# Auth with OpenClaw without Tailscale


gray goblet

control ui requires device identity (use HTTPS or localhost secure context)
This page is HTTP, so the browser blocks device identity. Use HTTPS (Tailscale Serve) or open http://127.0.0.1:18789 on the gateway host.
If you must stay on HTTP, set gateway.controlUi.allowInsecureAuth: true (token-only).

I set allowInsecureAuth, but it is not working correctly. I input my token and I keep getting "control ui requires device identity (use HTTPS or localhost secure context)".

wintry waspBOT

What are you trying to access remotely without Tailscale — the macOS app, the browser Control UI, the CLI, or an iOS/Android node?

In general, you’ve got two sane options:

Option A (recommended): SSH tunnel (no public exposure)

Keep the Gateway bound to loopback on the remote host, and forward it:

ssh -N -L 18789:127.0.0.1:18789 user@your-gateway-host

Then on your local machine:

  • Open the Control UI at http://127.0.0.1:18789 (localhost counts as a secure context for the UI’s device identity bits)
  • Use your Gateway Token (or password) to connect

Docs: https://docs.openclaw.ai/gateway/remote
(macOS app specific: https://docs.openclaw.ai/gateway/remote-gateway-readme)


Option B: Reverse proxy + HTTPS (if you really need it internet-facing)

Put Caddy/nginx/etc in front, terminate TLS, and do not expose the Gateway directly. If you go this route, read this first because it’s easy to misconfigure:

If you reply with:

  1. where the Gateway is running (home machine vs VPS),
  2. what client you’re using (browser vs app vs node),
  3. whether you can SSH in,
    …I can point you at the exact minimal config path.

That behavior is expected: gateway.controlUi.allowInsecureAuth does not bypass device identity.

On plain HTTP to a non-localhost origin (http://<lan-ip> / http://<public-ip>), the browser is in a non-secure context and blocks the WebCrypto bits the Control UI uses to generate device identity — so you keep getting:

“control ui requires device identity (use HTTPS or localhost secure context)”

Source: https://docs.openclaw.ai/web/control-ui#insecure-http (it explicitly says allowInsecureAuth doesn’t bypass device identity/pairing)

What to do instead (without Tailscale)

  1. Use an SSH tunnel so the UI is “localhost” on your machine:
     ssh -N -L 18789:127.0.0.1:18789 user@<gateway-host>

     Then open http://127.0.0.1:18789/ (or your gateway.controlUi.basePath, e.g. /openclaw).
  2. Or put HTTPS in front (Caddy/nginx/Traefik) and access via https://... (this is the “real” fix if you need browser access without SSH).
  3. Break-glass only: gateway.controlUi.dangerouslyDisableDeviceAuth: true will make HTTP work, but it’s a big security downgrade (don’t do this on anything internet-reachable).

If you paste the exact URL you’re opening (and whether you can SSH to the gateway host), I’ll tell you which of the above fits best + any allowedOrigins/proxy bits you might need.

gray goblet

I am using a vpn to connect safely into openclaw, is that good enough to expose it over http

wintry waspBOT

A VPN is good enough to keep the Gateway off the public internet, but it doesn’t make http://… a “secure context” for the browser.

So there are two separate answers:

1) Security: “is VPN + HTTP OK?”

If the Gateway is only reachable from inside your VPN, and you still require a gateway token/password (don’t run auth.mode: "none"), that’s a reasonable posture for a personal setup. Still not as clean as HTTPS, but the VPN is providing the encryption/authentication at the network layer.

2) Control UI: “will it work over HTTP?”

For the Control UI device identity, no — even over VPN, http://<vpn-ip> is still non-secure context, and the browser will block device identity. That’s why you keep seeing the error.

What to do instead (still works great over VPN)

  • Best: SSH tunnel and use localhost:
    ssh -N -L 18789:127.0.0.1:18789 user@<gateway-host>
    
    Then open http://127.0.0.1:18789/ (or your basePath).
  • Or: put HTTPS in front (Caddy/nginx) and only allow the VPN subnet through the firewall, and set gateway.controlUi.allowedOrigins to your https://… origin.

If you tell me what VPN you’re using (WireGuard? OpenVPN?) and what URL you want to open in the browser, I can suggest the simplest HTTPS approach for that setup.
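The secure-context rule behind the error discussed in the two replies above, as an added example (not code from the thread or from the OpenClaw project): a Node script that classifies a Control UI URL the way a browser decides "secure context", plus a model of the decision the replies describe. The config flag names are the ones quoted in the thread; the modelled behaviour is an assumption drawn from the replies, and the LAN and VPN addresses are constructed.

```javascript
// Added example, not OpenClaw's code: models the browser "secure context"
// rule behind the thread's error, plus the Control UI decision the replies
// describe. Flag names are those quoted in the thread; the behaviour is
// an assumption based on the replies, not the project's implementation.
const DEVICE_IDENTITY_ERROR =
  "control ui requires device identity (use HTTPS or localhost secure context)";

// Potentially trustworthy origin (W3C Secure Contexts): TLS schemes and
// file: always qualify; plain http only when the host is loopback.
function isSecureContext(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch {
    return false; // unparseable URL is never a secure context
  }
  if (["https:", "wss:", "file:"].includes(u.protocol)) return true;
  const host = u.hostname; // WHATWG URL keeps brackets on IPv6 hosts
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true;
  const v4 = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  return v4 !== null && Number(v4[1]) === 127; // 127.0.0.0/8
}

// allowInsecureAuth never bypasses device identity; only the break-glass
// flag dangerouslyDisableDeviceAuth lets a non-secure origin through.
function controlUiDecision(urlString, cfg = {}) {
  const { allowInsecureAuth = false, dangerouslyDisableDeviceAuth = false } = cfg;
  if (isSecureContext(urlString)) return { ok: true, reason: "secure context" };
  if (dangerouslyDisableDeviceAuth) {
    return { ok: true, reason: "device auth disabled (break-glass)" };
  }
  return { ok: false, reason: DEVICE_IDENTITY_ERROR, allowInsecureAuthIgnored: allowInsecureAuth };
}

// Constructed sample URLs for the thread's scenarios (IPs are made up).
const SAMPLE_URLS = [
  "http://127.0.0.1:18789/", // SSH tunnel target: works
  "http://localhost:18789/openclaw", // basePath variant: works
  "http://192.168.1.20:18789/", // LAN IP: blocked
  "http://10.8.0.5:18789/", // VPN IP: still blocked
  "https://gateway.example.com/", // TLS reverse proxy: works
];

for (const url of SAMPLE_URLS) {
  console.log(url, controlUiDecision(url, { allowInsecureAuth: true }));
}
```

Running it shows the VPN and LAN addresses rejected with allowInsecureAuth set, and only the loopback and https URLs accepted.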

gray goblet

I connected my Ollama model to OpenClaw, but I am having issues with it not having access to similar tools like in Claude Code. For example, it does not have the exec, read or write tool, which I want. How do I enable this?
