Skip to content

Control UI: dangerouslyDisableDeviceAuth not working (device identity required) #11590

Closed
Closed
Control UI: dangerouslyDisableDeviceAuth not working (device identity required)#11590
Labels
bugSomething isn't working
@pepelaskov

Description

@pepelaskov
pepelaskov
opened on Feb 8, 2026

Environment

  • OpenClaw Version: 2026.2.6-3 (beta)
  • OS: macOS (Darwin 25.2.0 arm64)
  • Node: v25.5.0
  • Gateway Mode: local (loopback bind, port 18789)

Issue

Control UI WebSocket connection fails with "device identity required" error despite having both dangerouslyDisableDeviceAuth: true and allowInsecureAuth: true set in the config.

Config Settings (Confirmed)

{
  "gateway": {
    "controlUi": {
      "enabled": true,
      "allowInsecureAuth": true,
      "dangerouslyDisableDeviceAuth": true
    },
    "auth": {
      "mode": "token",
      "token": "<redacted>"
    }
  }
}

Gateway Logs

{
  "cause": "device-required",
  "handshake": "failed",
  "lastFrameMethod": "connect",
  "client": "openclaw-control-ui",
  "mode": "webchat",
  "code": 1008,
  "reason": "device identity required"
}

Browser Console

Dashboard shows:

Health: Offline
disconnected (1008): device identity required

All Control UI features are disabled (Status/Health/Heartbeat show {}).

Reproduction

  1. Set gateway.controlUi.dangerouslyDisableDeviceAuth: true in config
  2. Set gateway.controlUi.allowInsecureAuth: true
  3. Restart gateway (openclaw gateway restart)
  4. Open Control UI at http://localhost:18789
  5. WebSocket connection fails with device-required error

Expected Behavior

With dangerouslyDisableDeviceAuth: true, the Control UI should connect without device identity checks (using only token auth).

Actual Behavior

WebSocket handshake is rejected with "cause":"device-required" despite the config setting.

Workaround Attempts

  • ✅ Config validated with openclaw gateway config.get (settings present)
  • ✅ Gateway restart attempted
  • ❌ Browser cache clear (not yet attempted)
  • ❌ Incognito/private window (not yet attempted)

Impact

Control UI is completely unusable. Gateway functions normally for all other channels (Telegram, Discord, etc.).

Additional Context

The dangerouslyDisableDeviceAuth setting appears to be ignored by the WebSocket auth layer in this version. The setting exists in the schema and validates correctly, but has no effect on runtime behavior.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions