sullen wind
Getting this error after update to 2026.4.14
Health check failed: gateway.auth.token is configured as a secret reference but is unavailable in this command path. Fix: set OPENCLAW_GATEWAY_TOKEN/OPENCLAW_GATEWAY_PASSWORD, pass explicit --token/--password, or run a gateway command path that resolves secret references before credential selection.
queen micaBOT
vernal remnantBOT
queen micaBOT
olive tuskBOT
That looks like a SecretRef resolution issue, not necessarily a bad token.
What’s usually happening:
gateway.auth.token is stored as a ref, like ${OPENCLAW_GATEWAY_TOKEN} or a file/exec SecretRefopenclaw health needs the token before it can talk to the gatewayCommon fix:
export OPENCLAW_GATEWAY_TOKEN="your-token"
openclaw health --verbose
# or
openclaw health --token "$OPENCLAW_GATEWAY_TOKEN"
Big gotcha: the daemon/service may have the token, but your current shell does not, so the gateway runs fine while CLI health checks fail.
Can you paste these?
openclaw --version
openclaw gateway status
openclaw status --all
Also tell me whether gateway.auth.token is:
Please don’t paste the actual secret.
Docs:
sullen wind
OpenClaw 2026.4.14 (323493f)
🦞 OpenClaw 2026.4.14 (323493f) — I can run local, remote, or purely on vibes—results may vary with DNS.
│
â—‡
Service: systemd (enabled)
File logs: /tmp/openclaw/openclaw-2026-04-14.log
Command: /usr/bin/node /usr/lib/node_modules/openclaw/dist/index.js gateway --port 18789
Service file: ~/.config/systemd/user/openclaw-gateway.service
Service env: OPENCLAW_GATEWAY_PORT=18789
Config (cli): ~/.openclaw/openclaw.json
Config (service): ~/.openclaw/openclaw.json
Gateway: bind=loopback (127.0.0.1), port=18789 (service args)
Probe target: ws://127.0.0.1:18789
Dashboard: http://127.0.0.1:18789/
Probe note: Loopback-only gateway; only local clients can connect.
Runtime: running (pid 261042, state active, sub running, last exit 0, reason 0)
Warm-up: launch agents can take a few seconds. Try again shortly.
RPC probe: failed
RPC auth: gateway.auth.token SecretRef is unresolved in this command path; probing without configured auth credentials.
RPC target: ws://127.0.0.1:18789
gateway closed (1006):
Gateway port 18789 is not listening (service appears running).
Logs: journalctl --user -u openclaw-gateway.service -n 200 --no-pager
Troubles: run openclaw status
Troubleshooting: https://docs.openclaw.ai/troubleshooting
gateway token is set in the secrets.json file
Diagnosis (read-only)
Gateway connection details:
Gateway target: ws://127.0.0.1:18789
Source: local loopback
Config: /home/jarvis/.openclaw/openclaw.json
Bind: loopback
âś“ Config: /home/jarvis/.openclaw/openclaw.json
! Secret diagnostics (5)
- status --all: failed to resolve channels.discord.token locally (secrets.providers.filemain.path permissions are too open: /home/jarvis/.openclaw/secrets.json | secrets.providers.filemain.path permissions are too open: /home/jarvis/.openclaw/secrets.json).
- status --all: failed to resolve channels.telegram.botToken locally (secrets.providers.filemain.path permissions are too open: /home/jarvis/.openclaw/secrets.json | secrets.providers.filemain.path permissions are too open: /home/jarvis/.openclaw/secrets.json).
- status --all: channels.discord.token is unavailable in this command path; continuing with degraded read-only config.
- status --all: channels.telegram.botToken is unavailable in this command path; continuing with degraded read-only config.
- status --all: gateway secrets.resolve unavailable (gateway.auth.token is configured as a secret reference but is unavailable in this command path.
Fix: set OPENCLAW_GATEWAY_TOKEN/OPENCLAW_GATEWAY_PASSWORD, pass explicit --token/--password,
or run a gateway command path that resolves secret references before credential selection.); attempted local command-secret resolution.
âś“ Restart sentinel: none
âś“ Port 18789
! Tailscale: off · unknown
✓ Skills: 12 eligible · 0 missing · /home/jarvis/.openclaw/workspace
âś“ Plugin compatibility (none)
! Channel issues skipped (gateway unreachable)
Gateway health:
gateway closed (1006): ; gateway.auth.token SecretRef is unresolved in this command path; probing without configured auth credentials.
Nice, that narrows it down.
I think there are 2 things going on:
gateway.auth.token SecretRef locallySo the auth warning is probably not the whole story.
Can you paste these next?
journalctl --user -u openclaw-gateway.service -n 100 --no-pager
openclaw secrets audit --check
ls -l ~/.openclaw/secrets.json
And if possible, a redacted snippet of your ~/.openclaw/openclaw.json for:
gateway.authsecrets.providerssecrets.defaultsPlease redact the actual token value if it appears.
My hunch is one of these:
gateway.auth.token is wrong after the updatesecrets.json is unreadable / not where the provider thinks it isTemporary CLI workaround, if you know the token value:
export OPENCLAW_GATEWAY_TOKEN="..."
openclaw gateway status
openclaw health --verbose
Docs:
Yep, this one is much clearer now, we found the root cause.
OpenClaw is refusing to read:
/home/jarvis/.openclaw/secrets.json
because the file permissions are too open.
That’s why:
gateway.auth.token can’t be resolvedI’d fix it like this:
chmod 600 ~/.openclaw/secrets.json
chmod 700 ~/.openclaw
chown "$USER":"$USER" ~/.openclaw/secrets.json
openclaw gateway restart
openclaw gateway status
If you want, also verify first:
ls -l ~/.openclaw/secrets.json ~/.openclaw
What you want is roughly:
~/.openclaw → drwx------~/.openclaw/secrets.json → -rw-------