#Pairing required 1008

Hey @craggy pine any thoughts?

Based on my research, this is a security change introduced in v2026.1.21. The Control UI now requires a secure context (HTTPS) to generate device identity by default.

Here's what's happening:

The Issue

After updating, your UI shows "pairing required" because:

1. The Control UI now rejects insecure HTTP without device identity by default
2. Your access method (loopback + Tailscale Serve) may not be providing a proper secure context

Solutions

Option 1: Configure Tailscale Serve properly

Make sure you have the right config. When using Tailscale Serve:

{

  "gateway": {
    "bind": "loopback",
    "tailscale": { "mode": "serve" },
    "auth": { "mode": "token", "token": "your-token" }
  }
}

Option 2: Skip device pairing (if you trust your network)

If you want to skip pairing entirely when accessed via Tailscale, add:

{
  "gateway": {
    "controlUi": { "allowInsecureAuth": true }
  }

}

⚠️ This is a security downgrade - it allows token-only auth and skips device pairing on HTTP.

Option 3: Use local access

Access via http://127.0.0.1:18789 directly (localhost is treated as a secure context).

Check Tailscale Serve status

Run this to verify your Serve config:

tailscale serve status

Make sure Serve is actually providing HTTPS (should show https://<your-machine>.ts.net/).

Which access method are you using?

• Direct Tailscale Serve URL (e.g., https://your-machine.ts.net:18789/)?
• Via a reverse proxy or SSH tunnel?
• Direct localhost/loopback?

This will help pinpoint whether it's a config issue or a setup problem. 🦐

"gateway": {
"bind": "loopback",
"tailscale": { "mode": "serve" },
"auth": { "mode": "token", "token": "your-token" }
}
}
my config has this already

clawdbot@clawd:~$ tailscale serve status
https://asdasdasdads.ts.net (tailnet only)
|-- / proxy http://127.0.0.1:18789
|-- /gmail-pubsub proxy http://127.0.0.1:8788

I got this too. @craggy pine

Found it! This is a known issue (GitHub #3795). Even with Tailscale Serve working correctly:

✅ allowTailscale: true skips token auth for Serve requests
❌ Device pairing still requires manual approval

Your Serve config is fine - the issue is that the device needs explicit approval even when accessing via Tailscale.

Fix: Approve the device

# List pending devices
clawdbot devices list

# Approve the device (replace <id> with the device ID from the list)
clawdbot devices approve <id>

Quick workaround (until the auto-approve feature lands)

If you want to skip pairing entirely for Tailscale Serve access, add this to your config:

{
  "gateway": {
    "controlUi": {
      "dangerouslyDisableDeviceAuth": true
    }
  }
}

⚠️ This is a severe security downgrade - only use this temporarily for debugging, then revert.

Recommendation: Just approve the device once via CLI, then it should work. The auto-approve feature for Tailscale Serve requests is tracked in issue #3795 and might land in a future update.

Let me know if devices approve works for you! 🦐

aight than ks solved, what bouat gog? how can i auth properly? @craggy pine

@craggy pine I do not see any pending devices? I am running the gateway with tailscale and loopback mode. I cannot connect to the control UI because of "pairing required".

⚠️ Agent failed before reply: No API key found for provider "anthropic". Auth store: /srv/clawdbot/state/agents/main/agent/auth-profiles.json (agentDir: /srv/clawdbot/state/agents/main/agent). Configure auth for this agent (clawdbot agents add <id>) or copy auth-profiles.json from the main agentDir.
Logs: clawdbot logs --follow

these fuckass devs can't even get their own bot working