[Bug]: [Bug]: Gateway probe limited despite paired device + operator token (macOS, 2026.3.13) #48113

@ekonomi-ux

Bug type

Regression (worked before, now fails)

Summary

On macOS, openclaw gateway probe connects successfully but all RPC calls are limited with missing scope: operator.read, even though both OPENCLAW_GATEWAY_TOKEN and OPENCLAW_TOKEN are injected via 1Password and env.secrets.op.

Environment

  • OpenClaw: 2026.3.13 (61d171a)
  • OS: macOS 15.7.4 (x64)
  • Node: 25.7.0
  • Gateway service: LaunchAgent (ai.openclaw.gateway.plist)
  • Gateway bind: local loopback ws://127.0.0.1:18789

Device + token setup

  • openclaw devices list shows one paired device:
    • role: operator
    • scopes: operator.read, operator.write, operator.admin, operator.approvals, operator.pairing
  • Both tokens exported:
    • OPENCLAW_GATEWAY_TOKEN=<set>
    • OPENCLAW_TOKEN=<set>

What happens

  • openclaw gateway probe:
    Gateway Status
    Reachable: yes
    Probe budget: 3000ms
    
    Warning:
    - Probe diagnostics are limited by gateway scopes (missing operator.read). Connection succeeded, but status details may be incomplete. Hint: pair device identity or use credentials with operator.read.
    
    Targets
    Local loopback ws://127.0.0.1:18789
      Connect: ok (10ms) · RPC: limited - missing scope: operator.read
    
  • Gateway logs (truncated):
    [ws] ⇄ res ✗ status ... errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read
    [ws] ⇄ res ✗ config.get ... errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read
    [ws] ⇄ res ✗ system-presence ... errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read
    

What I expected

If a paired device with operator.read/other scopes is present and its token is injected, probe/status/config.get should work.

Troubleshooting done

  • Rotated operator token; placed in 1Password (vault "OpenClaw", item "openclaw.operator", field "credential").
  • Confirmed token readable with op read.
  • Used op run --env-file ~/.openclaw/env.secrets.op to inject tokens; confirmed both vars set in environment.
  • Restarted gateway service.
  • Still: probe and status both fail due to missing operator.read.

Is this related to #17187?

Symptoms are similar, but device already has the correct scopes. Not an auto-paired dashboard/webchat device.

Questions

  • Is there any config, env var, or CLI flag required for the gateway/node process for it to associate the device token with ws/RPC?
  • Can you provide instructions or debug flags to see how scopes/identity are resolved per connection?
  • Is there any known launchd/macOS-specific bug for token resolution?

Additional data available

Config files (redacted), LaunchAgent plist, logs, diagnostic output, all available if needed.

Steps to reproduce

  1. On macOS, run the OpenClaw gateway as a LaunchAgent (local loopback bind to ws://127.0.0.1:18789).
  2. Ensure a paired device exists:
    • Run openclaw devices list and confirm there is a paired device with role operator and scopes including operator.read and operator.write.
  3. Configure 1Password env injection:
    • In ~/.openclaw/env.secrets.op, set:
      • OPENCLAW_GATEWAY_TOKEN=op://.../credential
      • OPENCLAW_TOKEN=op://.../credential
    • Verify both are set inside op run:
      • op run --env-file "$HOME/.openclaw/env.secrets.op" -- sh -lc 'env | egrep "OPENCLAW_(GATEWAY_TOKEN|TOKEN)=" | sed "s/=.*/=<set>/"'
  4. Run:
    • op run --env-file "$HOME/.openclaw/env.secrets.op" -- openclaw gateway probe
    • (optional) op run --env-file "$HOME/.openclaw/env.secrets.op" -- openclaw status

Expected behavior

openclaw gateway probe should return full RPC diagnostics (not “RPC limited”), and openclaw status should show the gateway as reachable without the error missing scope: operator.read.

Actual behavior

openclaw gateway probe connects successfully, but RPC remains limited:

  • RPC: limited - missing scope: operator.read

openclaw status reports:

  • Gateway ... unreachable (missing scope: operator.read)

Gateway logs show repeated:

  • errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read
    for RPC methods like status, system-presence, and config.get.

OpenClaw version

OpenClaw 2026.3.13 (61d171a)

Operating system

macOS 15.7.4 (x64)

Install method

Install method pnpm/npm install (stable channel), gateway managed via LaunchAgent (~/Library/LaunchAgents/ai.openclaw.gateway.plist).

Model

anthropic/claude-sonnet-4-6

Provider / routing chain

openclaw gateway (local) -> anthropic (api_key)

Config file / key location

  • ~/.openclaw/openclaw.json (gateway auth token + gateway bind/port)
  • ~/Library/LaunchAgents/ai.openclaw.gateway.plist (launchd service definition)
  • 1Password env: ~/.openclaw/env.secrets.op

Additional provider/model setup details

  • Gateway bound to local loopback (ws://127.0.0.1:18789)
  • Auth is token-based; tokens are injected via 1Password op run --env-file.
  • Paired operator device shows scopes: operator.read, operator.write, operator.admin, operator.approvals, operator.pairing.
  • Despite this, gateway treats the connection as missing operator.read for some RPC methods.

Logs, screenshots, and evidence

### `openclaw gateway probe` (via 1Password env injection)

op run --env-file "$HOME/.openclaw/env.secrets.op" -- openclaw gateway probe
Gateway Status
Reachable: yes
Probe budget: 3000ms

Warning:
- Probe diagnostics are limited by gateway scopes (missing operator.read). Connection succeeded, but status details may be incomplete. Hint: pair device identity or use credentials with operator.read.

Discovery (this machine)
Found 1 gateway(s) via Bonjour (local.)

Targets
Local loopback ws://127.0.0.1:18789
  Connect: ok (10ms) · RPC: limited - missing scope: operator.read

### Gateway log excerpt

tail -n 80 ~/.openclaw/logs/gateway.log | egrep 'missing scope: operator.read|conn='
2026-03-16T10:01:57.996+01:00 [ws] ⇄ res ✗ status 0ms errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read conn=a7bdc64e…abdb id=14fe8b5a…e761
2026-03-16T10:01:57.998+01:00 [ws] ⇄ res ✗ system-presence 0ms errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read conn=a7bdc64e…abdb id=b5d115f2…40eb
2026-03-16T10:01:58.001+01:00 [ws] ⇄ res ✗ config.get 0ms errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read conn=a7bdc64e…abdb id=a43ac78d…74e2
...


## Impact and severity
Affected: Local operator on macOS using gateway + dashboard/CLI.
Severity: High (blocks gateway status/config/system RPC; dashboard becomes non-functional for operator features).
Frequency: 100% on this machine after setup (always reproducible).
Consequence: Cannot use dashboard/CLI features that require operator.read; troubleshooting and normal operation are blocked.

## Additional information
- Note: `chat.history` sometimes

Impact and severity

No response

Additional information

No response
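
For triaging denials like the ones in the gateway log excerpt above, this added example (not part of the original issue and not OpenClaw code) groups `missing scope` responses by connection id, showing which connection was refused which RPC methods. The line shape is assumed from the three log lines quoted in the issue; `DENIAL_RE`, `parse_denials` and `summarize` are hypothetical names.

```python
import re
from collections import defaultdict

# Assumed line shape, inferred only from the excerpt quoted in the issue:
# <ts> [ws] ⇄ res ✗ <method> <N>ms errorCode=<code>
#   errorMessage=missing scope: <scope> conn=<conn> id=<request>
DENIAL_RE = re.compile(
    r"^(?P<ts>\S+) \[ws\] \S+ res \S+ (?P<method>\S+) (?P<ms>\d+)ms "
    r"errorCode=(?P<code>\S+) errorMessage=missing scope: (?P<scope>\S+) "
    r"conn=(?P<conn>\S+) id=(?P<req>\S+)$"
)

# First three lines are copied from the issue's log excerpt (ids are
# truncated there); the last line is constructed to show non-matches
# are skipped.
SAMPLE_LOG = """\
2026-03-16T10:01:57.996+01:00 [ws] ⇄ res ✗ status 0ms errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read conn=a7bdc64e…abdb id=14fe8b5a…e761
2026-03-16T10:01:57.998+01:00 [ws] ⇄ res ✗ system-presence 0ms errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read conn=a7bdc64e…abdb id=b5d115f2…40eb
2026-03-16T10:01:58.001+01:00 [ws] ⇄ res ✗ config.get 0ms errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read conn=a7bdc64e…abdb id=a43ac78d…74e2
constructed line that is not a scope denial
"""


def parse_denials(text):
    """Yield one dict per scope-denial line; ignore everything else."""
    for line in text.splitlines():
        m = DENIAL_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize(text):
    """Map connection id -> {missing scope -> sorted denied RPC methods}."""
    by_conn = defaultdict(lambda: defaultdict(set))
    for d in parse_denials(text):
        by_conn[d["conn"]][d["scope"]].add(d["method"])
    return {
        conn: {scope: sorted(methods) for scope, methods in scopes.items()}
        for conn, scopes in by_conn.items()
    }


if __name__ == "__main__":
    for conn, scopes in summarize(SAMPLE_LOG).items():
        for scope, methods in scopes.items():
            print(f"conn={conn} missing {scope}: {', '.join(methods)}")
```
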

    Labels

    bug (Something isn't working), regression (Behavior that previously worked and now fails)
