mirror of
https://github.com/openclaw/openclaw.git
synced 2026-07-06 19:32:58 +08:00
* feat(android): rework gateway onboarding setup * fix(android): restore protocol mismatch onboarding guidance * fix(android): sync onboarding native i18n * fix(android): preserve LAN manual setup prefill * fix(android): refine onboarding node approval step * fix(android): polish onboarding recovery actions * test(android): cover onboarding protocol mismatch copy * fix(android): separate onboarding node approval * fix(android): guard onboarding node approval transitions * fix(android): keep onboarding approval states reachable * fix(android): wait for node access before onboarding continue * fix(android): refresh node approval after operator handoff * fix(android): refresh onboarding approval states * fix(android): require approval after onboarding permission changes * fix(android): keep onboarding approval gates active * fix(android): preserve permission reapproval state * fix(android): skip node approval on legacy gateways * fix(android): wait for node approval refresh * fix(android): preserve camera setting on upgrade * fix(android): avoid stuck approval check spinner * fix(android): request talk secrets on operator connects * fix(android): avoid missed node approval completion * fix(android): keep nearby LAN setup local * fix(android): complete onboarding after node approval * fix(android): reconcile onboarding with gateway auth plans * chore(android): refresh native i18n inventory after rebase * Fix Android onboarding review edge cases * Fix native i18n onboarding sentinels
57 lines
3.1 KiB
Markdown
57 lines
3.1 KiB
Markdown
---
|
|
summary: "CLI reference for `openclaw qr` (generate mobile pairing QR + setup code)"
|
|
read_when:
|
|
- You want to pair a mobile node app with a gateway quickly
|
|
- You need setup-code output for remote/manual sharing
|
|
title: "QR"
|
|
---
|
|
|
|
# `openclaw qr`
|
|
|
|
Generate a mobile pairing QR and setup code from your current Gateway configuration.
|
|
|
|
## Usage
|
|
|
|
```bash
|
|
openclaw qr
|
|
openclaw qr --setup-code-only
|
|
openclaw qr --json
|
|
openclaw qr --remote
|
|
openclaw qr --url wss://gateway.example/ws
|
|
```
|
|
|
|
## Options
|
|
|
|
- `--remote`: prefer `gateway.remote.url`; if it is unset, `gateway.tailscale.mode=serve|funnel` can still provide the remote public URL
|
|
- `--url <url>`: override gateway URL used in payload
|
|
- `--public-url <url>`: override public URL used in payload
|
|
- `--token <token>`: override which gateway token the bootstrap flow authenticates against
|
|
- `--password <password>`: override which gateway password the bootstrap flow authenticates against
|
|
- `--setup-code-only`: print only setup code
|
|
- `--no-ascii`: skip ASCII QR rendering
|
|
- `--json`: emit JSON (`setupCode`, `gatewayUrl`, `auth`, `urlSource`)
|
|
|
|
## Notes
|
|
|
|
- `--token` and `--password` are mutually exclusive.
|
|
- The setup code itself now carries an opaque short-lived `bootstrapToken`, not the shared gateway token/password.
|
|
- Built-in setup-code bootstrap returns a primary `node` token with `scopes: []` plus a bounded `operator` handoff token for trusted mobile onboarding.
|
|
- The handed-off operator token is limited to `operator.approvals`, `operator.read`, `operator.talk.secrets`, and `operator.write`; pairing mutation scopes and `operator.admin` still require a separate approved operator pairing or token flow.
|
|
- Mobile pairing fails closed for Tailscale/public `ws://` gateway URLs. Private LAN addresses and `.local` Bonjour hosts remain supported over `ws://`, but Tailscale/public mobile routes should use Tailscale Serve/Funnel or a `wss://` gateway URL.
|
|
- With `--remote`, OpenClaw requires either `gateway.remote.url` or
|
|
`gateway.tailscale.mode=serve|funnel`.
|
|
- With `--remote`, if effectively active remote credentials are configured as SecretRefs and you do not pass `--token` or `--password`, the command resolves them from the active gateway snapshot. If gateway is unavailable, the command fails fast.
|
|
- Without `--remote`, local gateway auth SecretRefs are resolved when no CLI auth override is passed:
|
|
- `gateway.auth.token` resolves when token auth can win (explicit `gateway.auth.mode="token"` or inferred mode where no password source wins).
|
|
- `gateway.auth.password` resolves when password auth can win (explicit `gateway.auth.mode="password"` or inferred mode with no winning token from auth/env).
|
|
- If both `gateway.auth.token` and `gateway.auth.password` are configured (including SecretRefs) and `gateway.auth.mode` is unset, setup-code resolution fails until mode is set explicitly.
|
|
- Gateway version skew note: this command path requires a gateway that supports `secrets.resolve`; older gateways return an unknown-method error.
|
|
- After scanning, approve device pairing with:
|
|
- `openclaw devices list`
|
|
- `openclaw devices approve <requestId>`
|
|
|
|
## Related
|
|
|
|
- [CLI reference](/cli)
|
|
- [Pairing](/cli/pairing)
|