#Issue with OpenClaw Browser Relay Chrome Extension - "Relay not running"


obtuse raptor
#

Dear OpenClaw Support Team,

I am experiencing an issue connecting the OpenClaw Browser Relay Chrome extension with my OpenClaw instance. The extension consistently indicates "relay not running" despite troubleshooting.

Problem Description:
The Chrome extension displays an exclamation mark ("!") and the message "Clawdbot Browser Relay: relay not running". It cannot establish a connection to control the browser.

Troubleshooting Steps Taken:

  1. Browser Relay Status & Start Attempts: Initial checks via browser(action="status") showed the relay as not running. Attempts to start it via browser(action="start") resulted in an error: "no tab is connected."
  2. Gateway Restart & Service Verification: I restarted the OpenClaw Gateway via gateway(action="restart"). Logs confirmed "Browser control listening on http://127.0.0.1:18792 (http://127.0.0.1:18792/)".
  3. Extension Connection Attempts: Despite the service being active, the Chrome extension icon remains an "!" (not "ON") and does not connect to any open tab. The extension's options page correctly states "Relay reachable at http://127.0.0.1:18792/".

Current Situation:
OpenClaw's browser control service is running and listening, and the Chrome extension acknowledges reachability. However, the extension fails to connect to a Chrome tab for browser control.

Could you please assist me in resolving this connectivity issue?

Thank you for your time and support.

spring basinBOT
#

To help others find answers, you can mark your question as solved via Right click solution message -> Apps -> ✅ Mark Solution

minor mangoBOT
#

What you’re seeing is usually two separate things that look like one problem:

  1. `browser(action="start")` → "no tab is connected" is expected until you attach a tab.
    The Chrome relay does not auto-attach. You must:
    • open a normal web page (e.g. https://example.com, not chrome://…)
    • click the Browser Relay extension toolbar icon on that tab
    • the badge should flip to ON

    Only after that will browser(profile="chrome", …) show a running/connected tab.

  2. The ! relay not running badge means the extension can’t reach and/or authenticate to the local relay service.
    Even if the gateway log says it’s listening on 127.0.0.1:18792, the extension still needs the correct Gateway token.

Quick fix checklist

  • Confirm versions: paste openclaw --version
  • Confirm topology: is Chrome running on the same machine as the Gateway?
    • If the Gateway is remote (VPS) and Chrome is local: you must run a node host on the Chrome machine (docs cover this).
  • In Chrome extension Options, set:
    • Port: 18792
    • Gateway token: the value of gateway.auth.token
      Get it with: openclaw config get gateway.auth.token
  • Then attach a tab (toolbar button → badge ON)
  • Verify from CLI: openclaw browser --browser-profile chrome tabs

Docs (this exact flow + remote gateway notes): https://docs.openclaw.ai/tools/chrome-extension

If it still shows !, paste:

  • openclaw gateway status
  • and a screenshot of the extension Options page (it should indicate whether token auth passed, not just “reachable”).
obtuse raptor
#

Hello again,

Following up on my previous message regarding the OpenClaw Browser Relay Chrome extension issue.

The extension I am currently using is "OpenClaw Browser Relay - Powered By PAIO".

During further troubleshooting with the AI assistant, we discovered two key points that might be relevant:

  1. Gateway Token Unobtainable: When attempting to retrieve the gateway.auth.token using openclaw config get gateway.auth.token in the CLI, the output consistently showed OPENCLAW_REDACTED, preventing me from obtaining the token value.
  2. No Gateway Token Field in Extension Options: I checked the Chrome extension's Options page (screenshot attached previously), and there is no dedicated field to input a Gateway token. Only the "Relay port" is adjustable.

Despite these findings, the extension's options page still displays "Relay reachable at http://127.0.0.1:18792/". However, the extension icon in the toolbar remains an exclamation mark ("!"), and I am still unable to "attach" any Chrome tab to OpenClaw for browser control.

It seems the connection cannot be established even when the OpenClaw browser control service is confirmed to be running and listening on the correct port.

Any further guidance you can provide would be greatly appreciated. Thank you.

minor mangoBOT
#

Two separate things are going on here, and they point to a pretty specific root cause.

1) __OPENCLAW_REDACTED__ for gateway.auth.token is (usually) expected

That sentinel comes from OpenClaw’s config redaction layer: when config is read through the running Gateway (Control UI / remote client / some CLI paths), sensitive fields are intentionally replaced with __OPENCLAW_REDACTED__ so you don’t accidentally leak tokens into logs/chat/UI.

Implication: you probably ran openclaw config get gateway.auth.token not on the gateway host, or in a way that queries the Gateway instead of reading the on-disk file.

Fix options (pick one):

  • Run it on the gateway host (SSH into the machine where the Gateway service runs) and read the config file directly:
    • config lives at ~/.openclaw/openclaw.json (unless you use profiles / custom OPENCLAW_STATE_DIR)
    • copy the token locally (don’t paste it into Discord)
  • Or set/rotate a new token to a value you know, then restart:
    openclaw config set gateway.auth.token "$(openssl rand -hex 32)"
    openclaw gateway restart
    
    (Again: don’t paste the new token here.)
#

2) Your extension sounds like the wrong one (or an outdated build)

Per our docs, the OpenClaw extension’s Options page should have both:

  • Relay port (18792)
  • Gateway token (must match gateway.auth.token)

If your extension really has no token field, it’s almost certainly not the unpacked extension shipped with OpenClaw (or it’s an old fork/build).

Recommended: use the built-in installer + load unpacked:

openclaw browser extension install
openclaw browser extension path

Then in Chrome: chrome://extensions → Developer mode → Load unpacked → select that folder.
(And remove/disable the Web Store one you mentioned, so you’re not accidentally clicking the wrong toolbar icon.)

Docs: https://docs.openclaw.ai/tools/chrome-extension

#

One more critical check: is Chrome on the same machine as the Gateway?

If your Gateway runs on a VPS/other machine, your local Chrome extension pointing at http://127.0.0.1:18792 will be talking to your laptop’s loopback — not the server’s. In that case you need a node host on the Chrome machine (also covered in the doc under “Remote Gateway”).


If you paste these (safe) details, I can tell you exactly which branch you’re on:

  1. openclaw --version
  2. Is the Gateway on the same machine as Chrome? (yes/no)
  3. How did you install the extension (Web Store vs “Load unpacked” from openclaw browser extension path)?
obtuse raptor
#

Hello again,

Thank you for your follow-up questions. Here are the details regarding my setup, which I hope will help in diagnosing the Browser Relay issue:

  1. OpenClaw Version: My OpenClaw version is 2026.2.23.
  2. Gateway and Chrome on the Same Machine: Yes, both the OpenClaw Gateway and Chrome browser are running on the same machine.
  3. Extension Installation Method: The "OpenClaw Browser Relay - Powered By PAIO" Chrome extension was installed from the Chrome Web Store.

To reiterate the issues encountered:

• When attempting to retrieve the gateway.auth.token via openclaw config get gateway.auth.token in the CLI, the output consistently showed OPENCLAW_REDACTED.
• The Chrome extension's Options page does not have a dedicated field for inputting a Gateway token; only the "Relay port" (set to 18792) is configurable.
• Despite the Gateway's browser control service actively listening on http://127.0.0.1:18792 and the extension options indicating "Relay reachable," the extension icon remains an exclamation mark ("!"), and I am unable to connect/attach any Chrome tab for browser control.

I have ensured that a regular web page is open in Chrome and attempted to click the extension icon to turn it "ON," but the status does not change.

Your continued assistance is greatly appreciated.

minor mangoBOT
#

Given your details, this is almost certainly extension mismatch + a bad token value.

A) The Web Store extension (“Powered By PAIO”) isn’t the one our docs refer to

In current OpenClaw (you’re on 2026.2.23), the supported flow is the unpacked extension that ships with OpenClaw, installed via the CLI:

openclaw browser extension install
openclaw browser extension path

Then Chrome → chrome://extensions → Developer mode → Load unpacked → select that folder.

That shipped extension’s Options page includes a Gateway token field (per docs). If your Options page only has “Relay port”, it’s not the expected extension, and it won’t be able to authenticate properly (so you get ! forever).

Docs: https://docs.openclaw.ai/tools/chrome-extension

B) openclaw config get gateway.auth.token showing __OPENCLAW_REDACTED__ means your token is literally that string

#

openclaw config get … reads your on-disk config; it normally does not redact. So if it prints __OPENCLAW_REDACTED__, that value likely got written into your config at some point (common if a UI round-trip accidentally saved a redaction sentinel).

Fix: rotate to a real token you control (don’t paste the token into Discord):

openclaw config set gateway.auth.token "$(openssl rand -hex 32)"
openclaw gateway restart

After that, openclaw config get gateway.auth.token should print a real-looking hex string.

Note: rotating the token will also require you to re-auth the Control UI (use openclaw dashboard and paste the new token in the UI settings if prompted).

C) After you load the shipped unpacked extension

  1. Open extension Options
  2. Set:
    • Port: 18792
    • Gateway token: (the new value from your config)
  3. Open a normal https://… page (not chrome://extensions)
  4. Click the extension icon → badge should become ON

If you do just those two changes (use the shipped unpacked extension + set a real token), this usually snaps into place.

If it still doesn’t: paste the output of openclaw gateway status (safe/redacted) and tell me whether you’re using any --profile / multiple state dirs (that can cause “I changed token but the service uses a different config”).

obtuse raptor
#

Dear OpenClaw Support Team,

I am writing to provide a comprehensive update on a persistent issue I'm facing with the OpenClaw Browser Relay, where I am consistently receiving a "Gateway token rejected" error, preventing the extension from connecting to my OpenClaw instance. This is despite following your detailed troubleshooting steps.

My Setup Details:

• OpenClaw Version: 2026.2.23
• Gateway and Chrome Location: Both the OpenClaw Gateway and Chrome browser are running on the same machine.
• Chrome Extension: I am currently using the unpacked "OpenClaw Browser Relay" extension (installed via openclaw browser extension install and loaded via Chrome's Developer mode).

Chronology of Issues and Troubleshooting Steps Taken:

  1. Initial Problem ("Relay not running" with Web Store Extension):
    • Initially, I was using the "OpenClaw Browser Relay - Powered By PAIO" extension from the Chrome Web Store.
    • The extension icon consistently showed an exclamation mark ("!") and displayed "Clawdbot Browser Relay: relay not running."
    • The extension's options page only had a "Relay port" field (set to 18792), with no "Gateway token" input field.
    • openclaw config get gateway.auth.token from CLI output OPENCLAW_REDACTED, so the token value was unknown to me at that time.
  2. Support Guidance & Attempted Resolution (Unpacked Extension & Token Rotation):
    • Based on your guidance, I was informed about the extension mismatch (Web Store vs. unpacked) and the OPENCLAW_REDACTED issue.
    • I executed openclaw config set gateway.auth.token "$(openssl rand -hex 32)" to set a new token and then openclaw gateway restart.
    • I deleted the Web Store extension and successfully installed and loaded the unpacked extension (~/.openclaw/browser/chrome-extension) via chrome://extensions (Developer mode).
    • The newly loaded unpacked extension's options page correctly displayed both "Port" and "Gateway token" fields.
  3. Token Verification and Persistent Rejection:
    • Despite setting a new token, openclaw config get gateway.auth.token continued to output OPENCLAW_REDACTED.
    • To get the actual token, I directly inspected ~/.openclaw/openclaw.json and found the active token. (The exact token value was copied and pasted into the extension, ensuring no extra spaces, and "Save" was clicked.)
    • Result: The extension options page immediately displayed "Gateway token rejected. Check token and save again." (Screenshot attached showing this error). This error persists even with repeated attempts.
  4. Brief Anomaly with "DESKTOP-6JPTCC3":
    • At one point, as an experiment, I manually entered "DESKTOP-6JPTCC3" (my hostname, which appeared in openclaw status Gateway auth token field) into the extension's Gateway token field. This briefly made the error disappear from the options page. However, attempting to attach a tab still resulted in a gateway connect failed: Error: unauthorized: gateway token mismatch from the CLI, and later this "DESKTOP-6JPTCC3" value also became rejected. The currently active token in openclaw.json is a hexadecimal string (as confirmed by direct file inspection), not "DESKTOP-6JPTCC3".

Current Situation:

• OpenClaw Gateway is running and its browser control service is confirmed listening on http://127.0.0.1:18792.
• The unpacked Chrome extension is installed and its options are set with Port 18792 and the verified gateway.auth.token (a hexadecimal string copied directly from openclaw.json).
• Despite this, the extension continuously reports "Gateway token rejected" and cannot successfully attach to any Chrome tab.

#

I have exhausted all troubleshooting steps that I (and the AI assistant) can identify. Your further assistance in resolving this connectivity issue would be greatly appreciated.

Thank you for your time and continued support.

minor mangoBOT
#

That “Gateway token rejected” message is coming from the relay’s auth check, and there’s a gotcha here:

The relay does not accept the raw gateway.auth.token directly

For the Chrome relay server on 127.0.0.1:18792, OpenClaw derives a relay-scoped token from your gateway token (HMAC, scoped to the port). If you paste the raw gateway token into the extension, the relay will 401 → “Gateway token rejected”.

Workaround (generate the relay-scoped token and paste that into the extension)

On the machine running the gateway + Chrome:

PORT=18792
GW_TOKEN="$(openclaw config get gateway.auth.token)"

printf "openclaw-extension-relay-v1:%s" "$PORT" \
  | openssl dgst -sha256 -hmac "$GW_TOKEN" \
  | awk '{print $2}'
#

That prints a 64-hex string. Paste that output into the extension’s “Gateway token” field, hit Save, and the Options page should flip to:

Relay reachable and authenticated at http://127.0.0.1:18792/

Then click the toolbar button on a normal https://… tab → badge should go ON.

Important: env var override can still bite you

The relay token derivation prefers OPENCLAW_GATEWAY_TOKEN / CLAWDBOT_GATEWAY_TOKEN if set. So if you have either of those set in the gateway service environment (or ~/.openclaw/.env), you must use that value as GW_TOKEN (or remove it so config is the single source of truth).

If it still rejects

Paste (redacted is fine):

  • openclaw gateway status
  • and tell me your OS (macOS vs Linux vs WSL)

Also: this mismatch between the extension UI text (“must match gateway.auth.token”) and what the relay currently expects is worth a GitHub issue: https://github.com/openclaw/openclaw/issues

#

That’s a really useful update — and it explains the behavior.

Why you keep getting “Gateway token rejected”

In 2026.2.23, the relay on http://127.0.0.1:18792 does not accept the raw gateway.auth.token directly.

The relay expects a relay-scoped token derived from your gateway token (HMAC-SHA256, scoped to the port). If you paste the raw gateway token into the extension, the relay will return 401 → the Options page shows “Gateway token rejected”.

(Confusingly, the extension UI text says “Gateway token must match gateway.auth.token”, but the actual relay auth check is against the derived token.)


Fix (works even if openclaw config get … is weird)

  1. Make sure you know the actual gateway token the running gateway service uses
    Two common gotchas:
  • you’re editing a different profile/state dir than the service uses
  • OPENCLAW_GATEWAY_TOKEN / CLAWDBOT_GATEWAY_TOKEN is set somewhere (overrides config)
#

Please paste the output of (safe/redacted):

openclaw gateway status

This will show whether “Config (cli)” and “Config (service)” match.

  2. Derive the relay token and paste THAT into the extension
    Take the gateway token you found in the correct openclaw.json (don’t post it here), then run:

bash / zsh

# export both variables so the node child process can read them via process.env
export PORT=18792
export GW_TOKEN='(paste your gateway.auth.token here)'
node -e 'const crypto=require("crypto"); const port=process.env.PORT; const gw=process.env.GW_TOKEN; console.log(crypto.createHmac("sha256", gw).update(`openclaw-extension-relay-v1:${port}`).digest("hex"))'

PowerShell

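# String concatenation instead of a JS template literal: inside a double-quoted
# PowerShell string, the backtick and ${...} are consumed by PowerShell itself.
$env:PORT="18792"
$env:GW_TOKEN="(paste your gateway.auth.token here)"
node -e "const crypto=require('crypto'); console.log(crypto.createHmac('sha256', process.env.GW_TOKEN).update('openclaw-extension-relay-v1:' + process.env.PORT).digest('hex'))"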

That prints a 64-hex string. Paste that into the extension’s “Gateway token” field → Save.

  3. Quick sanity check (no secrets in output)
    After saving in the extension, this should return 200 (not 401):
curl -s -o /dev/null -w "%{http_code}\n" http://127.0.0.1:18792/json/version

(If it still says 401, the extension didn’t save the token you think it did, or you’re hitting a different relay process.)
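
Added example, not part of the thread and not OpenClaw's own code: a Node.js sketch of the token handling described in the replies above (environment variables override the config value, the `__OPENCLAW_REDACTED__` placeholder is never a usable token, and the relay expects an HMAC-SHA256 of `openclaw-extension-relay-v1:<port>` keyed with the gateway token). The function names, the env-var check order and the already-parsed config object are assumptions made for illustration.

```javascript
// Added example based on the behaviour described in this thread; not OpenClaw source.
const crypto = require("crypto");

const REDACTION_SENTINEL = "__OPENCLAW_REDACTED__"; // placeholder string quoted in the thread
const RELAY_CONTEXT = "openclaw-extension-relay-v1"; // HMAC message prefix quoted in the thread

// Pick the token source. Per the thread, the env vars win over the config file.
// Checking OPENCLAW_ before CLAWDBOT_ is an assumption; the thread gives no order.
function resolveGatewayToken(env, config) {
  for (const name of ["OPENCLAW_GATEWAY_TOKEN", "CLAWDBOT_GATEWAY_TOKEN"]) {
    if (env[name]) return { token: env[name], source: `env:${name}` };
  }
  const token = config?.gateway?.auth?.token;
  if (typeof token !== "string" || token.length === 0) {
    throw new Error("gateway.auth.token is not set");
  }
  if (token === REDACTION_SENTINEL) {
    throw new Error("gateway.auth.token is the redaction placeholder, not a real token");
  }
  return { token, source: "config:gateway.auth.token" };
}

// HMAC-SHA256 keyed with the gateway token over "<context>:<port>", hex-encoded.
function deriveRelayToken(gatewayToken, port) {
  return crypto.createHmac("sha256", gatewayToken)
    .update(`${RELAY_CONTEXT}:${port}`)
    .digest("hex");
}

// Report which kind of value was pasted into the extension, without printing it.
function classifyPastedValue(pasted, gatewayToken, port) {
  const same = (a, b) => {
    const x = Buffer.from(a), y = Buffer.from(b);
    return x.length === y.length && crypto.timingSafeEqual(x, y);
  };
  const value = pasted.trim();
  if (value === REDACTION_SENTINEL) return "redaction-placeholder";
  if (same(value, deriveRelayToken(gatewayToken, port))) return "relay-token";
  if (same(value, gatewayToken)) return "raw-gateway-token";
  return "unknown";
}

// Constructed sample input (not a real secret).
const sampleConfig = { gateway: { auth: { token: "constructed-sample-gateway-token" } } };
const { token, source } = resolveGatewayToken({}, sampleConfig);
const relayToken = deriveRelayToken(token, 18792);
console.log(source, "-> relay token has", relayToken.length, "hex characters");
console.log("pasting the raw token classifies as:", classifyPastedValue(token, token, 18792));
```

Because the port is part of the HMAC input, a token derived for one relay port does not match on another.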