Authentication and login security
Last updated Mar 30, 2026
Every sign-in to MultiClaw goes through MultiClaw Cloud, which manages your credentials, sessions, and lockout protection. You can sign in with an email and password or through Multiplai SSO. This article explains how each method works, what protections are in place, and what you are responsible for.
Email and password
You can create an account with your email and a password. Passwords are hashed with bcrypt before storage — MultiClaw never stores your password in plain text.
Your password must be at least 8 characters. For the strongest protection, use a unique password that you don't reuse across other services. A password manager makes this easier.
Sign in with Multiplai
If your organisation uses Multiplai, you can sign in with Multiplai SSO instead of a separate password. Click "Continue with multiplai.app" on the sign-in screen. MultiClaw redirects you to Multiplai to authenticate — MultiClaw never receives or stores your Multiplai password.
When you sign in through Multiplai, your Multiplai account controls the authentication experience. Password policies, session rules, and any additional protections (such as multi-factor authentication) are managed by Multiplai, not by MultiClaw.
Session security
After you sign in, the desktop app stores a session token in local storage. This token identifies you for all requests to MultiClaw Cloud.
Session tokens are short-lived and rotate automatically. Because tokens expire and refresh without action on your part, a captured token has a limited window of usefulness. The session token is separate from any OpenClaw gateway configuration on your machine — compromising one does not affect the other.
Signing out
Signing out of the desktop app revokes the session token on the server immediately. If you use MultiClaw on more than one device, sign out of each device individually. Always sign out when using a shared or untrusted machine.
If you suspect a compromised session
If you believe someone else has accessed your account:
- Sign out of the desktop app on every device you have access to.
- Reset your password from the sign-in screen.
- Contact MultiClaw through the website to report the suspected unauthorised access.
Under the Terms of Service (§4.3), you are required to notify MultiClaw promptly of any suspected unauthorised access to your account.
To remove a user from your workspace entirely, the workspace owner can go to the Users page (/{your-workspace}/users) in MultiClaw Cloud and revoke their access.
Account lockout
MultiClaw rate-limits sign-in attempts to protect against brute-force attacks. If you enter too many incorrect passwords in a short window, you see a "Too many requests" error.
Wait a minute and try again — the limit resets automatically. No admin action is required to restore access.
If the error persists after waiting, confirm you are entering the correct email address. If you've forgotten your password, use the password-reset link on the sign-in screen rather than retrying.
What this article does not cover
Authentication for the local OpenClaw gateway is handled separately from your MultiClaw Cloud sign-in. The gateway uses its own short-lived signed tokens that rotate automatically. See Security overview for how the trust zones connect.
Credential and secret storage (API keys, config values) is covered in How credentials and secrets are stored.
Your security responsibilities
MultiClaw secures the authentication infrastructure: password hashing, token rotation, rate limiting, and TLS for all connections. You are responsible for:
- Choosing a strong password: use at least 8 characters and avoid reusing passwords from other services.
- Keeping credentials confidential: don't share your password or session details with others.
- Signing out on shared devices: always sign out after using MultiClaw on a machine you don't control.
- Reporting unauthorised access promptly: notify MultiClaw through the website if you suspect your account has been compromised.
- Managing workspace membership: if you are the workspace owner, periodically review the member list on your workspace's Users page and remove users who no longer need access.
For the full breakdown of what MultiClaw secures versus what you own, see Shared responsibility model.
Related articles
Security overview
MultiClaw protects your data through layered security, TLS encryption in transit, app sandboxing, and a no-telemetry policy.
Roles and access control
Each workspace member is an Owner or a Member. Owners manage people; Members access resources.
Data encryption
MultiClaw Cloud encrypts credentials and API keys with AES-256 and secures all traffic with TLS; local files are plain JSON protected only by OS file permissions.