Bug type

Regression (worked before, now fails)

Summary

Describe the bug
Setting gateway.controlUi.dangerouslyDisableDeviceAuth: true does not disable device identity requirement for WebSocket connections. Remote connections still fail with "device identity required" (code 1008).

To Reproduce

1. Set in ~/.openclaw/openclaw.json:

   {
     "gateway": {
       "controlUi": {
         "dangerouslyDisableDeviceAuth": true
       },
       "auth": {
         "mode": "none"
       }
     }
   }
   

2. Restart gateway
3. Connect from remote browser
4. WebSocket fails: code=1008 reason=device identity required

Steps to reproduce

1. Set gateway.controlUi.dangerouslyDisableDeviceAuth: true in openclaw.json
2. Set gateway.auth.mode: "none" in openclaw.json
3. Restart gateway: pkill -f "openclaw gateway" && openclaw gateway
4. Connect from remote browser to gateway URL
5. WebSocket connection fails with: code=1008 reason=device identity required

Expected behavior

Remote WebSocket connections should succeed without device identity requirement when dangerouslyDisableDeviceAuth is set to true. The gateway should accept the connection and allow dashboard access.

Actual behavior

WebSocket connection is closed with code 1008 and reason "device identity required" despite dangerouslyDisableDeviceAuth: true being set. No pairing request is created in openclaw devices list. Logs show: {"cause":"device-required","handshake":"failed","code":1008}

OpenClaw version

• OpenClaw: 2026.3.12 (6472949)

Operating system

OS: Linux (Docker on Hostinger VPS)

Install method

No response

Model

z.ai glm5

Provider / routing chain

N/A - Gateway authentication issue, not model-related

Config file / key location

No response

Additional provider/model setup details

Gateway: OpenClaw 2026.3.12 (self-hosted on Docker/Hostinger VPS)
No specific model involved - this is a WebSocket authentication issue

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

No response