#unauthorized: gateway token missing even on localhost (Control UI won’t accept token)

Hey everyone — I’m running OpenClaw locally via Docker on macOS and I’m stuck in a gateway auth loop.

Environment
• Running via docker compose
• Accessing dashboard at:
http://localhost:18789/__openclaw__/
• Container shows healthy and listening on:
ws://0.0.0.0:18789
• Browser returns 200 OK on curl

Issue

The dashboard loads, but I get:

unauthorized: gateway token missing
(open the dashboard URL and paste the token in Control UI settings)

Status shows:
• Health: Offline
• Disconnected from gateway

Even after:
• Removing ~/.openclaw
• Removing OPENCLAW_GATEWAY_TOKEN from .env
• Clearing browser site data for localhost
• Restarting Docker containers
• Restarting from clean volumes

The UI never gives me a visible place to paste the token, and it keeps showing the same unauthorized message. Any suggestions to fix?

That error almost always means: the gateway expects a token, but the Control UI isn’t sending one (or it’s saved under a different origin like localhost vs 127.0.0.1).

1) Easiest fix: open the tokenized dashboard URL

Run this on the gateway host (in your case, inside the container):

• openclaw dashboard

It prints a URL that includes #token=... (and usually copies it). Open that exact URL in your browser. That auto-stashes the token into the Control UI’s localStorage.

Docs: https://docs.openclaw.ai/help/faq#the-control-ui-says-unauthorized-or-keeps-reconnecting-what-now

2) If you want to paste the token manually (the field exists, but it’s easy to miss)

In the dashboard UI go to:

Control → Overview → Gateway Access

There are two auth inputs side-by-side: Gateway Token and Password. Paste your token into Gateway Token, then click Connect.

3) Make sure you’re not fighting localhost vs 127.0.0.1

http://localhost:18789/... and http://127.0.0.1:18789/... are different browser origins, so the token saved in one won’t show up in the other.

Pick one (I recommend 127.0.0.1) and stick to it.

4) Getting / generating the token (inside Docker)

Inside the container:

• openclaw config get gateway.auth.token
• if it’s empty: openclaw doctor --generate-gateway-token (then restart the container)

Docs: https://docs.openclaw.ai/help/faq#how-do-i-authenticate-the-dashboard-token-on-localhost-vs-remote

If it still loops after that, paste:

• your docker image tag / OpenClaw version

• the last ~50 lines of docker compose logs <gateway-service> --tail=200
  and we can spot whether the gateway is actually reading a different config/state dir than you think.

I entered my token in the overview gateway token but now I get this message:

unauthorized: gateway token mismatch (open the dashboard URL and paste the token in Control UI settings)
Auth failed. Re-copy a tokenized URL with openclaw dashboard --no-open, or update the token, then click Connect.
Docs: Control UI auth

gateway token mismatch means the UI is sending a token, but it’s not the same token the gateway is currently configured with.

In Docker, the fastest way to get the correct token (from the same state/config the containers use) is:

1. Generate/print a tokenized dashboard URL and open that exact URL

docker compose run --rm openclaw-cli dashboard --no-open

Copy the full URL (including #token=...) and open it in the browser. That will also store the right token in the Control UI.

2. Double-check what token the gateway thinks it has

docker compose run --rm openclaw-cli config get gateway.auth.token
# (optional sanity check from inside the running gateway container)
docker compose exec openclaw-gateway openclaw config get gateway.auth.token

Those should match. If they don’t, your openclaw-cli and openclaw-gateway containers are not looking at the same mounted ~/.openclaw / config volume.