mirror of
https://github.com/openclaw/openclaw.git
synced 2026-07-06 19:32:58 +08:00
Source-grounded rewrite of 529 published docs pages with per-unit information-loss verification: 1,713 factual corrections cited to src/**, generated surfaces regenerated, frontmatter titles preserved for i18n, release notes pages untouched. All docs gates green. Closes #100141
5.5 KiB
5.5 KiB
summary, read_when, title
| summary | read_when | title | |
|---|---|---|---|
| Gateway dashboard (Control UI) access and auth |
|
Dashboard |
The Gateway dashboard is the browser Control UI served at / by default (override with gateway.controlUi.basePath).
Quick open (local Gateway):
- http://127.0.0.1:18789/ (or http://localhost:18789/)
- With
gateway.tls.enabled: true, usehttps://127.0.0.1:18789/andwss://127.0.0.1:18789for the WebSocket endpoint.
Key references:
- Control UI for usage and UI capabilities.
- Tailscale for Serve/Funnel automation.
- Web surfaces for bind modes and security notes.
Auth is enforced at the WebSocket handshake via the configured gateway auth path:
connect.params.auth.tokenconnect.params.auth.password- Tailscale Serve identity headers when
gateway.auth.allowTailscale: true - trusted-proxy identity headers when
gateway.auth.mode: "trusted-proxy"
See gateway.auth in Gateway configuration.
Fast path (recommended)
- After onboarding, the CLI auto-opens the dashboard and prints a clean (non-tokenized) link.
- Re-open anytime:
openclaw dashboard(copies the link, opens a browser if possible, prints an SSH hint if headless). - If clipboard and browser delivery both fail,
openclaw dashboardstill prints the clean URL and tells you to append your token (fromOPENCLAW_GATEWAY_TOKENorgateway.auth.token) as the URL fragment keytoken; it never prints the token value in logs. - If the UI prompts for shared-secret auth, paste the configured token or password into Control UI settings.
Auth basics (local vs remote)
- Localhost: open
http://127.0.0.1:18789/. - Gateway TLS: when
gateway.tls.enabled: true, dashboard/status links usehttps://and Control UI WebSocket links usewss://. - Shared-secret token source:
gateway.auth.token(orOPENCLAW_GATEWAY_TOKEN).openclaw dashboardcan pass it via URL fragment for one-time bootstrap; the Control UI keeps it in sessionStorage for the current tab and selected gateway URL, not localStorage. - If
gateway.auth.tokenis SecretRef-managed,openclaw dashboardprints/copies/opens a non-tokenized URL by design, to avoid exposing externally managed tokens in shell logs, clipboard history, or browser-launch arguments. If the ref is unresolved in your current shell, it still prints the non-tokenized URL plus actionable auth setup guidance. - Shared-secret password: use the configured
gateway.auth.password(orOPENCLAW_GATEWAY_PASSWORD). The dashboard does not persist passwords across reloads. - Identity-bearing modes: Tailscale Serve satisfies Control UI/WebSocket auth via identity headers when
gateway.auth.allowTailscale: true; a non-loopback identity-aware reverse proxy satisfiesgateway.auth.mode: "trusted-proxy". Neither needs a pasted shared secret for the WebSocket. - Not localhost: use Tailscale Serve, a non-loopback shared-secret bind, a non-loopback identity-aware reverse proxy with
gateway.auth.mode: "trusted-proxy", or an SSH tunnel. HTTP APIs still use shared-secret auth unless you intentionally run private-ingressgateway.auth.mode: "none"or trusted-proxy HTTP auth. See Web surfaces.
If you see "unauthorized" / 1008
- Confirm the gateway is reachable: local
openclaw status; remote, SSH tunnelssh -N -L 18789:127.0.0.1:18789 user@gateway-hostthen openhttp://127.0.0.1:18789/. - For
AUTH_TOKEN_MISMATCH, clients may do one trusted retry with a cached device token when the gateway returns retry hints; that retry reuses the token's cached approved scopes (explicitdeviceToken/scopescallers keep their requested scope set). If auth still fails after that retry, resolve token drift manually. - For
AUTH_SCOPE_MISMATCH, the device token was recognized but does not carry the requested scopes; re-pair or approve the new scope set instead of rotating the shared gateway token. - Outside that retry path, connect auth precedence is: explicit shared token/password, then explicit
deviceToken, then stored device token, then bootstrap token. - On the async Tailscale Serve path, failed attempts for the same
{scope, ip}are serialized before the failed-auth limiter records them, so a second concurrent bad retry can already showretry later. - For token drift repair steps, see Token drift recovery checklist.
- Retrieve or supply the shared secret from the gateway host:
- Token:
openclaw config get gateway.auth.token - Password: resolve the configured
gateway.auth.passwordorOPENCLAW_GATEWAY_PASSWORD - SecretRef-managed token: resolve the external secret provider, or export
OPENCLAW_GATEWAY_TOKENin this shell and rerunopenclaw dashboard - No shared secret configured:
openclaw doctor --generate-gateway-token
- Token:
- In the dashboard settings, paste the token or password into the auth field, then connect.
- The UI language picker lives in Overview -> Gateway Access -> Language, not under Appearance.