Can OpenClawMU be the only multi-tenant primitive in my platform?

It can be the messaging + agent layer. You'll still need your own customer-facing auth (mapping users to tenant tokens), billing UI, and product features. OpenClawMU provides the gateway, isolation, sandboxes, and meter — the rest is your differentiated work.

How do I issue tokens dynamically when a new customer signs up?

Call the control-plane HTTP API: POST /v1/tenants {name, quota}. The response includes the plaintext token to store in your customer record. The admin key authenticates this call — keep it in your backend, never in browser code.

Can I white-label the web terminal?

Yes. The xterm.js UI is served by the gateway at /terminal/embed and can be iframed into your app. CSS variables on the iframe page accept overrides; the page itself is single-file and ~30 KB. Pass your own brand color and font via query params if you want to skip CSS overrides.

For platform builders

You're already past prototype

You have a working single-user demo of your AI product. The next step is multi-customer, and you've already started writing your own isolation logic. Right now your TODO list looks like this:

Per-customer session and memory storage
Per-customer LLM key proxying or per-customer cost accounting on shared keys
Sandboxed code execution for customer-provided agents
Channel pairing (WhatsApp, Slack, your own webhook)
An admin API to provision customers and rotate their credentials
Backup and restore for customer data portability
A web terminal so support can actually help when something goes sideways

Each of those is a week of engineering and a week of debugging edge cases. OpenClawMU has shipped all of it.

What you stop owning

Tenant directory layout and the assumption that it's correct on every code path.
Token hashing, rotation, and constant-time verification.
Path-traversal hardening on every API that takes a path string.
Bubblewrap vs Docker decision, plus the seccomp filter and the cgroup limits.
WebSocket-based terminal session management.
OpenAI / OpenResponses compatibility shims.
S3 backup with the same path-traversal protection.
The CSV report generator your finance team will ask for in week three.

What you still own

Your customer-facing auth (Auth0, Clerk, your own).
The mapping from your customer record → OpenClawMU tenant.
Your billing UI and your invoicing.
Your domain logic — the prompts, the tools, the system prompts, the brand voice.
Your distribution and your customer relationships.

A concrete integration sketch

When a customer signs up in your app:

Your signup handler calls POST /v1/tenants on the OpenClawMU control plane with the admin key, passing the customer's quota.
You store the returned token in your customer record (encrypted, of course).
For chat in the customer's browser, your backend issues a short-lived signed cookie that proxies to OpenClawMU with the tenant token attached.
For channel pairing (WhatsApp etc.), you redirect the customer to the gateway's pairing flow URL with their tenant token.
Nightly, your billing cron calls GET /v1/tenants/<id>/usage for each customer and pushes the result into Stripe Billing.

That's the whole integration. The product you're actually differentiating on lives entirely above this layer.

Migration off — if you ever need to

Apache-2.0 means you can fork and run forever. The data model is boring filesystem state plus a small SQLite DB; even if Neul Labs disappeared tomorrow, you'd have your tenants' state on your own disks in formats anyone with a half-decent backend background can read.

Stop building tenant isolation from scratch.

You're already past prototype

What you stop owning

What you still own

A concrete integration sketch

Migration off — if you ever need to

Run your own gateway today.