#Open the dashboard through SSH

I am running OpenClaw on a VPS on my tailnet. How do I access the dashboard when I don’t have the gateway token?

First, can you share openclaw --version? Version mismatches are a common cause of dashboard/auth weirdness.

For a VPS, the usual path is:

1. SSH tunnel the gateway port:

ssh -N -L 18789:127.0.0.1:18789 user@your-vps

2. Open locally:
   http://127.0.0.1:18789/

3. On the VPS, get or create the auth secret:

openclaw config get gateway.auth.token

If that returns nothing and you do not have a shared secret configured, generate one:

openclaw doctor --generate-gateway-token

Then paste that token into the dashboard auth field.

Also try this on the VPS:

openclaw dashboard

On a headless machine it should print the dashboard URL / SSH hint, and if the token is available locally it can include it via URL fragment.

If you want tokenless tailnet access, that is a different setup: use Tailscale Serve with gateway.auth.allowTailscale: true. Direct gateway.bind: "tailnet" still requires token/password auth.

Docs:
https://docs.openclaw.ai/web/dashboard

https://docs.openclaw.ai/gateway/tailscale

When I ran openclaw config get gateway.auth.token, I got the output __OPENCLAW_REDACTED__ rather than an actual token.

Yep, that redaction is intentional. openclaw config get redacts secret fields, so __OPENCLAW_REDACTED__ means “there is a token configured”, not “that is the token”.

Don’t paste the real token here. On the VPS, do one of these:

openclaw dashboard

That is the preferred path; if the token is resolvable in that shell, it can prepare the dashboard URL / auth bootstrap for you.

If you need to find where it comes from:

openclaw config file

Then inspect that file locally on the VPS and look at gateway.auth.token:

• If it is a literal string, that is the token.
• If it is ${OPENCLAW_GATEWAY_TOKEN}, the token is in that environment variable.
• If it is a SecretRef, resolve it from that secret provider, or export OPENCLAW_GATEWAY_TOKEN in the shell and rerun openclaw dashboard.

If you own the VPS and just want to replace the token, rotate it:

openclaw config set gateway.auth.token "$(openssl rand -hex 32)"
openclaw gateway restart

That will invalidate the old gateway token, so any existing clients using it need the new one.

Also still send openclaw --version when you can. Docs for this bit:
https://docs.openclaw.ai/web/dashboard
https://docs.openclaw.ai/start/faq#config-basics

brianna@brianna-space:~$ openclaw dashboard

🦞 OpenClaw 2026.5.12 (f066dd2) — Your .env is showing; don't worry, I'll pretend I didn't see it.

Dashboard URL: http://127.0.0.1:18789/
Token auto-auth included in browser/clipboard URL.
Copy to clipboard unavailable.
No GUI detected. Open from your computer:
ssh -N -L 18789:127.0.0.1:18789 brianna@100.98.128.89
Then open:
http://localhost:18789/
Docs:
https://docs.openclaw.ai/gateway/remote
https://docs.openclaw.ai/web/control-ui
Token auto-auth not delivered. Append your gateway token (from OPENCLAW_GATEWAY_TOKEN or gateway.auth.token) as a URL fragment with key `token` to authenticate.
brianna@brianna-space:~$ openclaw --version
OpenClaw 2026.5.12 (f066dd2)

Good, that version is current enough.

What happened: openclaw dashboard found enough auth info to build a tokenized browser/clipboard URL, but because this is a headless VPS it had nowhere to deliver that tokenized URL. The plain terminal URL is intentionally not useful for auth unless you append the token yourself.

Keep the tunnel running from your computer:

ssh -N -L 18789:127.0.0.1:18789 brianna@100.98.128.89

Then open:

http://localhost:18789/#token=YOUR_TOKEN_HERE

To get YOUR_TOKEN_HERE, do this on the VPS, but don’t paste the result into Discord:

printenv OPENCLAW_GATEWAY_TOKEN

If that prints nothing, find the config file:

openclaw config file

Open that file on the VPS and look at gateway.auth.token. If it is ${OPENCLAW_GATEWAY_TOKEN}, the token is coming from the env / .env setup. If it is a literal string, use that as the URL fragment.

If you don’t care about preserving the existing token, the cleanest reset is:

TOKEN="$(openssl rand -hex 32)"

openclaw config set gateway.auth.token "$TOKEN"
printf 'Open this after starting the SSH tunnel: http://localhost:18789/#token=%s
' "$TOKEN"
openclaw gateway restart

That rotates the gateway token, so anything already using the old gateway token will need the new one.

Should it look like a long hex string? I assume it will based on the fact that it can be generated by openssl rand -hex 32, but I might as well check.

Yes, if it was generated with openssl rand -hex 32, it should be a 64-character hex string: only 0-9 and a-f.

Example shape, not a real token:

4f8c...64 total hex chars...b91a

It does not have to be hex in all setups, though. If someone set gateway.auth.token manually, it can be another long secret string. The important parts are: treat it like a password, don’t paste it here, and append it exactly after #token= in the local dashboard URL.

Thanks! That worked!

Glad that worked! 🎉

If this fixed it, please right-click the solution message → Apps → ✅ Mark Solution. That helps Answer Overflow index the fix for future users.