Skip to content

Control UI "device identity required" error after page navigation in 2026.3.7 #39611

Closed
Closed
Control UI "device identity required" error after page navigation in 2026.3.7#39611
Labels
bugSomething isn't workingregressionBehavior that previously worked and now fails
@flyyangX

Description

@flyyangX
flyyangX
opened on Mar 8, 2026

Bug type

Regression (worked before, now fails)

Summary

Control UI works on initial load with token URL, but after navigating to different pages (e.g., /sessions, /config) or clicking session links, the WebSocket connection drops with "device identity required" error.

Steps to reproduce

  1. Generate token URL: openclaw dashboard --no-open
  2. Open URL in browser: http://127.0.0.1:18789/#token=<token>
  3. Initial load works fine (shows version 2026.3.7, status "正常")
  4. Click on "会话" (Sessions) link in sidebar
  5. Click on any session link (e.g., agent:main:main)
  6. WebSocket disconnects, page shows "device identity required", version "不适用", status "离线"

Expected behavior

Token should persist across page navigation within the same browser session. WebSocket should remain connected.

Actual behavior

Token is lost after navigation, WebSocket disconnects with device identity error. Browser console shows: disconnected (1008): device identity required

OpenClaw version

2026.3.7

Operating system

macOS (Darwin 25.3.0 arm64)

Install method

npm global

Logs, screenshots, and evidence



Impact and severity


Affected: All Control UI users on 2026.3.7

Severity: High (blocks multi-page workflows)

Frequency: 100% reproducible

Consequence: Control UI is unusable for session management, configuration changes, or any multi-page navigation. Users must regenerate token URL and reload for every page.


Additional information


Related issues: #11590 (2026.2.6), #29801 (2026.2.26), #24238 (2026.2.22)


This appears to be a regression or incomplete fix in 2026.3.7. The CHANGELOG mentions:




Control UI/auth token separation: keep the shared gateway token in browser auth validation while reserving cached device tokens for signed device payloads




But the issue persists. The dangerouslyDisableDeviceAuth: true config setting appears to be ignored during page navigation.


Config used:


{
  "gateway": {
    "controlUi": {
      "enabled": true,
      "dangerouslyDisableDeviceAuth": true
    },
    "auth": {
      "mode": "token"
    }
  }
}
Metadata
Metadata
Assignees
No one assigned
    Labels
    bugSomething isn't workingregressionBehavior that previously worked and now fails
    Type
    No type
    Fields
    No fields configured for issues without a type.
    Projects
    No projects
    Milestone
    No milestone
    Relationships
    None yet
    Development
    No branches or pull requests
    Issue actions