private deployment with no public IP.

Fly.io is a container-based PaaS that runs OpenClaw on Firecracker microVMs globally, with automatic HTTPS, persistent volumes, and the option to deploy privately with no public IP. It's the recommended cloud PaaS for users who want a managed deployment without the complexity of provisioning and securing a VPS themselves.

The deployment flow uses Fly's standard tooling: create an app, provision a persistent volume for state, set secrets (gateway token, API keys, channel tokens), customize fly.toml for your configuration, and deploy with fly deploy. The first deploy builds the Docker image on Fly's builders (~2-3 minutes); subsequent deploys are faster. The gateway runs with --bind lan so Fly's proxy can reach it, and auto_stop_machines = false keeps it running 24/7.

Fly.io's key advantage is its global edge network. You can deploy to any of 30+ regions and get automatic HTTPS with zero configuration. For privacy-sensitive deployments, Fly offers private networking — your OpenClaw instance gets a .flycast address accessible only from within your Fly organization or via WireGuard tunnel, with no public IP at all. The fly.private.toml template in the OpenClaw repo configures this hardened mode automatically.

Persistent storage is handled through Fly volumes mounted at /data, where OpenClaw stores its configuration, workspace, and channel state. Volumes are region-pinned, so your data stays in one datacenter. The recommended configuration is shared-cpu-2x with 2GB RAM — the 512MB option is too small for the gateway and will OOM during builds. Fly's pricing is usage-based, typically landing at $10-15/month for an always-on OpenClaw instance.

Post-deploy configuration happens via SSH (fly ssh console) or the Control UI. You can SSH into the running machine to create openclaw.json, add channels, or run the onboarding wizard. For ongoing management, the Control UI is accessible at your app's public URL with the gateway token. Fly's built-in metrics and logging integrate with the gateway's health check endpoints for monitoring.

Tags: paas, global, containers, https

Use Cases

  • Always-on cloud AI assistant with automatic HTTPS and no server management
  • Global deployment where you want low-latency access from any region
  • Privacy-focused cloud deployment using Fly's private networking with no public IP
  • Quick cloud deploy for users who want managed infrastructure without VPS administration
  • Teams that need a shared AI agent accessible from anywhere with built-in HTTPS

Tips

  • Use fly.private.toml for private deployments with no public IP — access via WireGuard tunnel only
  • Choose a region close to your primary messaging servers for lowest latency: iad (US East), lhr (London), nrt (Tokyo)
  • Set all API keys and tokens as Fly secrets (fly secrets set) rather than in config files — secrets are encrypted at rest
  • Use fly ssh console to access the running container for configuration and troubleshooting
  • Monitor with fly logs -a my-openclaw for real-time gateway logs
  • Set OPENCLAW_STATE_DIR=/data in fly.toml env to persist state on the volume — without this, state is lost on redeploy
  • Use fly scale count 1 to ensure exactly one instance runs — multiple instances with shared volumes cause conflicts

Known Issues & Gotchas

  • The default fly.toml exposes a public URL — use fly.private.toml for hardened deployments with no public IP
  • Volumes are region-pinned: your app and volume must be in the same region, and you can't move volumes between regions
  • shared-cpu-1x with 256MB will OOM during builds — use shared-cpu-2x with 2GB minimum
  • auto_stop_machines must be false or the gateway will be killed during idle periods, dropping all channel connections
  • Non-loopback binding (--bind lan) requires OPENCLAW_GATEWAY_TOKEN to be set — Fly won't start without it
  • Fly's free tier includes limited compute — check current free allowances as they change frequently
  • First deploy builds the image on Fly's builders which may be slow depending on builder availability
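
The settings named in the Tips and Known Issues lists above can be checked before running fly deploy. The following pre-deploy lint is an added example, not code from the OpenClaw repo or from Fly; the finding names, the secret-name heuristic and both sample configs are constructed for illustration, and it assumes Python 3.11+ for tomllib (or the tomli package on older interpreters).

```python
import re
try:
    import tomllib                      # Python 3.11+
except ModuleNotFoundError:             # older interpreters: pip install tomli
    import tomli as tomllib

SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|API_KEY", re.I)  # heuristic, assumed

def lint_fly_toml(text):
    """Return sorted finding codes for one fly.toml document."""
    cfg, findings = tomllib.loads(text), set()
    env = cfg.get("env", {})
    # State must live on the volume, or it is lost on redeploy.
    if env.get("OPENCLAW_STATE_DIR") != "/data":
        findings.add("state-dir-not-on-volume")
    # Secret-looking names in [env] sit in plaintext; use `fly secrets set` instead.
    if any(SECRET_NAME.search(name) for name in env):
        findings.add("secret-in-env")
    mounts = cfg.get("mounts", [])
    if isinstance(mounts, dict):        # Fly accepts [mounts] and [[mounts]]
        mounts = [mounts]
    if not any(m.get("destination") == "/data" for m in mounts):
        findings.add("no-volume-at-/data")
    http = cfg.get("http_service")
    if http is not None:
        # The page's private option omits this section; review exposure if present.
        findings.add("http-service-defined")
        # Require an explicit false (or Fly's string form "off") to stay up when idle.
        if http.get("auto_stop_machines") not in (False, "off"):
            findings.add("auto-stop-enabled")
    return sorted(findings)

# Constructed sample configs (not the repo's fly.toml or fly.private.toml).
WEAK = """
app = "my-openclaw"
[env]
OPENCLAW_GATEWAY_TOKEN = "constructed-example-value"
[http_service]
auto_stop_machines = true
"""
HARDENED = """
app = "my-openclaw"
[env]
OPENCLAW_STATE_DIR = "/data"
[mounts]
source = "openclaw_data"   # constructed volume name
destination = "/data"
"""
if __name__ == "__main__":
    print(lint_fly_toml(WEAK), lint_fly_toml(HARDENED))
```

An empty list means none of the listed gotchas were detected in the file; it does not check secrets, machine size, or instance count, which live outside fly.toml or need the fly CLI.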

Alternatives

  • Railway
  • Hetzner VPS
  • Render
  • DigitalOcean Droplet
  • Docker (self-hosted)

Community Feedback

For a solo developer wanting Docker containers with predictable pricing and European servers, Fly.io is the easiest to set up but Hetzner wins on raw cost.

— Reddit r/Hosting

Fly.io gives you HTTPS and global deployment for free. No nginx, no certbot, no reverse proxy config. Just fly deploy and it works.

— Reddit r/selfhosted

The private deployment option on Fly is underrated. No public IP, accessible only through WireGuard — perfect for an AI agent you don't want exposed.

— Reddit r/AI_Agents

Frequently Asked Questions

How much does Fly.io cost for OpenClaw?

Typically $10-15/month for a shared-cpu-2x with 2GB RAM running 24/7. Costs include compute, volume storage (1GB ~$0.15/mo), and outbound bandwidth. Check Fly's pricing page for current rates.

Can I deploy without a public URL?

Yes. Use the fly.private.toml template or set auto_stop_machines=true with no http_service section. Access via WireGuard tunnel (fly wireguard) or Fly's internal .flycast addresses.

How do I update OpenClaw on Fly.io?

Pull the latest code, then fly deploy. Fly builds a new image and performs a rolling deploy. Your volume data persists across deploys.

What happens if the machine crashes?

Fly automatically restarts crashed machines. The gateway's health check endpoint (/healthz) triggers restarts if the process becomes unresponsive. Volume data survives crashes.

Can I use WhatsApp on Fly.io?

Yes. SSH into the container (fly ssh console) and run the WhatsApp QR code flow. After initial linking, WhatsApp runs headlessly. Some users report needing to re-link after deploys — persist the auth state in the volume.

Why is 2GB RAM recommended?

The gateway itself needs ~256-512MB, but the Docker image build step and agent tool execution can spike memory usage. 2GB provides headroom for builds and concurrent operations without OOM kills.