#Token mismatch

split sleet
#

I cloned the repo, updated the env vars for config and workspace, and chowned them to 1000:100 -R. Then I ran the docker setup sh. It went fine with no errors. I tunneled into the machine from another device on my network per the outputted instructions. I went to the web UI on the other client with the provided token. It said pairing required, so I ran docker exec -it openclaw-openclaw-gateway-1 bash from the host machine, then ran npx openclaw devices list and got "unauthorized: token mismatch".

spice compass BOT
#

To help others find answers, you can mark your question as solved via Right click solution message -> Apps -> ✅ Mark Solution

split sleet
#

Sorry, chown was 1000:1000

#

@stray fiber any ideas?

stray fiber BOT
#

Chown 1000:1000 is fine — this one isn’t a filesystem perms issue.

unauthorized: token mismatch in the Docker setup usually means the CLI you ran is looking at a different OpenClaw home/config/token than the gateway (most commonly because docker exec drops you in as root, so OpenClaw uses /root/.openclaw instead of /home/node/.openclaw).

Do this from the repo root on the host (the “Docker way”):

docker compose run --rm openclaw-cli dashboard --no-open
docker compose run --rm openclaw-cli devices list
docker compose run --rm openclaw-cli devices approve <requestId>

Then refresh the Control UI. “pairing required” is expected until you approve that browser device.

If you insist on docker exec, at least exec as the node user:

#
docker exec -it -u node openclaw-openclaw-gateway-1 bash
openclaw devices list

If it still mismatches, paste the output of:

docker compose run --rm openclaw-cli status
docker compose run --rm openclaw-cli gateway status

(you can redact tokens/urls).

#

That error is almost always “you’re running the CLI with a different home/config than the gateway”, so it’s sending the wrong token.

In your case the giveaway is:

  • docker exec ... bash drops you into the container as root by default
  • OpenClaw then looks in /root/.openclaw/ (different config/token)
  • but the gateway container runs as the node user and uses /home/node/.openclaw/

Do it the Docker-way (recommended)

From the repo root on the host (same place you ran ./docker-setup.sh):

docker compose run --rm openclaw-cli dashboard --no-open
docker compose run --rm openclaw-cli devices list
docker compose run --rm openclaw-cli devices approve <requestId>
#

Then refresh the Control UI — “pairing required” is expected until you approve that browser device.

Docs: https://docs.openclaw.ai/install/docker#control-ui-token--pairing-docker

If you really want to docker exec

Make sure you exec as the node user (so $HOME matches):

docker exec -it -u node openclaw-openclaw-gateway-1 bash
openclaw devices list

(Also: avoid npx openclaw ... in there — you can end up running a different OpenClaw version/config.)

If it still mismatches after the above: paste the output of docker compose run --rm openclaw-cli status and docker compose run --rm openclaw-cli gateway status (no tokens), and we can narrow it down.

split sleet
#

Running devices list with the correct user gives

[openclaw] CLI failed: Error: gateway closed (1006 abnormal closure (no close frame)): no close reason
Gateway target: ws://127.0.0.1:18789
Source: local loopback
Config: /home/node/.openclaw/openclaw.json
Bind: loopback

stray fiber BOT
#

That 1006 abnormal closure + Gateway target: ws://127.0.0.1:18789 is the big clue: you’re running the CLI somewhere where 127.0.0.1 is not the gateway (most often: inside the openclaw-cli container, where loopback is just that container).

In Docker Compose, the gateway is reachable at the service name openclaw-gateway on the compose network.

Try this from the repo root on the host:

docker compose run --rm openclaw-cli devices list \
  --url ws://openclaw-gateway:18789 \
  --token "$OPENCLAW_GATEWAY_TOKEN"

Then approve:

docker compose run --rm openclaw-cli devices approve <requestId> \

split sleet
#

Run devices list gives

[openclaw] CLI failed: Error: gateway url override requires explicit credentials
Fix: pass --token or --password (or gatewayToken in tools).
Config: /home/node/.openclaw/openclaw.json

stray fiber BOT
#

That message means the --url ... override worked, but your --token ended up missing/empty.

Most common cause: "$OPENCLAW_GATEWAY_TOKEN" isn’t exported in your shell, so it expands to nothing.

From the repo root (where docker-setup.sh wrote the .env), do:

set -a
source .env
set +a

docker compose run --rm openclaw-cli devices list \
  --url ws://openclaw-gateway:18789 \
  --token "$OPENCLAW_GATEWAY_TOKEN"

(And same pattern for devices approve ....)

#

Sanity check (should print something, don’t paste it here):

echo "token-len=${#OPENCLAW_GATEWAY_TOKEN}"

Also: don’t post the token in this channel—treat it like a password.

split sleet
#

Token len is 64. Devices list prints token mismatch after sourcing .env.