feat: make device signature clock skew tolerance configurable (currently hardcoded 2min) #24455

@rafaelreis-r

Problem

The gateway rejects WebSocket connections with "device signature expired" (code 1008) when the client's clock is more than 2 minutes ahead or behind the gateway's clock.

The tolerance is hardcoded:

DEVICE_SIGNATURE_SKEW_MS = 120 * 1e3  // 2 minutes

This is a silent failure — the client gets a generic "device signature expired" error with no indication that a clock skew is the cause. It's also indistinguishable from a genuinely expired/revoked device token, making it very hard to diagnose.

Impact

  • Devices on corporate networks or VMs where NTP sync is restricted/unavailable cannot connect at all
  • Happens even in browser incognito mode (fresh session, no cached token), making it look like a gateway auth bug
  • Error message gives no hint that clock sync is the root cause

Proposed Fix

  1. Make the skew tolerance configurable via gateway.auth.deviceSignatureSkewMs (default: keep 120s for security, allow operators to increase)
  2. Improve the error message to hint at clock skew when the rejection reason is device-signature-stale (e.g., "device signature expired — check system clock sync")

Workaround

Patch the dist file:

// Change in gateway-cli-*.js
DEVICE_SIGNATURE_SKEW_MS = 1800 * 1e3  // 30 minutes

Environment

  • OpenClaw v2026.2.22-2
  • Client: Windows machine with restricted NTP sync (corporate environment)
  • Gateway: macOS
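
A sketch of the two proposed changes together, as an added example that is not OpenClaw's code and not part of the original issue. The function names, the 30-minute ceiling and the message wording are assumptions; only the config key, the 120s default, close code 1008 and the device-signature-stale reason come from the issue text.

```javascript
// Hypothetical sketch: these function names do not come from the OpenClaw code base.
const DEFAULT_SKEW_MS = 120 * 1e3;  // current hardcoded tolerance quoted in the issue
const MAX_SKEW_MS = 30 * 60 * 1e3;  // assumed ceiling: a wider window accepts older signatures

// Read gateway.auth.deviceSignatureSkewMs (the key proposed in the issue).
// Missing or invalid values fall back to the default; large values are capped.
function resolveSkewMs(config) {
  const raw = config?.gateway?.auth?.deviceSignatureSkewMs;
  if (!Number.isInteger(raw) || raw <= 0) return DEFAULT_SKEW_MS;
  return Math.min(raw, MAX_SKEW_MS);
}

// Compare the signature timestamp with the gateway clock and, on rejection,
// report direction and size of the difference so clock skew is diagnosable.
function checkSignatureFreshness(signedAtMs, nowMs, skewMs) {
  const deltaMs = signedAtMs - nowMs; // positive: client timestamp is ahead
  if (Math.abs(deltaMs) <= skewMs) return { ok: true };
  const seconds = Math.round(Math.abs(deltaMs) / 1000);
  const direction = deltaMs > 0 ? "ahead of" : "behind";
  return {
    ok: false,
    closeCode: 1008,
    reason: "device-signature-stale",
    message:
      `device signature expired: signature timestamp is ${seconds}s ` +
      `${direction} gateway time (tolerance ${skewMs / 1000}s); ` +
      "check system clock sync",
  };
}

// Constructed sample: client clock five minutes ahead of the gateway.
const now = 1_700_000_000_000;
const skew = resolveSkewMs({ gateway: { auth: {} } });
console.log(checkSignatureFreshness(now + 5 * 60 * 1e3, now, skew));
```

A timestamp that is behind gateway time can also be a genuinely old signature, so the message reports the measured difference rather than asserting that skew is the cause.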

Labels: stale (Marked as stale due to inactivity)
