[Bug]: Gateway CLI authentication fails with token_mismatch when gateway.auth.token is configured #38617
Description
Bug type
Regression (worked before, now fails)
Summary
Gateway rejects CLI connection with token_mismatch error when gateway.auth.token is manually configured, even though the token is valid.
Steps to reproduce
- Configure gateway.auth.token in openclaw.json
- Pair a CLI device (openclaw pair)
- Start gateway
- Observe token_mismatch error in logs:
[ws] unauthorized conn=... reason=token_mismatch
Expected behavior
CLI should connect successfully when using a manually configured gateway.auth.token that matches the paired device token.
Actual behavior
Gateway rejects connection with: [ws] unauthorized conn=... reason=token_mismatch. CLI cannot connect to Gateway.
OpenClaw version
2026.3.2
Operating system
Windows 11
Install method
No response
Logs, screenshots, and evidence
Impact and severity
No response
Additional information
Root Cause: When a device is paired via openclaw pair, it receives a unique token stored in devices/paired.json. However, when gateway.auth.token is manually configured in openclaw.json, Gateway uses this static token for authentication. The CLI client uses the token from paired.json, causing a mismatch.
Suggested Fix: Either:
- Make Gateway use the paired device token for authentication instead of gateway.auth.token
- Or sync gateway.auth.token with the paired device token automatically
- Or prevent deletion of gateway.auth.token when devices are paired