diff --git a/hosts/fw/modules/web/default.nix b/hosts/fw/modules/web/default.nix
index 73c72a3..06121f7 100644
--- a/hosts/fw/modules/web/default.nix
+++ b/hosts/fw/modules/web/default.nix
@@ -109,6 +109,8 @@ in
 matrix-authentication-service # mas-cli for migration
 ];
+ security.sudo.enable = true;
+
 networking.hostName = hostname;
 services.openssh = {
diff --git a/hosts/fw/modules/web/matrix.nix b/hosts/fw/modules/web/matrix.nix
index 967a6b1..71c136d 100644
--- a/hosts/fw/modules/web/matrix.nix
+++ b/hosts/fw/modules/web/matrix.nix
@@ -571,6 +571,36 @@ in {
 '';
 };
+ # Provision an OpenClaw bot user in MAS and issue a long-lived compatibility
+ # access token. Runs once; the token is persisted in /var/lib/mas/.
+ systemd.services.matrix-bot-provision = {
+ description = "Provision Matrix bot user for OpenClaw";
+ after = [ "matrix-authentication-service.service" ];
+ before = [ "podman-openclaw.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ path = [ "/run/wrappers" ];
+ script = ''
+ TOKEN_FILE="/persist/openclaw-token"
+ if [ ! -f "$TOKEN_FILE" ]; then
+ sudo -u mas ${masPackage}/bin/mas-cli manage register-user \
+ --config /run/mas/config.yaml \
+ --username openclaw \
+ --display-name "OpenClaw Bot" \
+ --yes 2>/dev/null || true
+ TOKEN=$(sudo -u mas ${masPackage}/bin/mas-cli manage issue-compatibility-token \
+ --config /run/mas/config.yaml \
+ openclaw OPENCLAW 2>&1 \
+ | ${pkgs.gnugrep}/bin/grep -oP 'token issued: \K\S+')
+ echo "$TOKEN" > "$TOKEN_FILE"
+ chmod 0444 "$TOKEN_FILE"
+ fi
+ '';
+ };
+
 # Mattermost bridge (bridgev2 — attrs replace entirely, so include all needed fields)
 services.mautrix-mattermost = {
 enable = true;
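Review bot: `security.sudo.enable = true;` switches on the setuid sudo wrapper for the whole host, and as far as this diff shows the only consumer is the new matrix-bot-provision oneshot in matrix.nix that uses it to step from root down to the mas user. Since that unit already runs as root, the user switch does not need a setuid helper at all: `${pkgs.util-linux}/bin/runuser -u mas -- ${masPackage}/bin/mas-cli ...` in place of `sudo -u mas ...` does the same without enlarging the host's privilege surface, or the unit can run with `User = "mas"` and the token destination adjusted. If sudo is wanted on this host for other reasons, a comment saying so, e.g. `# sudo: used by matrix-bot-provision (matrix.nix) to run mas-cli as the mas user`, would keep the coupling between the two files visible.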
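Review bot: `chmod 0444 "$TOKEN_FILE"` leaves a long-lived Matrix access token readable by every local user and every container process that can see /persist, and `echo "$TOKEN" > "$TOKEN_FILE"` creates the file under the default umask before the chmod runs; create it restrictively and grant it only to its consumer, e.g. `umask 077` before the write and `chmod 0400 "$TOKEN_FILE"` followed by a chown to whatever uid podman-openclaw.service reads it with (not visible here). Because mas-cli's stderr is merged into grep's input by `2>&1`, a run where no `token issued:` line appears could write an empty token file that the `if [ ! -f "$TOKEN_FILE" ]` guard then never regenerates, so guard the write with `[ -n "$TOKEN" ]` — unless the NixOS script wrapper's errexit already aborts on grep's non-zero status, which I cannot confirm from the hunk. The header comment says the token is persisted in /var/lib/mas/ while the script writes /persist/openclaw-token; the comment should name the real path. `--yes 2>/dev/null || true` also hides every failure of register-user, not just "user already exists", which makes a misconfigured MAS look like a successful provisioning.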