Guide

OpenClaw Gateway Token

Name: ClawSquire
Author: ClawSquire

The gateway token authenticates your Dashboard access. Here's how to find it, generate a new one, and fix "unauthorized" errors.

What is the gateway token?

When you access the OpenClaw Dashboard (Control UI), it connects via WebSocket to the gateway process. The token proves you're authorized. Without it, you'll see "Unauthorized" or a 1008 WebSocket error.

Get your token

Find your existing token

If OpenClaw is already set up, retrieve the token from config:

openclaw config get gateway.auth.token

This prints the token to your terminal. Copy it and paste into the Dashboard's token field.

Generate a new token

If no token exists or you need a fresh one, the doctor command generates one:

openclaw doctor --generate-gateway-token

This creates a new random token and saves it to your config. The gateway needs a restart to pick it up:

openclaw gateway restart

Create API keys (for programmatic access)

For scripts or remote management tools that need gateway access, create named API keys:

# Create a key with expiration
openclaw gateway keys create --name "my-script" --expires 90d

# List all keys
openclaw gateway keys list

# Check which keys expire soon
openclaw gateway keys list --expiring 30d

# Rotate a key
openclaw gateway keys rotate --key <key-id>

Access Dashboard remotely

The Dashboard runs on localhost by default. To access it from another machine (e.g., your laptop connecting to a VPS), use an SSH tunnel:

# From your local machine
ssh -N -L 18789:127.0.0.1:18789 user@your-server-ip

# Then open in browser
# http://localhost:18789

Paste your gateway token when the Dashboard asks for authentication. The token is stored in sessionStorage (current tab only) and is stripped from the URL after loading.

🔒 Security best practice

Never expose port 18789 to the public internet. Always use SSH tunnels or Tailscale for remote access. The gateway is an admin surface with full control over your AI agent.

Troubleshooting

Dashboard shows "Unauthorized" or "Disconnected"

Your token is missing or wrong. Run: openclaw config get gateway.auth.token — and paste the output into the Dashboard's token field. If no token exists, generate one: openclaw doctor --generate-gateway-token

WebSocket error 1008

Same as unauthorized — the token in your browser doesn't match the gateway config. Generate a fresh token and restart the gateway.

Token works locally but not remotely

Make sure your SSH tunnel is active and forwarding port 18789. The browser must connect to localhost:18789, not the server's public IP directly.

gateway.auth.mode error on upgrade

OpenClaw 2026.3.7+ requires explicit auth mode if both token and password are configured. Set it: openclaw config set gateway.auth.mode token

🖱️ Skip the token hassle

ClawSquire handles gateway authentication automatically. It stores your connection details securely, reconnects on startup, and manages SSH tunnels for remote servers — so you never have to copy-paste tokens from the terminal again.

Download ClawSquire — Free Get Gateway Working — from $199

Dashboard guide · CLI reference · Search issues