Description
The Dockerfile (line 56-58) defines a build arg NEMOCLAW_DISABLE_DEVICE_AUTH that when set to "1" disables device-pairing authentication. This is a security-sensitive configuration documented only in Dockerfile comments, not in any user-facing documentation. A user could unknowingly set this in production, creating an unauthenticated sandbox.
Impact
Users may disable authentication unintentionally due to undocumented build args.
Steps to Reproduce
- Search documentation for "NEMOCLAW_DISABLE_DEVICE_AUTH"
- Find zero results in user-facing docs
Expected Behavior
Documentation in sandbox hardening or security best practices page explaining this flag.
Actual Behavior
Only a Dockerfile comment mentions it.
Affected Page
Dockerfile (lines 56-58), docs/deployment/sandbox-hardening.md
Issue Type
Missing documentation
Suggested Fix
Recommended Fix
File to create: docs/deployment/authentication.md
# Authentication Configuration
## `dangerouslyDisableDeviceAuth`
**Location**: Set in `Dockerfile` line 110 when generating `openclaw.json`
**Default**: `True` (device auth disabled in Docker sandbox)
### What It Does
When `True`, the OpenClaw gateway skips the OAuth 2.0 Device Authorization
Grant flow. Users are NOT prompted to authenticate via browser-based
device code approval before accessing the gateway API.
### Why It's Disabled in Docker
The NemoClaw Docker sandbox has no browser. Device auth would deadlock:
the gateway prompts for browser-based approval, but no browser exists
inside the container to complete the flow.
### When to Enable (set to `False`)
Enable device auth when:
- The gateway is network-accessible (not just localhost)
- Multiple users or external clients connect to the same instance
- You need per-user audit trails
```python
# In Dockerfile or openclaw.json generation:
'dangerouslyDisableDeviceAuth': False # Require device auth
Security Implications
| Setting |
Risk |
Use Case |
True (disabled) |
Anyone with network access to the gateway can use it without auth |
Single-user local/Docker |
False (enabled) |
Requires browser-based approval; gateway generates per-device tokens |
Multi-user, external access |
Related Settings
allowInsecureAuth: True — allows HTTP (non-TLS) auth flows. Set False in production.auth.token — the gateway bearer token generated at build time (secrets.token_hex(32))trustedProxies — IPs allowed to set X-Forwarded-For headers
**Also add** inline comment in `Dockerfile` at line 110:
```dockerfile
# Device auth is disabled because the sandbox has no browser.
# For external-facing deployments, set to False and see
# docs/deployment/authentication.md for security implications.
'dangerouslyDisableDeviceAuth': True, \
Description
The Dockerfile (line 56-58) defines a build arg
NEMOCLAW_DISABLE_DEVICE_AUTHthat when set to "1" disables device-pairing authentication. This is a security-sensitive configuration documented only in Dockerfile comments, not in any user-facing documentation. A user could unknowingly set this in production, creating an unauthenticated sandbox.Impact
Users may disable authentication unintentionally due to undocumented build args.
Steps to Reproduce
Expected Behavior
Documentation in sandbox hardening or security best practices page explaining this flag.
Actual Behavior
Only a Dockerfile comment mentions it.
Affected Page
Dockerfile (lines 56-58), docs/deployment/sandbox-hardening.md
Issue Type
Missing documentation
Suggested Fix
Recommended Fix
File to create:
docs/deployment/authentication.mdSecurity Implications
True(disabled)False(enabled)Related Settings
allowInsecureAuth: True— allows HTTP (non-TLS) auth flows. SetFalsein production.auth.token— the gateway bearer token generated at build time (secrets.token_hex(32))trustedProxies— IPs allowed to setX-Forwarded-Forheaders