[Bug]: OPENCLAW_GATEWAY_TOKEN in systemd service file not updated on config change or update, causing device_token_mismatch #17223

@cadugevaerd

Summary

After changing gateway.auth.token in openclaw.json, the systemd service file retains the old token hardcoded in Environment=OPENCLAW_GATEWAY_TOKEN=<old_token>. Since the env var overrides the config file value, the gateway process uses a different token than what's in the config — causing device_token_mismatch for all internal tool calls (cron, sessions, etc.) and CLI connections.

Steps to reproduce

  1. Install OpenClaw gateway as systemd service (openclaw gateway install)
  2. Change gateway.auth.token in ~/.openclaw/openclaw.json
  3. Restart gateway (systemctl --user restart openclaw-gateway)
  4. Try any CLI command or wait for agent tool calls

Expected behavior

Gateway should use the token from openclaw.json. Either:

  • The service file should not hardcode OPENCLAW_GATEWAY_TOKEN (read from config at runtime), or
  • openclaw gateway install / openclaw update should re-sync the service file, or
  • openclaw doctor should detect the mismatch and warn

Actual behavior

  • Gateway uses the old token from the systemd env var
  • CLI and agent backend fail with unauthorized: device token mismatch (rotate/reissue device token)
  • openclaw status shows unreachable (connect failed: unauthorized: device token mismatch)
  • openclaw doctor does not detect the config vs service token divergence
  • The error message suggests rotating/reissuing device tokens, which does not help since the root cause is the env var override

Root cause

systemctl --user cat openclaw-gateway reveals:

Environment=OPENCLAW_GATEWAY_TOKEN=<old_token_from_install_time>

While openclaw.json has:

"gateway": { "auth": { "mode": "token", "token": "<new_token>" } }

The env var takes precedence, so the gateway authenticates against the old token internally.

Workaround

Create a systemd override to match the current config token:

mkdir -p ~/.config/systemd/user/openclaw-gateway.service.d/
cat > ~/.config/systemd/user/openclaw-gateway.service.d/override.conf << 'EOF'
[Service]
Environment=OPENCLAW_GATEWAY_TOKEN=<your_current_config_token>
EOF
systemctl --user daemon-reload
systemctl --user restart openclaw-gateway

OpenClaw version

2026.2.14

Operating system

Linux (arm64)

Install method

npm global

Impact and severity

OpenClaw is completely unusable — all agent tools (cron, exec, sessions) fail, CLI cannot connect. Only channel message relay continues working since it does not go through device auth.
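
A check of the kind the issue asks openclaw doctor to perform, as an added example that is not part of the original issue and not OpenClaw's own code: it compares the effective OPENCLAW_GATEWAY_TOKEN in `systemctl --user cat openclaw-gateway` output (drop-ins included) with gateway.auth.token in openclaw.json, and reports only hash fingerprints. It assumes openclaw.json is plain JSON and approximates systemd quoting with shlex; the function names and sample tokens are constructed.

```python
import hashlib
import hmac
import json
import shlex

ENV_NAME = "OPENCLAW_GATEWAY_TOKEN"  # variable name taken from the issue

def unit_env(unit_text):
    """Effective Environment= assignments from `systemctl --user cat` output."""
    env = {}
    for line in unit_text.splitlines():
        line = line.strip()
        if not line.startswith("Environment="):
            continue
        value = line[len("Environment="):]
        if not value.strip():  # an empty assignment resets the list
            env.clear()
            continue
        for item in shlex.split(value):  # approximates systemd quoting
            name, sep, val = item.partition("=")
            if sep:
                env[name] = val  # later lines (drop-ins) override earlier ones
    return env

def config_token(config_text):
    """gateway.auth.token from openclaw.json (assumed to be plain JSON)."""
    auth = json.loads(config_text).get("gateway", {}).get("auth", {})
    return auth.get("token")

def fingerprint(token):
    """Short hash so a report never prints the secret itself."""
    return hashlib.sha256(token.encode()).hexdigest()[:8]

def check_token_sync(unit_text, config_text):
    """Return (status, detail); status is 'ok', 'no-override' or 'mismatch'."""
    env_tok = unit_env(unit_text).get(ENV_NAME)
    cfg_tok = config_token(config_text)
    if env_tok is None:
        return "no-override", "unit does not set " + ENV_NAME
    if cfg_tok is not None and hmac.compare_digest(env_tok.encode(), cfg_tok.encode()):
        return "ok", "unit and config agree"
    cfg_fp = fingerprint(cfg_tok) if cfg_tok else "unset"
    return "mismatch", f"unit={fingerprint(env_tok)} config={cfg_fp}"

# Constructed sample inputs (not real tokens).
SAMPLE_UNIT = "[Service]\nEnvironment=OPENCLAW_GATEWAY_TOKEN=old-token-from-install\n"
SAMPLE_CONFIG = '{"gateway": {"auth": {"mode": "token", "token": "new-token"}}}'
if __name__ == "__main__":
    print(check_token_sync(SAMPLE_UNIT, SAMPLE_CONFIG))
```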
