#Pattern A multi-agent delegation blocked by missing operator scopes on 2026.4.15

1 messages · Page 1 of 1 (latest)

vast slate
#

Pattern A multi-agent delegation blocked by missing operator scopes on 2026.4.15 — CLI doesn't use paired token (matches #51779)

Setup:

  • OpenClaw 2026.4.15 (041266a) on Ubuntu 24.04 VPS (Hetzner), loopback bind
  • Two agents: main (Nova) and coach-chaos, each with their own Telegram bot
  • Both agents reachable on Telegram individually, working fine
  • agents.list[].subagents.allowAgents: ["coach-chaos"] set on main
  • sessions_spawn added to main's tools.alsoAllow
  • JSON valid, backups in place

Problem:
When Nova calls sessions_spawn to delegate to coach-chaos, she gets:

{
  "status": "error",
  "error": "gateway closed (1008): pairing required",
  "childSessionKey": "agent:main:subagent:<uuid>"
}

Same error when invoking the CLI directly:

$ openclaw agent --agent coach-chaos --message "hi"
gateway connect failed: GatewayClientRequestError: pairing required
Gateway agent failed; falling back to embedded
...
(embedded fallback does produce a reply)

What I tried:

  1. openclaw doctor --fix — ran clean, no effect on the pairing issue
  2. auth.mode: "none" in gateway config — no change
  3. Manually edited ~/.openclaw/devices/paired.json per #17187 workaround — added operator.{admin,approvals,pairing,read,write} to the CLI device's scopes, approvedScopes, and tokens.operator.scopes. Validated JSON. Killed all openclaw-gateway processes, restarted clean. Same error.

Suspected cause:
Matches #51779 — the CLI/runtime connects as a shared-token caller rather than the paired operator device, so paired.json edits are invisible at runtime.

Paired devices state:

  • openclaw-control-ui (webchat) devices — all 5 scopes ✅
  • cli device — originally had only operator.read, manually edited to all 5, no effect

Question:
Is there a known workaround on 2026.4.15 to get the local CLI/runtime to use the properly-scoped paired device token? Or is the fix still pending?

Happy to share logs, config (redacted), or run diagnostics if helpful.****

steady vortexBOT
#

To help others find answers, you can mark your question as solved via Right click solution message -> Apps -> ✅ Mark Solution

fresh locustBOT
delicate wagonBOT
#

I’m checking the current docs and source paths for the pairing behavior before I answer.

#

I found the auth-selection docs and source path. I’m checking whether there’s any newer issue status before I tell them “pending vs workaround.”

#

Short answer: this looks like a real 2026.4.15 auth-path bug/limitation, not a bad sessions_spawn config.

What I could verify from current docs/source:

  • openclaw agent ... and sessions_spawn both go through gateway auth first, so if both fail with 1008: pairing required, the problem is below the subagent layer.
  • Current auth selection explicitly prefers shared token/password first, then explicit deviceToken, then stored paired-device token, then bootstrap token.
  • There does not seem to be a documented openclaw agent flag to force “use my cached paired operator token”.
  • Issue #51779 is still open as of now, which matches your diagnosis pretty closely.

Why your paired.json edit likely did nothing:

  • it changes the gateway-side record,
  • but it does not rotate/mint a fresh device token,
  • and it does not guarantee the CLI will stop taking the shared-token path first.

So yes, I think “CLI/runtime is not actually using the properly-scoped paired token” is a plausible read here.

Supported workarounds I’d try on 2026.4.15:

#

  1. Check for a pending scope-upgrade request right after reproducing:

  2. Rotate or re-pair the CLI device, don’t hand-edit paired.json:

  3. Check whether the CLI path is still resolving a shared token/password from config/env (gateway.remote.token, OPENCLAW_GATEWAY_TOKEN, etc.). If it is, that can win before the stored paired token is considered.
    Troubleshooting: https://docs.openclaw.ai/gateway/troubleshooting
    FAQ: https://docs.openclaw.ai/help/faq

If you want, paste these 3 outputs and I can narrow it down fast: