Source-grounded rewrite of 529 published docs pages with per-unit information-loss verification: 1,713 factual corrections cited to src/**, generated surfaces regenerated, frontmatter titles preserved for i18n, release notes pages untouched. All docs gates green. Closes #100141
53 KiB
summary, read_when, title
| summary | read_when | title | |||
|---|---|---|---|---|---|
| Gateway WebSocket protocol: handshake, frames, versioning |
|
Gateway protocol |
The Gateway WS protocol is the single control plane and node transport for OpenClaw. Every client (CLI, web UI, macOS app, iOS/Android nodes, headless nodes) connects over WebSocket and declares a role and scope at handshake time.
Transport and framing
- WebSocket, text frames, JSON payloads.
- First frame must be a
connectrequest. - Pre-connect frames are capped at 64 KiB (
MAX_PREAUTH_PAYLOAD_BYTES). After handshake, followhello-ok.policy.maxPayloadandhello-ok.policy.maxBufferedBytes. With diagnostics enabled, oversized inbound frames and slow outbound buffers emitpayload.largeevents before the gateway closes or drops the frame. These events carrysurface, byte sizes, limits, and a safe reason code, never message bodies, attachment contents, raw frame bytes, tokens, cookies, or secrets.
Frame shapes:
- Request:
{type:"req", id, method, params} - Response:
{type:"res", id, ok, payload|error} - Event:
{type:"event", event, payload, seq?, stateVersion?}
Side-effecting methods require idempotency keys (see schema).
Handshake
Gateway sends a pre-connect challenge:
{
"type": "event",
"event": "connect.challenge",
"payload": { "nonce": "…", "ts": 1737264000000 }
}
Client replies with connect:
{
"type": "req",
"id": "…",
"method": "connect",
"params": {
"minProtocol": 4,
"maxProtocol": 4,
"client": {
"id": "cli",
"version": "1.2.3",
"platform": "macos",
"mode": "operator"
},
"role": "operator",
"scopes": ["operator.read", "operator.write"],
"caps": [],
"commands": [],
"permissions": {},
"auth": { "token": "…" },
"locale": "en-US",
"userAgent": "openclaw-cli/1.2.3",
"device": {
"id": "device_fingerprint",
"publicKey": "…",
"signature": "…",
"signedAt": 1737264000000,
"nonce": "…"
}
}
}
Gateway responds with hello-ok:
{
"type": "res",
"id": "…",
"ok": true,
"payload": {
"type": "hello-ok",
"protocol": 4,
"server": { "version": "…", "connId": "…" },
"features": { "methods": ["…"], "events": ["…"] },
"snapshot": { "…": "…" },
"auth": {
"role": "operator",
"scopes": ["operator.read", "operator.write"]
},
"policy": {
"maxPayload": 26214400,
"maxBufferedBytes": 52428800,
"tickIntervalMs": 15000
}
}
}
server, features, snapshot, policy, and auth are all required by
HelloOkSchema (packages/gateway-protocol/src/schema/frames.ts). auth
reports the negotiated role/scopes even when no device token is issued (shape
above). pluginSurfaceUrls is optional and maps plugin surface names (e.g.
canvas) to scoped hosted URLs; it may expire, so nodes call
node.pluginSurface.refresh with { "surface": "canvas" } for a fresh entry.
The deprecated canvasHostUrl / canvasCapability / node.canvas.capability.refresh
path is not supported; use plugin surfaces.
While the gateway is still finishing startup sidecars, connect can return a
retryable UNAVAILABLE error with details.reason: "startup-sidecars" and
retryAfterMs. Retry within your connection budget instead of treating it as
a terminal handshake failure.
When a device token is issued, hello-ok.auth adds it:
{
"auth": {
"deviceToken": "…",
"role": "operator",
"scopes": ["operator.read", "operator.write"]
}
}
Built-in QR/setup-code bootstrap is a mobile handoff path. A successful baseline setup-code connect returns a primary node token plus one bounded operator token:
{
"auth": {
"deviceToken": "…",
"role": "node",
"scopes": [],
"deviceTokens": [
{
"deviceToken": "…",
"role": "operator",
"scopes": ["operator.approvals", "operator.read", "operator.talk.secrets", "operator.write"]
}
]
}
}
This operator handoff is bounded on purpose: enough to start the mobile
operator loop and native setup, including operator.talk.secrets for Talk
config reads, but no pairing-mutation scopes and no operator.admin. Broader
pairing/admin access needs a separate approved pairing or token flow. Persist
hello-ok.auth.deviceTokens only when bootstrap auth ran over a trusted
transport (wss:// or loopback/local pairing).
Trusted same-process backend clients (client.id: "gateway-client",
client.mode: "backend") may omit device on direct loopback connections when
authenticating with the shared gateway token/password. This path is reserved
for internal control-plane RPCs (e.g. subagent session updates) and avoids
stale CLI/device pairing baselines blocking local backend work. Remote,
browser-origin, node, and explicit device-token/device-identity clients still
go through normal pairing and scope-upgrade checks.
Node connect example
{
"type": "req",
"id": "…",
"method": "connect",
"params": {
"minProtocol": 4,
"maxProtocol": 4,
"client": {
"id": "ios-node",
"version": "1.2.3",
"platform": "ios",
"mode": "node"
},
"role": "node",
"scopes": [],
"caps": ["camera", "canvas", "screen", "location", "voice"],
"commands": ["camera.snap", "canvas.navigate", "screen.record", "location.get"],
"permissions": { "camera.capture": true, "screen.record": false },
"auth": { "token": "…" },
"locale": "en-US",
"userAgent": "openclaw-ios/1.2.3",
"device": {
"id": "device_fingerprint",
"publicKey": "…",
"signature": "…",
"signedAt": 1737264000000,
"nonce": "…"
}
}
}
Nodes declare capability claims at connect time:
caps: high-level categories such ascamera,canvas,screen,location,voice,talk.commands: command allowlist for invoke.permissions: granular toggles (e.g.screen.record,camera.capture).
The gateway treats these as claims and enforces server-side allowlists.
Roles and scopes
For the full operator scope model, approval-time checks, and shared-secret semantics, see Operator scopes.
Roles:
operator: control-plane client (CLI/UI/automation).node: capability host (camera/screen/canvas/system.run).
Operator scopes (src/gateway/operator-scopes.ts), the full closed set:
operator.readoperator.writeoperator.adminoperator.approvalsoperator.pairingoperator.talk.secrets
talk.config with includeSecrets: true requires operator.talk.secrets (or
operator.admin). When secrets are included, read the active Talk provider
credential from talk.resolved.config.apiKey; talk.providers.<id>.apiKey
stays source-shaped and may be a SecretRef object or a redacted string.
Plugin-registered gateway RPC methods may request their own operator scope,
but these reserved core prefixes always resolve to operator.admin
(src/shared/gateway-method-policy.ts): config.*, exec.approvals.*,
wizard.*, update.*.
Method scope is only the first gate. Some slash commands reached through
chat.send apply stricter command-level checks: persistent /config set and
/config unset writes require operator.admin even for gateway clients that
already hold a lower operator scope.
node.pair.approve has an extra approval-time scope check on top of the base
method scope (operator.pairing), based on the pending request's declared
commands (src/infra/node-pairing-authz.ts):
| Declared commands | Required scopes |
|---|---|
| none | operator.pairing |
| non-exec commands | operator.pairing + operator.write |
includes system.run, system.run.prepare, or system.which |
operator.pairing + operator.admin |
Presence
system-presencereturns entries keyed by device identity, includingdeviceId,roles, andscopes, so UIs can show one row per device even when it connects as both operator and node.node.listincludes optionallastSeenAtMsandlastSeenReason. Connected nodes report current connection time with reasonconnect; paired nodes can also report durable background presence via a trusted node event.
Node background alive event
Nodes call node.event with event: "node.presence.alive" to record that a
paired node was alive during a background wake, without marking it connected:
{
"event": "node.presence.alive",
"payloadJSON": "{\"trigger\":\"silent_push\",\"sentAtMs\":1737264000000,\"displayName\":\"Peter's iPhone\",\"version\":\"2026.4.28\",\"platform\":\"iOS 18.4.0\",\"deviceFamily\":\"iPhone\",\"modelIdentifier\":\"iPhone17,1\",\"pushTransport\":\"relay\"}"
}
trigger is a closed enum: background, silent_push, bg_app_refresh,
significant_location, manual, connect. Unknown values normalize to
background (src/shared/node-presence.ts). The event only persists for
authenticated node device sessions; device-less or unpaired sessions return
handled: false.
Successful gateways return a structured result:
{
"ok": true,
"event": "node.presence.alive",
"handled": true,
"reason": "persisted"
}
Older gateways may return only { "ok": true } for node.event; treat that
as an acknowledged RPC, not durable presence persistence.
Broadcast event scoping
Server-pushed broadcast events are scope-gated so pairing-scoped or node-only
sessions do not passively receive session content
(src/gateway/server-broadcast.ts):
- Chat, agent, and tool-result frames (streamed
agentevents, tool-result events) require at leastoperator.read. Sessions without it skip these frames entirely. - Plugin-defined
plugin.*broadcasts are gated tooperator.writeoroperator.adminby default; explicit entries such asplugin.approval.requested/plugin.approval.resolveduseoperator.approvalsinstead. - Status/transport events (
heartbeat,presence,tick, connect/disconnect lifecycle) stay unrestricted so transport health is observable to every authenticated session. - Unknown broadcast event families are scope-gated by default (fail-closed) unless a registered handler explicitly relaxes them.
Each client connection keeps its own per-client sequence number, so broadcasts stay monotonically ordered on that socket even when different clients see different scope-filtered subsets of the event stream.
RPC method families
hello-ok.features.methods is a conservative discovery list built from
src/gateway/server-methods-list.ts plus loaded plugin/channel method
exports — it is not a generated dump of every method, and some methods (for
example push.test, web.login.start, web.login.wait, sessions.usage)
are intentionally excluded from discovery even though they are real, callable
methods. Treat this as feature discovery, not a full enumeration of
src/gateway/server-methods/*.ts.
The setup code embeds a short-lived bootstrap credential. Clients must not
log or persist it beyond the pairing flow.
- `node.pair.request`, `node.pair.list`, `node.pair.approve`, `node.pair.reject`, `node.pair.remove`, and `node.pair.verify` cover node pairing and bootstrap verification.
- `node.list` and `node.describe` return known/connected node state.
- `node.rename` updates a paired node label.
- `node.invoke` forwards a command to a connected node.
- `node.invoke.result` returns the result for an invoke request.
- `node.event` carries node-originated events back into the gateway.
- `node.pending.pull` and `node.pending.ack` are the connected-node queue APIs.
- `node.pending.enqueue` and `node.pending.drain` manage durable pending work for offline/disconnected nodes.
- `exec.approval.request`, `exec.approval.get`, `exec.approval.list`, and `exec.approval.resolve` cover one-shot exec approval requests plus pending approval lookup/replay.
- `exec.approval.waitDecision` waits on one pending exec approval and returns the final decision (or `null` on timeout).
- `exec.approvals.get` and `exec.approvals.set` manage gateway exec approval policy snapshots.
- `exec.approvals.node.get` and `exec.approvals.node.set` manage node-local exec approval policy via node relay commands.
- `plugin.approval.request`, `plugin.approval.list`, `plugin.approval.waitDecision`, and `plugin.approval.resolve` cover plugin-defined approval flows.
- Automation: `wake` schedules an immediate or next-heartbeat wake text injection; `cron.get`, `cron.list`, `cron.status`, `cron.add`, `cron.update`, `cron.remove`, `cron.run`, `cron.runs` manage scheduled work.
- `cron.run` remains an enqueue-style RPC for manual runs. Clients that need completion semantics should read the returned `runId` and poll `cron.runs`.
- `cron.runs` accepts an optional non-empty `runId` filter so clients can follow one queued manual run without racing against other history entries for the same job.
- Skills and tools: `commands.list`, `skills.*`, `tools.catalog`, `tools.effective`, `tools.invoke`. See [Operator helper methods](#operator-helper-methods) below.
Common event families
chat: UI chat updates such aschat.injectand other transcript-only chat events. In protocol v4, delta payloads carrydeltaText;messageremains the cumulative assistant snapshot. Non-prefix replacements setreplace=trueand usedeltaTextas the replacement text.session.message,session.operation,session.tool: transcript, in-flight session operation, and event-stream updates for a subscribed session.sessions.changed: session index or metadata changed.presence: system presence snapshot updates.tick: periodic keepalive/liveness event.health: gateway health snapshot update.heartbeat: heartbeat event stream update.cron: cron run/job change event.shutdown: gateway shutdown notification.node.pair.requested/node.pair.resolved: node pairing lifecycle.node.invoke.request: node invoke request broadcast.device.pair.requested/device.pair.resolved: paired-device lifecycle.voicewake.changed: wake-word trigger config changed.exec.approval.requested/exec.approval.resolved: exec approval lifecycle.plugin.approval.requested/plugin.approval.resolved: plugin approval lifecycle.
Node helper methods
Nodes may call skills.bins to fetch the current list of skill executables
for auto-allow checks.
Task ledger RPCs
Operator clients inspect and cancel gateway background task records through
the task ledger RPCs (packages/gateway-protocol/src/schema/tasks.ts). These
return sanitized task summaries, not raw runtime state.
tasks.listrequiresoperator.read.- Params: optional
status("queued","running","completed","failed","cancelled", or"timed_out") or an array of those statuses, optionalagentId, optionalsessionKey, optionallimitfrom1to500, and optional stringcursor. - Result:
{ "tasks": TaskSummary[], "nextCursor"?: string }.
- Params: optional
tasks.getrequiresoperator.read.- Params:
{ "taskId": string }. - Result:
{ "task": TaskSummary }. - Missing task ids return the gateway not-found error shape.
- Params:
tasks.cancelrequiresoperator.write.- Params:
{ "taskId": string, "reason"?: string }. - Result:
{ "found": boolean, "cancelled": boolean, "reason"?: string, "task"?: TaskSummary }. foundreports whether the ledger had a matching task.cancelledreports whether the runtime accepted or recorded cancellation.
- Params:
TaskSummary includes id, status, and optional metadata: kind,
runtime, title, agentId, sessionKey, childSessionKey, ownerKey,
runId, taskId, flowId, parentTaskId, sourceId, timestamps, progress,
terminal summary, and sanitized error text. agentId identifies the agent
executing the task; sessionKey and ownerKey preserve requester and control
context.
Operator helper methods
commands.list(operator.read) fetches the runtime command inventory for an agent.agentIdis optional; omit it to read the default agent workspace.scopecontrols which surface the primarynametargets:textreturns the primary text command token without the leading/;nativeand the defaultbothpath return provider-aware native names when available.textAliasescarries exact slash aliases such as/modeland/m.nativeNamecarries the provider-aware native command name when one exists.provideris optional and only affects native naming plus native plugin command availability.includeArgs=falseomits serialized argument metadata from the response.
tools.catalog(operator.read) fetches the runtime tool catalog for an agent. The response includes grouped tools and provenance metadata:source:coreorpluginpluginId: plugin owner whensource="plugin"optional: whether a plugin tool is optional
tools.effective(operator.read) fetches the runtime-effective tool inventory for a session.sessionKeyis required.- The gateway derives trusted runtime context from the session server-side instead of accepting caller-supplied auth or delivery context.
- The response is a session-scoped server-derived projection of the active inventory, including core, plugin, channel, and already-discovered MCP server tools.
tools.effectiveis read-only for MCP: it may project a warm session MCP catalog through the final tool policy, but does not create MCP runtimes, connect transports, or issuetools/list. If no matching warm catalog exists, the response may include a notice such asmcp-not-yet-connected,mcp-not-yet-listed, ormcp-stale-catalog.- Effective tool entries use
source="core",source="plugin",source="channel", orsource="mcp".
tools.invoke(operator.write) invokes one available tool through the same gateway policy path as/tools/invoke.nameis required.args,sessionKey,agentId,confirm, andidempotencyKeyare optional.- If both
sessionKeyandagentIdare present, the resolved session agent must matchagentId. - Owner-only core wrappers such as
cron,gateway, andnodesrequire owner/admin identity (operator.admin) even thoughtools.invokeitself isoperator.write. - The response is an SDK-facing envelope with
ok,toolName, optionaloutput, and typederrorfields. Approval or policy refusals returnok:falsein the payload rather than bypassing the gateway tool policy pipeline.
skills.status(operator.read) fetches the visible skill inventory for an agent.agentIdis optional; omit it to read the default agent workspace.- The response includes eligibility, missing requirements, config checks, and sanitized install options without exposing raw secret values.
skills.searchandskills.detail(operator.read) return ClawHub discovery metadata.skills.upload.begin,skills.upload.chunk, andskills.upload.commit(operator.admin) stage a private skill archive before installing it. This is a separate admin upload path for trusted clients, not the normal ClawHub skill install flow, and is disabled by default unlessskills.install.allowUploadedArchivesis enabled.skills.upload.begin({ kind: "skill-archive", slug, sizeBytes, sha256?, force?, idempotencyKey? })creates an upload bound to that slug and force value.skills.upload.chunk({ uploadId, offset, dataBase64 })appends bytes at the exact decoded offset.skills.upload.commit({ uploadId, sha256? })verifies the final size and SHA-256. Commit only finalizes the upload; it does not install the skill.- Uploaded skill archives are zip archives containing a
SKILL.mdroot. The archive's internal directory name never selects the install target.
skills.install(operator.admin) has three modes:- ClawHub mode:
{ source: "clawhub", slug, version?, force? }installs a skill folder into the default agent workspaceskills/directory. - Upload mode:
{ source: "upload", uploadId, slug, force?, sha256?, timeoutMs? }installs a committed upload into the default agent workspaceskills/<slug>directory. The slug and force value must match the originalskills.upload.beginrequest. Rejected unlessskills.install.allowUploadedArchivesis enabled; the setting does not affect ClawHub installs. - Gateway installer mode:
{ name, installId, timeoutMs? }runs a declaredmetadata.openclaw.installaction on the gateway host. Older clients may still senddangerouslyForceUnsafeInstall; this field is deprecated, accepted only for protocol compatibility, and ignored. Usesecurity.installPolicyfor operator-owned install decisions.
- ClawHub mode:
skills.update(operator.admin) has two modes:- ClawHub mode updates one tracked slug or all tracked ClawHub installs in the default agent workspace.
- Config mode patches
skills.entries.<skillKey>values such asenabled,apiKey, andenv.
models.list views
models.list accepts an optional view parameter
(src/agents/model-catalog-visibility.ts):
- Omitted or
"default": ifagents.defaults.modelsis configured, the response is the allowed catalog, including dynamically discovered models forprovider/*entries. Otherwise the response is the full gateway catalog. "configured": picker-sized behavior. Ifagents.defaults.modelsis configured, it still wins, including provider-scoped discovery forprovider/*entries. Without an allowlist, the response uses explicitmodels.providers.<provider>.modelsentries, falling back to the full catalog only when no configured model rows exist."all": full gateway catalog, bypassingagents.defaults.models. Use for diagnostics/discovery UIs, not normal model pickers.
Exec approvals
- When an exec request needs approval, the gateway broadcasts
exec.approval.requested. - Operator clients resolve by calling
exec.approval.resolve(requiresoperator.approvals). - For
host=node,exec.approval.requestmust includesystemRunPlan(canonicalargv/cwd/rawCommand/session metadata). Requests missingsystemRunPlanare rejected. - After approval, forwarded
node.invoke system.runcalls reuse that canonicalsystemRunPlanas the authoritative command/cwd/session context. - If a caller mutates
command,rawCommand,cwd,agentId, orsessionKeybetween prepare and the final approvedsystem.runforward, the gateway rejects the run instead of trusting the mutated payload.
Agent delivery fallback
agentrequests can includedeliver=trueto request outbound delivery.bestEffortDeliver=false(the default) keeps strict behavior: unresolved or internal-only delivery targets returnINVALID_REQUEST.bestEffortDeliver=trueallows fallback to session-only execution when no external deliverable route can be resolved (for example internal/webchat sessions or ambiguous multi-channel configs).- Final
agentresults may includeresult.deliveryStatuswhen delivery was requested, using the samesent,suppressed,partial_failed, andfailedstatuses documented foropenclaw agent --json --deliver.
Versioning
PROTOCOL_VERSIONandMIN_CLIENT_PROTOCOL_VERSIONlive inpackages/gateway-protocol/src/version.ts. Both are currently4.- Clients send
minProtocol+maxProtocol; the gateway accepts a connect whenmaxProtocol >= PROTOCOL_VERSION && minProtocol <= PROTOCOL_VERSION(src/gateway/server/ws-connection/message-handler.ts). Current clients and servers both run protocol v4. - Schemas and models are generated from TypeBox definitions:
pnpm protocol:genpnpm protocol:gen:swiftpnpm protocol:check
Client constants
The reference client implementation lives in packages/gateway-client/src/
(OpenClaw wraps it via the thin src/gateway/client.ts facade). These
defaults are stable across protocol v4 and are the expected baseline for
third-party clients.
| Constant | Default | Source |
|---|---|---|
PROTOCOL_VERSION |
4 |
packages/gateway-protocol/src/version.ts |
MIN_CLIENT_PROTOCOL_VERSION |
4 |
packages/gateway-protocol/src/version.ts |
| Request timeout (per RPC) | 30_000 ms |
packages/gateway-client/src/client.ts (requestTimeoutMs) |
| Preauth / connect-challenge timeout | 15_000 ms |
packages/gateway-client/src/timeouts.ts (OPENCLAW_HANDSHAKE_TIMEOUT_MS env can raise the paired server/client budget) |
| Initial reconnect backoff | 1_000 ms |
packages/gateway-client/src/client.ts (backoffMs) |
| Max reconnect backoff | 30_000 ms |
packages/gateway-client/src/client.ts (scheduleReconnect) |
| Fast-retry clamp after device-token close | 250 ms |
packages/gateway-client/src/client.ts |
Force-stop grace before terminate() |
250 ms |
FORCE_STOP_TERMINATE_GRACE_MS |
stopAndWait() default timeout |
1_000 ms |
STOP_AND_WAIT_TIMEOUT_MS |
Default tick interval (pre hello-ok) |
30_000 ms |
packages/gateway-client/src/client.ts |
| Tick-timeout close | code 4000 when silence exceeds tickIntervalMs * 2 |
packages/gateway-client/src/client.ts |
MAX_PAYLOAD_BYTES |
25 * 1024 * 1024 (25 MB) |
src/gateway/server-constants.ts |
The server advertises the effective policy.tickIntervalMs,
policy.maxPayload, and policy.maxBufferedBytes in hello-ok; clients
should honor those values rather than the pre-handshake defaults.
Auth
- Shared-secret gateway auth uses
connect.params.auth.tokenorconnect.params.auth.password, depending on the configuredgateway.auth.mode("none" | "token" | "password" | "trusted-proxy"). - Identity-bearing modes such as Tailscale Serve (
gateway.auth.allowTailscale: true) or non-loopbackgateway.auth.mode: "trusted-proxy"satisfy the connect auth check from request headers instead ofconnect.params.auth.*. - Private-ingress
gateway.auth.mode: "none"skips shared-secret connect auth entirely; do not expose that mode on public/untrusted ingress. - After pairing, the gateway issues a device token scoped to the connection
role + scopes, returned in
hello-ok.auth.deviceToken. Clients should persist it after any successful connect. - Reconnecting with that stored device token should also reuse the stored approved scope set for that token. This preserves read/probe/status access already granted and avoids silently collapsing reconnects to a narrower implicit admin-only scope.
- Client-side connect auth assembly (
selectConnectAuthinpackages/gateway-client/src/client.ts):auth.passwordis orthogonal and always forwarded when set.auth.tokenis populated in priority order: explicit shared token first, then an explicitdeviceToken, then a stored per-device token (keyed bydeviceId+role).auth.bootstrapTokenis sent only when none of the above resolvedauth.token. A shared token or any resolved device token suppresses it.- Auto-promotion of a stored device token on the one-shot
AUTH_TOKEN_MISMATCHretry is gated to trusted endpoints only: loopback, orwss://with a pinnedtlsFingerprint. Publicwss://without pinning does not qualify.
- Built-in setup-code bootstrap returns the primary node
hello-ok.auth.deviceTokenplus a bounded operator token inhello-ok.auth.deviceTokensfor trusted mobile handoff. The operator token includesoperator.talk.secretsfor native Talk configuration reads, but excludes pairing-mutation scopes andoperator.admin. - While a non-baseline setup-code bootstrap waits for approval,
PAIRING_REQUIREDdetails includerecommendedNextStep: "wait_then_retry",retryable: true, andpauseReconnect: false. Keep reconnecting with the same bootstrap token until the request is approved or the token becomes invalid. - Persist
hello-ok.auth.deviceTokensonly when the connect used bootstrap auth on a trusted transport such aswss://or loopback/local pairing. - If a client supplies an explicit
deviceTokenor explicitscopes, that caller-requested scope set remains authoritative; cached scopes are only reused when the client is reusing the stored per-device token. - Device tokens can be rotated/revoked via
device.token.rotateanddevice.token.revoke(requiresoperator.pairing). Rotating or revoking a node or other non-operator role also requiresoperator.admin. device.token.rotatereturns rotation metadata. It echoes the replacement bearer token only for same-device calls already authenticated with that device token, so token-only clients can persist their replacement before reconnecting. Shared/admin rotations do not echo the bearer token.- Token issuance, rotation, and revocation stay bounded to the approved role set recorded in that device's pairing entry; token mutation cannot expand or target a device role that pairing approval never granted.
- For paired-device token sessions, device management is self-scoped unless
the caller also has
operator.admin: non-admin callers can manage only the operator token for their own device entry. Node and other non-operator token management is admin-only, even for the caller's own device. device.token.rotateanddevice.token.revokealso check the target operator token scope set against the caller's current session scopes. Non-admin callers cannot rotate or revoke a broader operator token than they already hold.- Auth failures include
error.details.codeplus recovery hints:error.details.canRetryWithDeviceToken(boolean)error.details.recommendedNextStep: one ofretry_with_device_token,update_auth_configuration,update_auth_credentials,wait_then_retry,review_auth_configuration(packages/gateway-protocol/src/connect-error-details.ts).
- Client behavior for
AUTH_TOKEN_MISMATCH:- Trusted clients may attempt one bounded retry with a cached per-device token.
- If that retry fails, stop automatic reconnect loops and surface operator action guidance.
AUTH_SCOPE_MISMATCHmeans the device token was recognized but does not cover the requested role/scopes. Do not present this as a bad token; prompt the operator to re-pair or approve the narrower/broader scope contract.
Device identity and pairing
- Nodes should include a stable device identity (
device.id) derived from a keypair fingerprint. - Gateways issue tokens per device + role.
- Pairing approvals are required for new device IDs unless local auto-approval is enabled.
- Pairing auto-approval is centered on direct local loopback connects.
- OpenClaw also has a narrow backend/container-local self-connect path for trusted shared-secret helper flows.
- Same-host tailnet or LAN connects are still treated as remote for pairing and require approval.
- WS clients normally include
deviceidentity duringconnect(operator + node). The only device-less operator exceptions are explicit trust paths:gateway.controlUi.allowInsecureAuth=truefor localhost-only insecure HTTP compatibility.- successful
gateway.auth.mode: "trusted-proxy"operator Control UI auth. gateway.controlUi.dangerouslyDisableDeviceAuth=true(break-glass, severe security downgrade).- direct-loopback
gateway-clientbackend RPCs on the reserved internal helper path.
- Omitting device identity has scope consequences. When a device-less
operator connection is allowed through an explicit trust path, OpenClaw
still clears self-declared scopes to an empty set unless that path has a
named scope-preservation exception. Scope-gated methods then fail with
missing scope. gateway.controlUi.dangerouslyDisableDeviceAuth=trueis a Control UI break-glass scope-preservation path. It does not grant scopes to arbitrary custom backend or CLI-shaped WebSocket clients.- The reserved direct-loopback
gateway-clientbackend helper path preserves scopes only for internal local control-plane RPCs; custom backend IDs do not receive this exception. - All connections must sign the server-provided
connect.challengenonce.
Device auth migration diagnostics
For legacy clients that still use pre-challenge signing behavior, connect
returns DEVICE_AUTH_* detail codes under error.details.code with a stable
error.details.reason.
Common migration failures:
| Message | details.code | details.reason | Meaning |
|---|---|---|---|
device nonce required |
DEVICE_AUTH_NONCE_REQUIRED |
device-nonce-missing |
Client omitted device.nonce (or sent blank). |
device nonce mismatch |
DEVICE_AUTH_NONCE_MISMATCH |
device-nonce-mismatch |
Client signed with a stale/wrong nonce. |
device signature invalid |
DEVICE_AUTH_SIGNATURE_INVALID |
device-signature |
Signature payload does not match v2 payload. |
device signature expired |
DEVICE_AUTH_SIGNATURE_EXPIRED |
device-signature-stale |
Signed timestamp is outside allowed skew. |
device identity mismatch |
DEVICE_AUTH_DEVICE_ID_MISMATCH |
device-id-mismatch |
device.id does not match public key fingerprint. |
device public key invalid |
DEVICE_AUTH_PUBLIC_KEY_INVALID |
device-public-key |
Public key format/canonicalization failed. |
Migration target:
- Always wait for
connect.challenge. - Sign the v2 payload that includes the server nonce.
- Send the same nonce in
connect.params.device.nonce. - Preferred signature payload is
v3(buildDeviceAuthPayloadV3inpackages/gateway-client/src/device-auth.ts), which bindsplatformanddeviceFamilyin addition to device/client/role/scopes/token/nonce fields. - Legacy
v2signatures remain accepted for compatibility, but paired-device metadata pinning still controls command policy on reconnect.
TLS and pinning
- TLS is supported for WS connections (
gateway.tlsconfig). - Clients may optionally pin the gateway cert fingerprint via
gateway.remote.tlsFingerprintor CLI--tls-fingerprint.
Scope
This protocol exposes the full gateway API: status, channels, models, chat,
agent, sessions, nodes, approvals, and more. The exact surface is defined by
the TypeBox schemas re-exported from packages/gateway-protocol/src/schema.ts.