What is the OpenClaw gateway token?

The gateway token is a secret generated when OpenClaw starts its gateway process. Every request the Control UI dashboard makes to the gateway must include this token. It ensures only you can access your gateway admin interface, even if someone else can reach the port.

How do I find my OpenClaw gateway token?

The token is printed in the dashboard URL when you run "openclaw gateway" or start your Docker container. Look for a line like "Dashboard URL: http://localhost:3000/?token=oc_tk_..." in your terminal or container logs. The value after "?token=" is your gateway token.

How do I fix "unauthorized: gateway token missing" in OpenClaw?

Open the dashboard URL that was printed when the gateway started — the token is embedded in that URL and will authenticate you automatically. If Control UI is already open in another browser tab, go to Settings, paste the token into the Gateway Token field, save, and reload the page.

How do I regenerate or change the OpenClaw gateway token?

Stop and restart the gateway. OpenClaw generates a new token at each startup unless you pin one via the OPENCLAW_GATEWAY_TOKEN environment variable. The new token appears in the dashboard URL printed to the terminal after restart.

← Home

Troubleshooting

Fix "unauthorized: gateway token missing" in OpenClaw

The gateway token is the secret that authenticates the OpenClaw Control UI so only you can reach your running gateway. If you see unauthorized: gateway token missing, this guide walks you through finding the token, pasting it into Control UI settings, and regenerating it when it is wrong or leaked.

What the Gateway Token Is and Why It Exists

When OpenClaw starts its gateway process it generates (or reads) a secret token and binds it to the local server. Every request that the Control UI dashboard makes to the gateway must carry this token in its headers. Without a valid token the gateway returns an unauthorized error and refuses the request.

This design means that even if someone else can reach the port your gateway listens on, they cannot interact with your agent without the token. The token is your gateway's access credential — treat it like a password.

Where to Find Your Gateway Token

There are two places OpenClaw surfaces the token:

1. The Dashboard URL Printed at Startup

When you run openclaw gateway (or the equivalent Docker command), the gateway prints a dashboard URL to the terminal. The token is embedded directly in that URL as a query parameter:

$ openclaw gateway
Gateway started.
Dashboard URL:
  http://localhost:3000/?token=oc_tk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Open that URL in your browser to access Control UI.

Copy everything after ?token=. That string is your gateway token.

2. Control UI Settings Page

If you already have the Control UI open and authenticated, you can view or copy the active token from the Settings section of the dashboard. Look for a "Gateway Token" or "Connection Token" field.

Fixing "unauthorized: gateway token missing"

The full error message you will typically see is:

unauthorized: gateway token missing
(open the dashboard url and paste the token in control ui settings)

OpenClaw itself tells you exactly what to do. Follow these steps:

Look at the terminal where you started openclaw gateway (or your Docker container logs) and find the dashboard URL that was printed at startup.
Open that URL in your browser. The token in the URL will authenticate you automatically for that session.
If Control UI is already open in another tab without the token, go to Settings and paste the token into the "Gateway Token" field, then save.
Reload the page. The unauthorized error should be gone and you will have full access to your gateway dashboard.

With Docker, the startup URL appears in the container logs:

docker run --rm -p 3000:3000 ghcr.io/openclaw/openclaw:latest openclaw gateway
# look for the Dashboard URL line in the output

How to Regenerate or Change the Token

You may need a new token if the current one was leaked, if you rotated secrets, or if the token was lost and you cannot retrieve it from the startup logs.

Regenerate via the CLI

Stop the gateway, then restart it. OpenClaw generates a fresh token at each startup unless you supply one explicitly via the OPENCLAW_GATEWAY_TOKEN environment variable. The new token will appear in the dashboard URL printed to the terminal.

# Stop the running gateway, then:
openclaw gateway
# A new token appears in the printed dashboard URL.

Pin a Specific Token

If you want the same token across restarts (useful for automation or reverse-proxy setups), set it as an environment variable before starting the gateway:

export OPENCLAW_GATEWAY_TOKEN="your-chosen-secret"
openclaw gateway

Keep this value secret. Anyone who obtains it can fully control your gateway.

Plain HTTP and Insecure Auth

By default, token-based authentication requires a secure context (HTTPS). If you are running OpenClaw over plain HTTP (for example on a local network without TLS), the gateway may reject the token handshake. Add the following to your OpenClaw config to allow it:

{
  "gateway": {
    "controlUi": {
      "allowInsecureAuth": true
    }
  }
}

Only use allowInsecureAuth: true on networks you trust. Over the public internet, always use HTTPS so the token cannot be intercepted in transit.

Token vs Pairing — They Are Different Things

OpenClaw uses two distinct authentication concepts that are easy to confuse:

Gateway token — authenticates YOUR browser (or another client) to the Control UI dashboard. It is what this guide covers. You use it once to unlock the gateway admin interface.
Pairing — links a chat platform (Telegram, Discord, WhatsApp, etc.) to your running gateway so messages flow between the platform and your agent. A user starts a pairing session, gets a short code, and approves it in the gateway UI. See the pairing guide for details.

If you are trying to connect Telegram or Discord, you do not need to worry about the gateway token — you need the pairing flow instead.