#Gateway token mismatch

1 messages · Page 1 of 1 (latest)

frigid vine
#

(base) PS C:\openClaw\openclaw> docker compose exec openclaw-gateway openclaw devices list
time="2026-02-27T16:46:13+08:00" level=warning msg="The "CLAUDE_AI_SESSION_KEY" variable is not set. Defaulting to a blank string."
time="2026-02-27T16:46:13+08:00" level=warning msg="The "CLAUDE_WEB_SESSION_KEY" variable is not set. Defaulting to a blank string."
time="2026-02-27T16:46:13+08:00" level=warning msg="The "CLAUDE_WEB_COOKIE" variable is not set. Defaulting to a blank string."
time="2026-02-27T16:46:13+08:00" level=warning msg="The "CLAUDE_AI_SESSION_KEY" variable is not set. Defaulting to a blank string."
time="2026-02-27T16:46:13+08:00" level=warning msg="The "CLAUDE_WEB_SESSION_KEY" variable is not set. Defaulting to a blank string."
time="2026-02-27T16:46:13+08:00" level=warning msg="The "CLAUDE_WEB_COOKIE" variable is not set. Defaulting to a blank string."

🦞 OpenClaw 2026.2.26 (unknown) — If something's on fire, I can't extinguish it—but I can write a beautiful postmortem.

│
gateway connect failed: Error: unauthorized: gateway token mismatch (set gateway.remote.token to match gateway.auth.token)
[openclaw] Failed to start CLI: Error: gateway closed (1008): unauthorized: gateway token mismatch (set gateway.remote.token to match gateway.auth.token)

abstract gullBOT
#

To help others find answers, you can mark your question as solved via Right click solution message -> Apps -> âś… Mark Solution

frigid vine
#

@echo sluice

quasi leafBOT
#

That error almost always means the Gateway and the CLI are reading the token from different places (or you rotated one and not the other).

In the Docker Compose setup there are two common token sources:

  • Gateway (server) uses gateway.auth.token from openclaw.json if present (config wins), otherwise it falls back to OPENCLAW_GATEWAY_TOKEN.
  • CLI (client) tends to use OPENCLAW_GATEWAY_TOKEN first, then falls back to gateway.auth.token.

So if both are set but different, you get gateway token mismatch.

Fix (Docker Compose)

  1. Use the CLI container (that’s the documented flow), not exec openclaw-gateway:
docker compose run --rm openclaw-cli devices list
  1. Make sure these two match (don’t paste the token into Discord):
  • In your repo’s .env: OPENCLAW_GATEWAY_TOKEN=...
#
  • In your mounted config file (from .env’s OPENCLAW_CONFIG_DIR): openclaw.json → gateway.auth.token

If they don’t match: copy one value so they are identical, then restart:

docker compose restart openclaw-gateway
  1. Retry:
docker compose run --rm openclaw-cli devices list

Docs: https://docs.openclaw.ai/install/docker (see “Control UI token + pairing (Docker)” section)

If it still mismatches after you’ve confirmed they match, reply with (redacted) outputs of:

  • docker compose run --rm openclaw-cli gateway status
  • and whether your openclaw.json has gateway.remote.* set (yes/no)
#

That CLAUDE_* warning spam is harmless here — the real problem is:

The Gateway is expecting token A, but the CLI is sending token B.
In Docker Compose this usually happens when you have both of these set but they don’t match:

  • OPENCLAW_GATEWAY_TOKEN (from your .env, injected into the containers)
  • gateway.auth.token (inside your mounted openclaw.json)

Server-side precedence is important: the Gateway will use gateway.auth.token if it exists, otherwise it falls back to OPENCLAW_GATEWAY_TOKEN. The CLI will happily use the env var, so you can end up mismatched.

Do this (safe + quick)

  1. Prefer the CLI container (avoids weird “run CLI inside the gateway process container” edge cases):
docker compose run --rm openclaw-cli devices list
  1. Check whether env-token and config-token are different without pasting the full token: