Issue Station
Sign In
Tools hereToolbox

openclaw - 💡(How to fix) Fix Gateway fails to start when allowedSessionKeyPrefixes contains only sub-prefixes (e.g. hook:ao:) [1 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#61496Fetched 2026-04-08 02:57:58
View on GitHub
Comments
0
Participants
1
Timeline
0
Reactions
0
Author
priyanshuharshbodhi1priyanshuharshbodhi1
Participants
priyanshuharshbodhi1priyanshuharshbodhi1

When hooks.allowedSessionKeyPrefixes is set to a sub-prefix like ["hook:ao:"] without a defaultSessionKey, the gateway refuses to start with:

Gateway failed to start: Error: hooks.allowedSessionKeyPrefixes must include 'hook:' when hooks.defaultSessionKey is unset

This is a usability issue because "hook:ao:" is a strict subset of "hook:" — it logically satisfies the requirement — but the validator rejects it. More importantly, the ao setup openclaw wizard writes exactly ["hook:ao:"] as the recommended prefix, meaning the wizard's own output produces a broken config.

Error Message

Gateway failed to start: Error: hooks.allowedSessionKeyPrefixes must include 'hook:' when hooks.defaultSessionKey is unset

Root Cause

The ao setup openclaw wizard is the recommended setup path. It writes ["hook:ao:"] as the prefix. A user who follows the wizard exactly ends up with a gateway that won't start, with an error message that doesn't mention ao setup openclaw or the wizard as the source of the problem. This makes it very hard to debug without prior knowledge of the validation rules.

Fix Action

Workaround

Add both "hook:" and "hook:ao:" to the prefix list, and set a defaultSessionKey:

{
  "hooks": {
    "enabled": true,
    "token": "<your-token>",
    "allowRequestSessionKey": true,
    "defaultSessionKey": "hook:ao:default",
    "allowedSessionKeyPrefixes": ["hook:", "hook:ao:"]
  }
}

Code Example

Gateway failed to start: Error: hooks.allowedSessionKeyPrefixes must include 'hook:' when hooks.defaultSessionKey is unset

---

{
  "hooks": {
    "enabled": true,
    "token": "<your-token>",
    "allowRequestSessionKey": true,
    "allowedSessionKeyPrefixes": ["hook:ao:"]
  }
}

---

Gateway failed to start: Error: hooks.allowedSessionKeyPrefixes must include 'hook:' when hooks.defaultSessionKey is unset

---

{
  "hooks": {
    "enabled": true,
    "token": "<your-token>",
    "allowRequestSessionKey": true,
    "defaultSessionKey": "hook:ao:default",
    "allowedSessionKeyPrefixes": ["hook:", "hook:ao:"]
  }
}
RAW_BUFFERClick to expand / collapse

Summary

When hooks.allowedSessionKeyPrefixes is set to a sub-prefix like ["hook:ao:"] without a defaultSessionKey, the gateway refuses to start with:

Gateway failed to start: Error: hooks.allowedSessionKeyPrefixes must include 'hook:' when hooks.defaultSessionKey is unset

This is a usability issue because "hook:ao:" is a strict subset of "hook:" — it logically satisfies the requirement — but the validator rejects it. More importantly, the ao setup openclaw wizard writes exactly ["hook:ao:"] as the recommended prefix, meaning the wizard's own output produces a broken config.

Environment

  • OpenClaw version: 2026.4.2
  • OS: Ubuntu Linux 6.17.0 (x64)
  • Node: 24.13.1
  • Integration: Agent Orchestrator (AO) notifier plugin

Steps to Reproduce

  1. Run ao setup openclaw (or manually set config below)
  2. Set openclaw.json hooks config to:
{
  "hooks": {
    "enabled": true,
    "token": "<your-token>",
    "allowRequestSessionKey": true,
    "allowedSessionKeyPrefixes": ["hook:ao:"]
  }
}
  1. Start the gateway: openclaw gateway start or via systemd
  2. Gateway exits immediately with:
Gateway failed to start: Error: hooks.allowedSessionKeyPrefixes must include 'hook:' when hooks.defaultSessionKey is unset

Expected Behavior

One of:

Option A: The validator should accept sub-prefixes of "hook:" (e.g. "hook:ao:", "hook:myapp:") as satisfying the "hook:" requirement, since any session key matching "hook:ao:..." also starts with "hook:".

Option B: The ao setup openclaw wizard should automatically add defaultSessionKey (e.g. "hook:ao:default") when writing sub-prefixes, so the output config is always valid.

Option C: The error message should clearly say both options: "add 'hook:' to allowedSessionKeyPrefixes OR set defaultSessionKey" — right now it only implies the first option.

Actual Behavior

Gateway crashes on startup. The only fix is to manually add "hook:" to allowedSessionKeyPrefixes AND/OR set defaultSessionKey, which is not obvious from the error message.

Workaround

Add both "hook:" and "hook:ao:" to the prefix list, and set a defaultSessionKey:

{
  "hooks": {
    "enabled": true,
    "token": "<your-token>",
    "allowRequestSessionKey": true,
    "defaultSessionKey": "hook:ao:default",
    "allowedSessionKeyPrefixes": ["hook:", "hook:ao:"]
  }
}

Why This Matters

The ao setup openclaw wizard is the recommended setup path. It writes ["hook:ao:"] as the prefix. A user who follows the wizard exactly ends up with a gateway that won't start, with an error message that doesn't mention ao setup openclaw or the wizard as the source of the problem. This makes it very hard to debug without prior knowledge of the validation rules.

extent analysis

TL;DR

To fix the issue, add both "hook:" and the desired sub-prefix (e.g., "hook:ao:") to allowedSessionKeyPrefixes and set a defaultSessionKey.

Guidance

  • The error occurs because the validator requires "hook:" to be explicitly included in allowedSessionKeyPrefixes when defaultSessionKey is unset.
  • To resolve the issue, update the openclaw.json configuration to include both the required "hook:" prefix and the specific sub-prefix (e.g., "hook:ao:") in allowedSessionKeyPrefixes.
  • Additionally, set a defaultSessionKey to ensure the configuration is valid.
  • Verify the fix by starting the gateway after applying the configuration changes.

Example

{
  "hooks": {
    "enabled": true,
    "token": "<your-token>",
    "allowRequestSessionKey": true,
    "defaultSessionKey": "hook:ao:default",
    "allowedSessionKeyPrefixes": ["hook:", "hook:ao:"]
  }
}

Notes

The provided workaround is a direct solution to the issue, ensuring the gateway starts correctly. However, it would be beneficial for the ao setup openclaw wizard to generate a valid configuration or for the error message to provide clearer guidance on resolving the issue.

Recommendation

Apply the workaround by adding both the required prefix and the sub-prefix to allowedSessionKeyPrefixes and setting a defaultSessionKey, as this directly addresses the validation issue and allows the gateway to start.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#authentication issue#prompt issue#agent setup#task chaining#parallel task

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING