Pairing scope-upgrade loop: repeated 'pairing required' reconnects for same device #21688

@dddabtc

Summary

devices pairing/scope upgrade can get into a loop where the same device repeatedly triggers scope-upgrade and pairing required on every reconnect, even after approval/rotation attempts.

In this state, local commands (for example openclaw status) can keep failing with gateway connect failed: pairing required and the gateway logs show repeated upgrade requests every ~1s.

Environment

  • OpenClaw: 2026.2.19-2
  • Gateway service: systemd, local loopback ws://127.0.0.1:18789
  • OS: Linux (WSL2)
  • Observed on: 2026-02-20 (UTC)

Reproduction (deterministic)

Device ID used below (from openclaw devices list --json):
<device-id-redacted>

  1. Start from a healthy paired state.
  2. Intentionally rotate the device token to a narrower scope (remove read/write):

       openclaw devices rotate \
         --device <device-id-redacted> \
         --role operator \
         --scope operator.admin \
         --scope operator.approvals \
         --scope operator.pairing \
         --json

  3. Run a command that requires gateway access:

       openclaw status

  4. Check logs:

       rg -n "scope-upgrade|pairing required" <gateway-log-file> -S | tail -n 40

Actual behavior

  • CLI output includes:
    • gateway connect failed: Error: pairing required
  • Gateway logs repeatedly show:
    • security audit: device access upgrade requested reason=scope-upgrade ...
    • closed before connect ... cause=pairing-required ... reason=scope-upgrade
  • A pending repair request for the same device can keep reappearing.
  • During the loop, devices list output can appear temporarily inconsistent across calls (pending/paired scopes changing non-atomically).

Expected behavior

  • One of these should happen (deterministically):
    1. automatic scope upgrade and stable reconnect, or
    2. a single pending request that, once approved/rotated, does not immediately re-trigger for the same device.
  • No repeated per-second reconnect/pairing loop for the same device.

Relevant log samples

From <gateway-log-file>:

  • 2026-02-20T07:17:46.647Z: device access upgrade requested reason=scope-upgrade ... scopesFrom=operator.admin,operator.approvals,operator.pairing scopesTo=operator.write
  • 2026-02-20T07:17:46.650Z: gateway connect failed: Error: pairing required
  • 2026-02-20T07:17:46.656Z: gateway/ws ... cause=pairing-required ... reason=scope-upgrade

This pattern repeats every ~1 second until manual intervention.

Temporary workaround

  • Approve latest pending repair request:

      openclaw devices approve --latest --json

  • Rotate token to include full scopes used by local client:

      openclaw devices rotate \
        --device <device-id> \
        --role operator \
        --scope operator.read \
        --scope operator.write \
        --scope operator.admin \
        --scope operator.approvals \
        --scope operator.pairing \
        --json

Even with this, the system can briefly re-enter pending/repair churn before converging.
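
For triaging this from the log side, the following Python sketch flags the repeating pattern and reports which requested scopes the token lacks. It is an added example, not part of the original report or of OpenClaw: the sample lines are constructed from the fields visible in the report, requests are grouped by their scopesFrom/scopesTo pair because the device field is elided there, and the 3-repeat and 5-second thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, modelled only on the fields visible in the report
# (timestamp, reason=, scopesFrom=, scopesTo=); real gateway lines carry more.
SAMPLE_LOG = """\
2026-02-20T07:17:46.647Z: device access upgrade requested reason=scope-upgrade scopesFrom=operator.admin,operator.approvals,operator.pairing scopesTo=operator.write
2026-02-20T07:17:46.650Z: gateway connect failed: Error: pairing required
2026-02-20T07:17:47.661Z: device access upgrade requested reason=scope-upgrade scopesFrom=operator.admin,operator.approvals,operator.pairing scopesTo=operator.write
2026-02-20T07:17:48.670Z: device access upgrade requested reason=scope-upgrade scopesFrom=operator.admin,operator.approvals,operator.pairing scopesTo=operator.write
2026-02-20T07:25:00.000Z: device access upgrade requested reason=scope-upgrade scopesFrom=operator.read scopesTo=operator.write
"""

UPGRADE = re.compile(
    r"^(?P<ts>\S+?Z):.*reason=scope-upgrade\b.*?"
    r"scopesFrom=(?P<src>\S*).*?scopesTo=(?P<dst>\S*)"
)

def find_upgrade_loops(log_text, min_repeats=3, max_gap=timedelta(seconds=5)):
    """Return [(scopes_from, missing_scopes, streak)] for identical upgrade
    requests that recur at least min_repeats times with gaps <= max_gap."""
    runs = defaultdict(list)  # (scopesFrom, scopesTo) -> request timestamps
    for line in log_text.splitlines():
        m = UPGRADE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
            runs[(m["src"], m["dst"])].append(ts)
    loops = []
    for (src, dst), stamps in runs.items():
        stamps.sort()
        longest = streak = 1
        for prev, cur in zip(stamps, stamps[1:]):
            # A gap larger than max_gap ends the current streak.
            streak = streak + 1 if cur - prev <= max_gap else 1
            longest = max(longest, streak)
        if longest >= min_repeats:
            # Scopes the client keeps asking for that the token does not hold.
            missing = sorted(set(dst.split(",")) - set(src.split(",")))
            loops.append((src, missing, longest))
    return loops

if __name__ == "__main__":
    for src, missing, n in find_upgrade_loops(SAMPLE_LOG):
        print(f"loop: {n} identical requests; token has [{src}], lacks {missing}")
```

Pointing it at the real gateway log instead of SAMPLE_LOG gives a quick check of whether the workaround has converged: an empty result means no identical upgrade request is still recurring within the window.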

Labels: stale (marked as stale due to inactivity)