diff --git a/api-reference/agents.mdx b/api-reference/agents.mdx
index 64ad812..c7d2b1e 100644
--- a/api-reference/agents.mdx
+++ b/api-reference/agents.mdx
@@ -1289,6 +1289,32 @@ If the agent service is already running, returns the existing deployment details
| 401 | Unauthorized |
| 500 | Deployment failed. When the Railway API is not reachable, the error message indicates that provisioning is unavailable. Check the [backend health endpoint](/api-reference/health#backend-health-check) to verify Railway API availability before deploying. |
+## OpenClaw proxy (backend)
+
+```http
+ALL /api/openclaw/proxy/:agentId/*
+```
+
+Transparently proxies HTTP and WebSocket requests to an agent's OpenClaw Control UI running on the internal network. The proxy forwards requests to the agent's internal address and rewrites the path so the OpenClaw UI receives requests at its expected root.
+
+**No bearer token authentication is required.** This route is exempt from the backend API key middleware. OpenClaw handles its own token and password authentication on the proxied service, so users can access the Control UI directly.
+
+WebSocket connections to this path are also proxied, allowing real-time communication with the OpenClaw instance.
+
+### Path parameters
+
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `agentId` | string | Agent identifier (alphanumeric, hyphens, and underscores only) |
+
+### Errors
+
+| Code | Description |
+|------|-------------|
+| 502 | The OpenClaw instance is unreachable |
+
+The `agentId` parameter is sanitized to alphanumeric characters, hyphens, and underscores. Any other characters are stripped before the proxy target is resolved.
+
## OpenClaw version (backend)
```http
diff --git a/api-reference/auth.mdx b/api-reference/auth.mdx
index 9d2d3c3..bb93f20 100644
--- a/api-reference/auth.mdx
+++ b/api-reference/auth.mdx
@@ -15,6 +15,8 @@ The backend uses two authentication patterns depending on the endpoint.
Endpoints such as `/api/deployments`, `/api/openclaw/instances`, and per-agent lifecycle routes require a shared API key passed as a bearer token. The key is compared against the configured `INTERNAL_API_KEY` using a timing-safe comparison.
+The `/api/openclaw/proxy/*` route is exempt from bearer token authentication. OpenClaw's own token and password authentication handles access control on the proxied service. See the [OpenClaw proxy](/api-reference/agents#openclaw-proxy-backend) endpoint for details.
+
```bash
curl -X GET https://backend.example.com/api/openclaw/instances \
-H "Authorization: Bearer YOUR_INTERNAL_API_KEY"
diff --git a/api-reference/overview.mdx b/api-reference/overview.mdx
index c2e2169..63f060d 100644
--- a/api-reference/overview.mdx
+++ b/api-reference/overview.mdx
@@ -249,6 +249,7 @@ curl -X POST https://agentbot.raveculture.xyz/api/ai/chat \
| `/api/openclaw/version` | GET | Get OpenClaw runtime version (backend only) |
| `/api/openclaw/instances` | GET | List running agent instances (backend only, requires auth) |
| `/api/openclaw/instances/:id/stats` | GET | Get instance container stats (backend only, requires auth) |
+| `/api/openclaw/proxy/:agentId/*` | ALL | Proxy to an agent's OpenClaw Control UI (backend only, no auth — OpenClaw handles its own authentication) |
| `/api/deployments` | POST | Deploy an agent container (backend only, requires auth) |
| `/api/models` | GET | List available OpenRouter AI models |
| `/api/coinbase` | GET | Get Coinbase CDP configuration and supported features |