#[HELP] dmPolicy: allowlist causes 'pairing required' error on Windows — pairing mode works fine


wraith spade
#

Hi everyone! I'm running OpenClaw 2026.4.8 on Windows and have found a specific issue with the Telegram channel configuration.

The situation:

  • When dmPolicy is set to pairing → gateway starts perfectly with no errors ✅
  • When dmPolicy is set to allowlist → gateway throws the following error repeatedly ❌

Error when using allowlist:

[telegram] connect error: pairing required
gateway connect failed: GatewayClientRequestError: pairing required
[telegram] failed to start native approval handler: GatewayClientRequestError: pairing required
[ws] closed before connect code=1008 reason=pairing required
[gateway] security audit: device access upgrade requested reason=scope-upgrade scopesTo=operator.approvals

My current Telegram config:

"channels": {
    "telegram": {
      "enabled": true,
      "botToken": "MY_BOT_TOKEN",
      "dmPolicy": "allowlist",
      "groups": {
        "*": {
          "requireMention": true
        }
      },
      "allowFrom": [
        "USER_ID"
      ],
    }

**What I want to achieve:**
I want only my Telegram account to be able to communicate with my bot using allowlist mode, but it seems like allowlist mode specifically triggers this internal gateway pairing error on Windows.

**Questions:**
1. Is this a known bug with allowlist mode on Windows?
2. Is there a config field to disable the native approval handler that seems to be causing this?
3. Is there a workaround to restrict the bot to only my user ID while staying on pairing mode?

Any help appreciated! 🦞

vagrant estuaryBOT
#

I don’t think this is a Windows-only dmPolicy=allowlist bug.

What it looks like from the docs/source is:

  • allowlist requires allowFrom
  • on Telegram, allowFrom can also be used to infer exec approvers
  • when approvers can be resolved, Telegram native exec approvals auto-enable
  • that approval client asks the gateway for operator.approvals
  • your gateway is rejecting that scope upgrade with pairing required

So the problem is likely auto-enabled Telegram native exec approvals, not allowlist itself.

1) Known bug on Windows?

I don’t see evidence this is Windows-specific. It looks like a general config interaction.

2) Can you disable the native approval handler?

Yes. Set:

{
  channels: {
    telegram: {
      enabled: true,
      botToken: "MY_BOT_TOKEN",
      dmPolicy: "allowlist",
      allowFrom: ["123456789"],
      execApprovals: {
        enabled: false
      },
      groups: {
        "*": {
          requireMention: true
        }
      }
    }
  }
}

{
  channels: {
    telegram: {
      dmPolicy: "pairing",
      allowFrom: ["123456789"],
      execApprovals: {
        enabled: false
      }
    }
  }
}

That means:

  • your user ID is allowed immediately
  • unknown users still hit the pairing flow

So it does not fully block strangers, it just prevents them from talking unless paired.

Best recommendation

If you want only your Telegram ID to be able to DM the bot, use:

  • dmPolicy: "allowlist"
  • allowFrom: ["YOUR_NUMERIC_ID"]
  • execApprovals.enabled: false

If you actually want Telegram native approval buttons/DM approvals later, then approve the pending scope upgrade:

openclaw devices list
openclaw devices approve <requestId>

If execApprovals.enabled: false still reproduces on 2026.4.8, I’d call that a real bug and file it here: https://github.com/openclaw/openclaw/issues

Glad you caught the scope-upgrade scopesTo=operator.approvals line, that’s the giveaway here. 🦐

If this fixes it, please right-click the solution message → Apps → ✅ Mark Solution so Answer Overflow can index it.

wraith spade
#

Thanks, can you write me a complete JSON code (including double quotes) for the telegram channel section that accomplishes:

dmPolicy: "allowlist"
allowFrom: ["YOUR_NUMERIC_ID"]
execApprovals.enabled: false

So that I can directly insert them into my JSON file? Be sure to include everything and spacing so it does not return errors when running the gateway.

vagrant estuaryBOT
#

Yep, paste this inside your config as the channels section, or replace just the telegram part if you already have other channels configured:

{
  "channels": {
    "telegram": {
      "enabled": true,
      "botToken": "MY_BOT_TOKEN",
      "dmPolicy": "allowlist",
      "allowFrom": [
        "YOUR_NUMERIC_ID"
      ],
      "execApprovals": {
        "enabled": false
      },
      "groups": {
        "*": {
          "requireMention": true
        }
      }
    }
  }
}

Replace only:

  • "MY_BOT_TOKEN"
  • "YOUR_NUMERIC_ID"

Important:

  • keep the quotes around your Telegram user ID
  • do not leave a trailing comma after the last field
  • if your config already has "channels" with other entries, paste only this part:
"telegram": {
  "enabled": true,
  "botToken": "MY_BOT_TOKEN",
  "dmPolicy": "allowlist",
  "allowFrom": [
    "YOUR_NUMERIC_ID"
  ],
  "execApprovals": {
    "enabled": false
  },
  "groups": {
    "*": {
      "requireMention": true
    }
  }
}

If you want, I can also format it as a full config file example around your existing JSON structure.
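
Added example (not part of the thread and not OpenClaw's own validator): a small Node.js lint that checks a config for the points made in the two answers above, namely the allowFrom/execApprovals interaction that leads to the operator.approvals scope request, and the quoting and trailing-comma advice. The function name, finding labels and the strict-JSON and numeric-ID rules are assumptions taken from the answers' wording; the sample configs are constructed.

```javascript
// Added example, not OpenClaw code: lint a config for the issues raised in this thread.
// Assumes strict JSON and numeric Telegram user IDs stored as quoted strings.
function auditTelegramConfig(jsonText) {
  let cfg;
  try {
    cfg = JSON.parse(jsonText); // strict parse: a trailing comma is an error here
  } catch (err) {
    return ["parse-error: " + err.message];
  }
  const tg = cfg && cfg.channels && cfg.channels.telegram;
  if (!tg || typeof tg !== "object") return ["missing channels.telegram"];

  const findings = [];
  const allowFrom = Array.isArray(tg.allowFrom) ? tg.allowFrom : [];

  if (tg.dmPolicy === "allowlist" && allowFrom.length === 0) {
    findings.push("allowlist-needs-allowFrom");
  }
  if (tg.dmPolicy === "pairing") {
    // Per the answer: unknown senders are not blocked, they get the pairing flow.
    findings.push("pairing-unknown-users-reach-pairing-flow");
  }
  for (const id of allowFrom) {
    if (typeof id !== "string" || !/^\d+$/.test(id)) {
      findings.push("allowFrom-not-quoted-numeric-id: " + JSON.stringify(id));
    }
  }
  // Per the answer: resolvable approvers auto-enable native exec approvals,
  // which then request the operator.approvals scope from the gateway.
  const ea = tg.execApprovals;
  const disabled = ea && typeof ea === "object" && ea.enabled === false;
  if (allowFrom.length > 0 && !disabled) {
    findings.push("execApprovals-not-disabled-expect-operator.approvals-request");
  }
  return findings;
}

// Constructed sample inputs (IDs and token are placeholders).
const asPosted = JSON.stringify({ channels: { telegram: {
  enabled: true, botToken: "MY_BOT_TOKEN", dmPolicy: "allowlist",
  allowFrom: ["USER_ID"], groups: { "*": { requireMention: true } } } } });
const recommended = JSON.stringify({ channels: { telegram: {
  enabled: true, botToken: "MY_BOT_TOKEN", dmPolicy: "allowlist",
  allowFrom: ["123456789"], execApprovals: { enabled: false },
  groups: { "*": { requireMention: true } } } } });

console.log(auditTelegramConfig(asPosted));
console.log(auditTelegramConfig(recommended)); // []
```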