[Bug]: Control UI WebSocket handshake fails with "device identity required" after upgrading to v2026.3.7 #40696

@hao65103940

Bug type

Regression (worked before, now fails)

Summary

Bug Report

Description

After upgrading to v2026.3.7, the Control UI WebSocket connection fails with "device identity required" on every page refresh, even when dangerouslyDisableDeviceAuth: true is configured.

The first login works, but any subsequent refresh triggers the error and requires re-authentication.

Steps to Reproduce

  1. Upgrade OpenClaw to v2026.3.7
  2. Configure gateway.auth.mode: "token" with a valid token
  3. Configure controlUi.dangerouslyDisableDeviceAuth: true
  4. Open Control UI and authenticate successfully with the token
  5. Refresh the page

Expected Behavior

Page refresh should maintain the authenticated session without requiring re-authentication, consistent with behavior in v2026.3.2.

Actual Behavior

WebSocket handshake fails immediately on refresh with:

cause: "device-required"
handshake: "failed"
reason: "device identity required"
code: 1008

Gateway Config

"gateway": {
  "port": 18788,
  "mode": "local",
  "bind": "lan",
  "controlUi": {
    "dangerouslyAllowHostHeaderOriginFallback": true,
    "allowInsecureAuth": true,
    "dangerouslyDisableDeviceAuth": true
  },
  "auth": {
    "mode": "token",
    "token": "[REDACTED]"
  }
}

Logs

warn gateway/ws {"cause":"device-required","handshake":"failed","durationMs":32,
"lastFrameType":"req","lastFrameMethod":"connect","client":"openclaw-control-ui",
"mode":"webchat","version":"2026.3.7"} closed before connect code=1008 
reason=device identity required

Environment

  • OpenClaw version: 2026.3.7
  • Node.js: v24.13.0
  • OS: Ubuntu (Linux)
  • Browser: Chrome 145
  • Install method: npm global (npm install -g openclaw)

Workaround

Downgrading to v2026.3.2 resolves the issue:

npm install -g openclaw@2026.3.2
openclaw gateway install --force
openclaw gateway restart

Additional Notes

This appears to be a regression introduced in v2026.3.7. The dangerouslyDisableDeviceAuth: true flag no longer suppresses the device identity check during WebSocket handshake. Possibly related to the auth hardening changes in this release:

OpenClaw version

2026.3.7

Operating system

OS: Ubuntu (Linux)

Install method

Install method: npm global (npm install -g openclaw)

Impact and severity

No response

Additional information

No response
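
For triaging the failure reported above, this added example (not part of the original issue or of OpenClaw's code) parses gateway/ws lines in the format quoted in the Logs section and counts failed handshakes by version, client and cause. It assumes one record per line; the function names and the sample lines are constructed for illustration.

```javascript
// Added example (not OpenClaw code). Assumption: one record per line, shaped as
// in the issue: warn gateway/ws {json} closed before connect code=<n> reason=<text>
function parseHandshakeFailure(line) {
  const start = line.indexOf("{");
  const end = line.lastIndexOf("}");
  if (!line.includes("gateway/ws") || start === -1 || end <= start) return null;
  let meta;
  try {
    meta = JSON.parse(line.slice(start, end + 1));
  } catch {
    return null; // wrapped or truncated record: skip rather than guess
  }
  if (meta.handshake !== "failed") return null;
  const tail = line.slice(end + 1);
  const code = /\bcode=(\d+)/.exec(tail);
  const reason = /\breason=(.+)$/.exec(tail);
  return {
    cause: meta.cause ?? "unknown",
    client: meta.client ?? "unknown",
    version: meta.version ?? "unknown",
    closeCode: code ? Number(code[1]) : null, // 1008 = policy violation (RFC 6455)
    reason: reason ? reason[1].trim() : null,
  };
}

// Count failures per version/client/cause so a regression shows up as a
// cluster on one version rather than as scattered one-off errors.
function summarize(lines) {
  const counts = {};
  for (const line of lines) {
    const f = parseHandshakeFailure(line);
    if (!f) continue;
    const key = `${f.version}|${f.client}|${f.cause}|${f.closeCode}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Constructed sample: the issue's record twice (two refreshes), one unrelated
// line, and one record cut off mid-JSON.
const RECORD = 'warn gateway/ws {"cause":"device-required","handshake":"failed","durationMs":32,"lastFrameType":"req","lastFrameMethod":"connect","client":"openclaw-control-ui","mode":"webchat","version":"2026.3.7"} closed before connect code=1008 reason=device identity required';
const SAMPLE = [RECORD, RECORD, "info gateway listening (constructed line)", RECORD.slice(0, 60)];

console.log(summarize(SAMPLE));
```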

Labels

bug: Something isn't working
regression: Behavior that previously worked and now fails
