Skip to content

[Bug]: openclaw configure writes literal string "undefined" as gateway.auth.token #13756

New issue
New issue
Closed
#13809
#13767
Closed
[Bug]: openclaw configure writes literal string "undefined" as gateway.auth.token#13756
#13809
#13767
@calvinguo721

Description

@calvinguo721
calvinguo721
opened on Feb 11, 2026

Bug Description

When running openclaw configure (v2026.2.6-3) on Windows, the gateway auth token in openclaw.json is set to the literal string "undefined" instead of a proper random token. This causes gateway.cmd to contain OPENCLAW_GATEWAY_TOKEN=undefined, which can lead to authentication anomalies and potential gateway hangs under load.

Steps to Reproduce

  1. Run openclaw configure on Windows (local mode, token auth)
  2. Check ~/.openclaw/openclaw.json
  3. Observe gateway.auth.token is the string "undefined"
  4. Check ~/.openclaw/gateway.cmd — confirms OPENCLAW_GATEWAY_TOKEN=undefined

Root Cause

In the configure wizard, buildGatewayAuthConfig directly assigns params.token without a null/undefined guard:

// buildGatewayAuthConfig
if (params.mode === "token") return {
    ...base,
    mode: "token",
    token: params.token  // if params.token is JS undefined, JSON.stringify writes "undefined"
};

When params.token (or params.gatewayToken) is JS undefined, it gets written into the config object. JSON.stringify then serializes it as the string "undefined".

The fallback chain in daemon-cli:

token: opts.token || cfg.gateway?.auth?.token || process.env.OPENCLAW_GATEWAY_TOKEN

...picks up "undefined" (truthy string) from cfg.gateway.auth.token, so the fallback to env var or random generation never triggers.

Expected Behavior

buildGatewayAuthConfig should guard against undefined/null/empty token values:

if (params.mode === "token") return {
    ...base,
    mode: "token",
    token: params.token || randomToken()  // fallback to random if undefined/empty
};

Or normalizeGatewayTokenInput should reject the string "undefined":

function normalizeGatewayTokenInput(value) {
    if (typeof value !== "string") return "";
    const trimmed = value.trim();
    return trimmed === "undefined" ? "" : trimmed;
}

Impact

  • Gateway runs with a known/guessable "token" (the literal word "undefined")
  • Security: anyone who guesses the token can access the gateway
  • May cause internal auth logic issues under high load (multiple concurrent subagent sessions)
  • Observed: gateway became unresponsive after heavy parallel workload, possibly related

Environment

  • OpenClaw: v2026.2.6-3
  • OS: Windows 10 (19045)
  • Node: v24.13.0
  • Mode: local, token auth
  • Channel: Telegram

Workaround

Manually patch the config via gateway API or edit ~/.openclaw/openclaw.json directly, replacing "undefined" with a proper random hex string, then restart the gateway.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions