fix(browser): accept query-param token on relay /json endpoints by Sid-Qin · Pull Request #26015 · openclaw/openclaw

Sid-Qin · 2026-02-25T02:32:01Z

Summary

Problem: the Chrome extension relay /json path auth guard only checks the x-openclaw-relay-token header, while WebSocket endpoints (/extension, /cdp) also accept ?token= query params. This causes all /json/version requests via curl or browser to get HTTP 401 if they use query-param auth.
Why it matters: users cannot authenticate to /json/version or /json/list unless they set the custom header — breaking curl-based debugging and some Chrome DevTools clients.
What changed: replaced the header-only check with getRelayAuthTokenFromRequest(req, url) which checks both the header and URL query param — the same helper already used by WebSocket endpoints.
What did NOT change: the set of accepted tokens is unchanged; WebSocket auth is unchanged.

Change Type (select all)

Bug fix

Scope (select all touched areas)

Integrations

Linked Issue/PR

Closes Browser relay /json/version and /extension endpoints reject all tokens (HTTP 401) #25928

User-visible / Behavior Changes

curl http://127.0.0.1:18792/json/version?token=<relay-token> now returns 200 instead of 401.
Header-based auth continues to work unchanged.

Security Impact (required)

New permissions/capabilities? No
Secrets/tokens handling changed? No — same tokens accepted, same validation
New/changed network calls? No
Command/tool execution surface changed? No
Data access scope changed? No
Query-param tokens are already accepted on WebSocket endpoints; this just makes HTTP endpoints consistent.

Repro + Verification

Steps

Start the gateway with token auth
curl -s "http://127.0.0.1:18792/json/version?token=<relay-token>"
Before fix: 401; after fix: 200 with JSON payload

Evidence

Failing test/log before + passing after
New test "accepts /json endpoints with relay token query param" in extension-relay.test.ts.

Human Verification (required)

Verified scenarios: query param auth, header auth, no auth (401)
Edge cases checked: token with special characters (URL-encoded), empty token
What you did not verify: live Chrome extension connection

Compatibility / Migration

Backward compatible? Yes
Config/env changes? No
Migration needed? No

Failure Recovery (if this breaks)

Revert commit; restore src/browser/extension-relay.ts

Risks and Mitigations

None — strictly additive; query-param auth was already supported on WS endpoints.

Greptile Summary

Made the /json endpoint auth guard consistent with WebSocket endpoints by accepting both header and query-param tokens. Previously, /json/version and /json/list only accepted authentication via HTTP header, while /extension and /cdp WebSocket endpoints accepted both header and query-string authentication. This inconsistency broke curl-based debugging and some Chrome DevTools clients that rely on query-param authentication.

Replaced direct header check with getRelayAuthTokenFromRequest(req, url) helper at src/browser/extension-relay.ts:370
Added test coverage for query-param auth on /json endpoints
No security changes: same tokens accepted, same validation logic
Backward compatible: header-based auth continues to work unchanged

Confidence Score: 5/5

This PR is safe to merge with minimal risk
The change is a straightforward consistency fix that uses an existing, well-tested helper function. The implementation maintains the same security posture by checking the same token set, just via an additional transport mechanism already supported on WebSocket endpoints. Test coverage validates both query-param and header-based auth, and backwards compatibility is preserved.
No files require special attention

_{Last reviewed commit: b0f7167}

The /json path auth guard only checked the x-openclaw-relay-token header, while the WebSocket endpoints (/extension, /cdp) also accepted ?token= query params via getRelayAuthTokenFromRequest. Use the same helper for /json so curl and browser clients can authenticate via either mechanism. Closes openclaw#25928 Co-authored-by: Cursor <[email protected]>

@Sid-Qin

Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR #26015). Co-authored-by: SidQin-cyber <[email protected]>

steipete · 2026-02-26T14:17:52Z

Landed on main via 42cf32c38.

What I changed while landing:

kept your /json query-token auth fix (getRelayAuthTokenFromRequest(req, url)) so HTTP relay auth matches websocket behavior
kept regression coverage for /json/version?token=...
added unreleased changelog entry with PR attribution

SHA mapping:

original PR commit: e7a9d9135894be9adf72e8ba823459ec9cc14756
landed commit: 42cf32c38

Thanks for the fix, @Sid-Qin.

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]>

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]> (cherry picked from commit 9b0cafc)

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]> (cherry picked from commit 9b0cafc)

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]> (cherry picked from commit 9b0cafc)

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]> (cherry picked from commit 9b0cafc)

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]> (cherry picked from commit 9b0cafc)

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]>

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]>

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]>

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]> (cherry picked from commit 9b0cafc)

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]> (cherry picked from commit 9b0cafc)

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]> (cherry picked from commit 9b0cafc)

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]> (cherry picked from commit 9b0cafc)

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]>

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]>

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]>

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]>

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]>

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]>

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]>

@Sid-Qin

… routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]> (cherry picked from commit 42cf32c)

@Sid-Qin

… auth for /json relay routes (#1108) * fix(browser): land PR openclaw#26015 query-token auth for /json relay routes Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR openclaw#26015). Co-authored-by: SidQin-cyber <[email protected]> (cherry picked from commit 42cf32c) * fix: adapt cherry-pick to rebranded relay-token header name The cherry-picked test used x-openclaw-relay-token but the fork has rebranded this header to x-remoteclaw-relay-token. --------- Co-authored-by: Peter Steinberger <[email protected]> Co-authored-by: SidQin-cyber <[email protected]>

openclaw-barnacle bot added size: XS experienced-contributor labels Feb 25, 2026

This was referenced Feb 25, 2026

[Bug] Chrome Extension Relay authentication failed #26777

Closed

[Bug] Chrome Extension Relay authentication failed #26778

Closed

steipete closed this Feb 26, 2026

gemini-code-assist bot mentioned this pull request Feb 27, 2026

chore(sync): replay rollup fixes on upstream/main MillionthOdin16/openclaw#94

Merged

alexey-pelykh mentioned this pull request Mar 10, 2026

Cherry-pick: Browser relay fixes (CORS, auth, races, URI safety) remoteclaw/remoteclaw#628

Closed

alexey-pelykh mentioned this pull request Mar 12, 2026

Cherry-pick 42cf32c38: fix(browser): land PR #26015 query-token auth for /json relay routes remoteclaw/remoteclaw#1108

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(browser): accept query-param token on relay /json endpoints#26015

fix(browser): accept query-param token on relay /json endpoints#26015
Sid-Qin wants to merge 1 commit intoopenclaw:mainfrom
Sid-Qin:fix/browser-relay-json-auth-25928

Sid-Qin commented Feb 25, 2026 •

edited

Loading

Uh oh!

steipete commented Feb 26, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Conversation

Sid-Qin commented Feb 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Change Type (select all)

Scope (select all touched areas)

Linked Issue/PR

User-visible / Behavior Changes

Security Impact (required)

Repro + Verification

Steps

Evidence

Human Verification (required)

Compatibility / Migration

Failure Recovery (if this breaks)

Risks and Mitigations

Greptile Summary

Confidence Score: 5/5

Uh oh!

steipete commented Feb 26, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Sid-Qin commented Feb 25, 2026 •

edited

Loading