Server Config

hub.yaml is your central ElasticClaw Server configuration file for providers, LLM keys, authentication, and server-level settings.

Overview

The server config lives at hub.yaml in your project root (or at ~/.elasticclaw/hub.yaml for global config). It tells ElasticClaw where to provision sandboxes, which credentials to use, and which shared services are available to workspaces.

Workspaces and workflows are not stored inline in hub.yaml. After you push them, ElasticClaw Server keeps them as files next to the config: workspaces/<name>/ for workspaces, with workflow YAML files nested under each workspace's workflows/ directory.

Example hub.yaml

yaml

# Server connection
url: http://localhost:8080
public_url: https://server.example.com # URL agents use to connect back
token: your-server-token               # CLI login token
claw_token: your-agent-token           # token for agent registration
ui_password: ${UI_PASSWORD}           # web UI password (defaults to 'admin' if unset)

# Sandbox providers
providers:
  daytona:
    api_url: https://app.daytona.io
    api_key: ${DAYTONA_API_KEY}
    default_snapshot: daytona-large
  replicated:
    token: ${REPLICATED_TOKEN}
    default_instance_type: r1.large
    default_ttl: 48h

# LLM API keys (named)
llm_keys:
  - name: anthropic-prod
    provider: anthropic
    api_key: ${ANTHROPIC_API_KEY}
    default: true
    default_model: anthropic/claude-sonnet-4-6
  - name: fireworks-kimi
    provider: fireworks
    api_key: ${FIREWORKS_API_KEY}
    default_model: fireworks/accounts/fireworks/models/kimi-k2p6

# Default model (provider/model format)
default_model: anthropic/claude-sonnet-4-6

# Authentication
auth:
  github_oauth:
    client_id: Ov23lixxxxxxxxxxxx
    client_secret: ${GITHUB_OAUTH_SECRET}
    allowed_users: []
    allowed_orgs: []
    allowed_teams: []
  disable_password_auth: false

# Branding (optional white-label)
branding:
  app_name: My Platform
  logo_url: https://example.com/logo.png

# SSH keys added to every sandbox
ssh_public_keys:
  - ssh-ed25519 AAAAC3NzaC...

External workspaces and workflows

ElasticClaw Server creates workspaces/ alongside hub.yaml. Use elasticclaw workspace push to publish workspace files, then elasticclaw workflow push to publish workflow YAML into a workspace.

text

~/.elasticclaw/
  hub.yaml
  workspaces/
    elasticclaw/
      elasticclaw-config.yaml
      AGENTS.md
      TOOLS.md
      workflows/
        feature-workflow.yaml

This is the server storage layout after publishing. Author workspace files under .elasticclaw/workspaces/ and workflow YAML under .elasticclaw/workflows/ before pushing them.

Fields Reference

urlServer URL for CLI connections.

public_urlURL agents use to connect back from remote sandboxes. Falls back to url if not set.

tokenCLI authentication token.

claw_tokenToken for agent registration. Auto-generated if unset.

ui_passwordWeb UI login password. Defaults to 'admin' if not set.

providersSandbox provider configs. See Providers docs.

llm_keysNamed LLM API keys. One can be marked default:true.

default_modelGlobal default model (provider/model format).

secretsNamed server-level secret values for server-managed services. Workspace runtime secrets are managed with elasticclaw secret.

authGitHub OAuth and tag-based access control for the web UI.

brandingWhite-label: app_name, logo_url.

ssh_public_keysExtra SSH keys injected into every provisioned sandbox.

bridge_imageOCI artifact reference for claw-bridge. Defaults to ghcr.io/elasticclaw/claw-bridge:latest.

All ${...} values are resolved from environment variables. Use a .env file or your secrets manager of choice.