scope upgrade pending approval error | Friends of the Crustacean 🦞🤝 | Page 1

#scope upgrade pending approval error

1 messages · Page 1 of 1 (latest)

raven jackal May 4, 2026, 7:45 AM

I cannot approve device pairing:
~ openclaw devices approve ab719cf4-7c1a-461b-a2de-2d77f1cc796d

🦞 OpenClaw 2026.5.2 (8b2a6e5) — Your task has been queued; your dignity has been deprecated.

│
◇
[openclaw] Failed to start CLI: GatewayClientRequestError: missing scope: operator.admin
at GatewayClient.handleMessage (file:///opt/homebrew/lib/node_modules/openclaw/dist/client-D-i9iMPZ.js:663:25)
at WebSocket.<anonymous> (file:///opt/homebrew/lib/node_modules/openclaw/dist/client-D-i9iMPZ.js:314:35)
at WebSocket.emit (node:events:508:20)
at Receiver.receiverOnMessage (/opt/homebrew/lib/node_modules/openclaw/node_modules/ws/lib/websocket.js:1225:20)
at Receiver.emit (node:events:508:20)
at Receiver.dataMessage (/opt/homebrew/lib/node_modules/openclaw/node_modules/ws/lib/receiver.js:596:14)
at Receiver.getData (/opt/homebrew/lib/node_modules/openclaw/node_modules/ws/lib/receiver.js:496:10)
at Receiver.startLoop (/opt/homebrew/lib/node_modules/openclaw/node_modules/ws/lib/receiver.js:167:16)
at Receiver._write (/opt/homebrew/lib/node_modules/openclaw/node_modules/ws/lib/receiver.js:94:10)
at writeOrBuffer (node:internal/streams/writable:570:12)

Diagnosis (read-only)
...
Gateway health:
scope upgrade pending approval (requestId: 5c226471-9c59-4f44-830c-af7e94d037f7)

How can I solve this missing scope problem?

raven jackal May 9, 2026, 2:32 PM

help me

copper steppeBOT May 9, 2026, 2:33 PM

Yep — this is a scope-upgrade deadlock, not a normal pairing failure.

Your current CLI connection is authenticated with a paired-device token that does not have operator.admin. The pending request is trying to mint/restore admin-level operator access, so OpenClaw refuses to let a lower-scope token approve it.

Do this from the machine/account that owns the Gateway, using the shared Gateway token/password path:

openclaw devices approve --latest

That previews the newest pending request. Then approve the exact current requestId it prints. In your diagnosis the current one looks like 5c226471-9c59-4f44-830c-af7e94d037f7, not the older ab719... one:

openclaw devices approve 5c226471-9c59-4f44-830c-af7e94d037f7 --token "$OPENCLAW_GATEWAY_TOKEN"

If your Gateway uses password auth instead: