Issue Station
Sign In
Tools hereToolbox

openclaw - 💡(How to fix) Fix VPS Gateway: WebSocket Pairing Authentication Blocks Control UI Login [3 comments, 4 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#49293Fetched 2026-04-08 00:56:50
View on GitHub
Comments
3
Participants
4
Timeline
12
Reactions
0
Author
larrybuckalewlarrybuckalew
Participants
ArtyomkunArtyomkunlarrybuckalewlarrybuckalewmehulbhardwajmehulbhardwajRyceRyce
Timeline (top)
cross-referenced ×6commented ×3subscribed ×2mentioned ×1

Root Cause

The pairing handshake happens at WebSocket connection time, BEFORE token authentication. Browser can't store persistent device ID across WebSocket connections, creating a catch-22:

  1. WebSocket connects
  2. Gateway checks: "Is this device paired?"
  3. Browser/client hasn't sent token yet (hasn't authenticated)
  4. Connection rejected with "pairing required"
  5. Never reaches token auth phase

Fix Action

Fix / Workaround

Workaround Status

RAW_BUFFERClick to expand / collapse

Problem

OpenClaw gateway runs on VPS but Control UI login is blocked by pairing requirement that cannot be disabled.

Environment

  • Host: InterServer VPS
  • OS: Ubuntu 24.04 LTS
  • OpenClaw Version: 2026.3.13
  • RAM: 3.8GB available
  • Storage: 54GB free

Setup Details

Issue

When accessing Control UI at https://openclaw.aisetuppros.com:

  1. Page loads
  2. WebSocket connects
  3. Fails with: "disconnected (1006): no reason" and "pairing required"
  4. Never reaches token auth step

What We've Tried

❌ Config flags:

  • controlUi.allowedOrigins: ['*']
  • controlUi.dangerouslyAllowHostHeaderOriginFallback: true
  • controlUi.requirePairing: false
  • controlUi.skipPairingCheck: false
  • gateway.requirePairing: false

❌ Environment variables:

  • OPENCLAW_GATEWAY_CONTROLUI_REQUIREPAIRING=false

❌ Manual pairing approval:

  • Approved devices in pending.json → paired.json
  • Browser generates new device ID on each connection
  • Pairing handshake fails before token can be sent

✅ What Works:

  • Gateway HTTP responses
  • Nginx reverse proxy
  • Paperclip dashboard (no pairing issues)
  • CLI access (if available)

Root Cause Analysis

The pairing handshake happens at WebSocket connection time, BEFORE token authentication. Browser can't store persistent device ID across WebSocket connections, creating a catch-22:

  1. WebSocket connects
  2. Gateway checks: "Is this device paired?"
  3. Browser/client hasn't sent token yet (hasn't authenticated)
  4. Connection rejected with "pairing required"
  5. Never reaches token auth phase

Questions for Maintainers

  1. Is there a way to disable pairing requirement for token-based auth?
  2. Should the tokenized dashboard URL (openclaw dashboard --no-open) bypass pairing?
  3. Is this a known limitation or design issue?
  4. What's the intended flow for remote VPS access?

Workaround Status

  • Paperclip accessible ✅
  • CRM automation working ✅
  • AI briefing cron jobs running ✅
  • OpenClaw Control UI blocked ❌

Reported by: @larrybuckalew

extent analysis

Fix Plan

To resolve the pairing requirement issue for token-based authentication in OpenClaw Control UI, follow these steps:

  1. Modify Config Flags: Update config.json to include the following settings: 
    "controlUi": {
  "requirePairing": false,
  "skipPairingCheck": true
}
  2. Environment Variable: Ensure the environment variable OPENCLAW_GATEWAY_CONTROLUI_REQUIREPAIRING is set to false. This can be done by running: 
    export OPENCLAW_GATEWAY_CONTROLUI_REQUIREPAIRING=false
    before starting the OpenClaw gateway.
  3. Tokenized Dashboard URL: Use the tokenized dashboard URL generated by openclaw dashboard --no-open to bypass pairing. This URL typically includes a token that authenticates the user, allowing access without pairing.
  4. WebSocket Connection Handling: Modify the WebSocket connection handling to send the token as part of the initial connection request. This may require customizing the client-side code to include the token in the WebSocket connection headers or query parameters.

Example of sending token in WebSocket connection headers using JavaScript:

const token = 'your_token_here';
const ws = new WebSocket('wss://openclaw.aisetuppros.com', {
  headers: {
    'Authorization': `Bearer ${token}`
  }
});

Verification

To verify that the fix worked:

  1. Restart the OpenClaw gateway after applying the configuration changes.
  2. Access the Control UI using the tokenized dashboard URL.
  3. Check if the pairing requirement is bypassed and token authentication is successful.

Extra Tips

  • Ensure that the token is properly validated on the server-side to prevent unauthorized access.
  • Consider implementing a more robust authentication mechanism, such as OAuth or JWT, to enhance security.
  • If issues persist, check the OpenClaw gateway logs for any errors or warnings related to authentication or pairing.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#api#ssr#installation#tensor shape#environment setup#docker error#permission error#memory optimization#environment variable

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING