[Bug]: still reproducing missing scope: operator.read on 2026.3.13 after full re-auth + token/device resets #46422

@ammosleybooking-helix

Description

Bug type

Regression (worked before, now fails)

Summary

openclaw status --all and openclaw security audit --deep continue to report:

gateway.probe_failed
missing scope: operator.read

What I already tried

Re-auth OpenAI Codex OAuth successfully:
openclaw models auth login --provider openai-codex --method oauth
Restarted gateway multiple times:
openclaw gateway stop
openclaw gateway install
openclaw gateway start
Rotated gateway auth token (gateway.auth.token) and reopened dashboard via openclaw dashboard.
Cleared/rotated paired devices and tokens:
openclaw devices clear --yes --pending
openclaw devices remove
openclaw devices rotate --device --role operator --scope operator.read --scope operator.write --scope operator.admin --scope operator.approvals --scope operator.pairing
Verified paired device scopes now include read/write/admin/approvals/pairing.
Disabled tailscale auth fallback:
openclaw config set gateway.auth.allowTailscale false

Observed behavior in logs

Device is auto-approved as operator and webchat connects:
[gateway] device pairing auto-approved ... role=operator
[ws] webchat connected ... client=openclaw-control-ui webchat v2026.3.13
Immediately after, scope errors continue:
[ws] ... errorMessage=missing scope: operator.read for status, system-presence, config.get

CLI evidence

openclaw devices list shows paired device with full operator scopes including operator.read.
openclaw status --all still says:
Gateway ... unreachable (missing scope: operator.read)
This looks like a regression in session/pairing scope resolution rather than provider OAuth or token setup.

Steps to reproduce

Re-auth OpenAI Codex OAuth successfully:
openclaw models auth login --provider openai-codex --method oauth
Restarted gateway multiple times:
openclaw gateway stop
openclaw gateway install
openclaw gateway start
Rotated gateway auth token (gateway.auth.token) and reopened dashboard via openclaw dashboard.
Cleared/rotated paired devices and tokens:
openclaw devices clear --yes --pending
openclaw devices remove
openclaw devices rotate --device --role operator --scope operator.read --scope operator.write --scope operator.admin --scope operator.approvals --scope operator.pairing
Verified paired device scopes now include read/write/admin/approvals/pairing.
Disabled tailscale auth fallback:
openclaw config set gateway.auth.allowTailscale false

Observed behavior in logs

Device is auto-approved as operator and webchat connects:
[gateway] device pairing auto-approved ... role=operator
[ws] webchat connected ... client=openclaw-control-ui webchat v2026.3.13
Immediately after, scope errors continue:
[ws] ... errorMessage=missing scope: operator.read for status, system-presence, config.get

CLI evidence

openclaw devices list shows paired device with full operator scopes including operator.read.
openclaw status --all still says:
Gateway ... unreachable (missing scope: operator.read)
This looks like a regression in session/pairing scope resolution rather than provider OAuth or token setup.

Expected behavior

openclaw status --all should report the Gateway as reachable and authenticated, with no missing scope: operator.read errors.
openclaw security audit --deep should complete without gateway.probe_failed for operator scope.
After successful pairing/token auth, Control UI and CLI calls (status, config.get, system-presence) should have operator-read access and return normal data.
Re-authentication, token rotation, or device re-pairing should consistently restore/retain full operator scopes (operator.read, operator.write, operator.admin, operator.approvals, operator.pairing) instead of leaving sessions in a scope-missing state.

Actual behavior

Device is auto-approved as operator and webchat connects:
[gateway] device pairing auto-approved ... role=operator
[ws] webchat connected ... client=openclaw-control-ui webchat v2026.3.13
Immediately after, scope errors continue:
[ws] ... errorMessage=missing scope: operator.read for status, system-presence, config.get

OpenClaw version

2026.03.13

Operating system

macOS 26.3 arm64

Install method

manual

Model

openai-codex/gpt-5.3-codex

Provider / routing chain

openai-codex/gpt-5.3-codex openai-codex/gpt-5.1-codex openai/gpt-5.4o-mini anthropic/claude-opus-4-5 anthropic/claude-sonnet-4-5 anthropic/claude-sonnet-4-6

Config file / key location

~/.openclaw/openclaw.json (absolute: /Users/helix/.openclaw/openclaw.json)

Additional provider/model setup details

Auth/token key locations in config:

Gateway auth mode: gateway.auth.mode
Gateway token: gateway.auth.token
Tailscale auth toggle: gateway.auth.allowTailscale
Trusted proxies: gateway.trustedProxies
Model auth profiles: auth.profiles
Default model + fallbacks: agents.defaults.model.primary and agents.defaults.model.fallbacks
If you want, I can also format this as a one-line YAML snippet for GitHub issue templates.

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

No response

Metadata

    Labels

    bug: Something isn't working
    regression: Behavior that previously worked and now fails