Skip to content

[Bug]: dangerouslyDisableDeviceAuth not working in v2026.3.11 #43909

Open
#44034
Open
[Bug]: dangerouslyDisableDeviceAuth not working in v2026.3.11#43909
#44034
Labels
bugSomething isn't workingbug:behaviorIncorrect behavior without a crash
@javamagong

Description

@javamagong
javamagong
opened on Mar 12, 2026

Bug type

Behavior bug (incorrect output/state without crash)

Summary

The gateway.controlUi.dangerouslyDisableDeviceAuth: true configuration is not working as expected in OpenClaw 2026.3.11. The Gateway still requires device identity authentication even when this flag is explicitly enabled, causing WebSocket handshake failures when accessing Control UI from iframe environments (e.g., Coze/扣子 platform).

Steps to reproduce

  1. Upgrade to OpenClaw 2026.3.11
  2. Configure Gateway with bind: lan to allow external access
  3. Set gateway.controlUi.dangerouslyDisableDeviceAuth: true
  4. Access Control UI from an iframe environment (e.g., Coze platform)
  5. Observe WebSocket connection failure

Expected behavior

When dangerouslyDisableDeviceAuth: true is set, the Gateway should skip device identity checks and allow Control UI connections from any authorized origin without requiring a device token.

Actual behavior

WebSocket handshake fails with error:

"cause":"device-required","handshake":"failed"

Full log entry:

{
  "subsystem": "gateway/ws",
  "cause": "device-required",
  "handshake": "failed",
  "origin": "https://dev.coze.site",
  "host": "9.129.26.56:9000",
  "client": "openclaw-control-ui",
  "version": "2026.3.11"
}

Downgrading to OpenClaw 2026.3.8 resolves the issue. The same configuration works correctly in v2026.3.8.

pnpm add -g [email protected]

OpenClaw version

OpenClaw 2026.3.8

Operating system

Linux 5.15.120.byteatom-ck.13 (Sandbox/Container)

Install method

pnpm global

Model

coze/kimi-k2-5-260127

Provider / routing chain

OpenClaw Gateway → Coze Integration → Moonshot AI

Config file / key location

/workspace/projects/openclaw.json

Additional provider/model setup details

Coze Coding sandbox environment, iframe access from dev.coze.site

Logs, screenshots, and evidence



Impact and severity


No response


Additional information


    

  • The issue appears to be a regression introduced in v2026.3.11
    • 

  • All other "dangerous" flags (allowInsecureAuth, dangerouslyAllowHostHeaderOriginFallback) are correctly recognized and logged as enabled
    • 

  • The security warning log confirms all flags are enabled:

    security warning: dangerous config flags enabled: 
gateway.controlUi.allowInsecureAuth=true, 
gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback=true, 
gateway.controlUi.dangerouslyDisableDeviceAuth=true

    

    • 

  • Despite the configuration being recognized, the Gateway still enforces device identity checks
    • 

Metadata
Metadata
Assignees
No one assigned
    Labels
    bugSomething isn't workingbug:behaviorIncorrect behavior without a crash
    Type
    No type
    Fields
    No fields configured for issues without a type.
    Projects
    No projects
    Milestone
    No milestone
    Relationships
    None yet
    Development
    No branches or pull requests
    Issue actions