[Bug]: Agent-to-node commands fail with persistent "device token mismatch" after upgrade to 2026.2.14 on Windows

[rpelizza]

Summary

After upgrading to OpenClaw 2026.2.14 on Windows, the gateway starts successfully and listens on port 18789, but all CLI probes and agent-to-node command invocations fail with:

gateway closed (1008): unauthorized: device token mismatch (rotate/reissue device token)

The node appears as paired in openclaw nodes status, but the internal agent backend cannot authenticate to the gateway to invoke node commands (e.g., camera_snap). The device identity system seems to cache stale token data that survives all manual reset attempts.

Steps to Reproduce

1. Have a working OpenClaw setup on Windows 11 (gateway + node, both running as Scheduled Tasks)
2. Upgrade to OpenClaw 2026.2.14
3. Run openclaw gateway status → fails with "device token mismatch"
4. Run openclaw nodes status → node shows "paired · disconnected"
5. Try to invoke any node command via the agent (e.g., camera snap via Telegram) → fails with:

   gateway closed (1008): unauthorized: device token mismatch (rotate/reissue device token)
   

What Was Tried (All Failed)

1. Ran openclaw doctor --fix — updated config, rotated gateway token, but token mismatch persisted
2. Deleted ~/.openclaw/identity/device-auth.json — CLI re-created it with new tokens, but gateway's internal state still held old ones
3. Deleted ~/.openclaw/identity/device.json (full key pair reset) — gateway repopulated paired.json with stale cached data
4. Emptied ~/.openclaw/devices/paired.json and pending.json — gateway immediately repopulated them from an internal cache on restart
5. Set OPENCLAW_GATEWAY_TOKEN as a system environment variable — node reconnected temporarily, but device token mismatch persisted for the agent backend
6. Added gateway token directly to node.json — node connected but gateway itself crashed
7. Killed all gateway processes and restarted clean — same error after restart
8. Multiple full reboots — error persists across reboots

Root Cause Hypothesis

The gateway maintains an internal cache/store of paired device entries that is not cleared when the on-disk identity files (device.json, device-auth.json, paired.json) are deleted or emptied. On restart, the gateway repopulates these files from its internal state, making it impossible to break out of the stale token cycle.

When the CLI or agent backend re-creates device-auth.json (with new tokens after deletion), the gateway's cached entries still contain the old tokens, causing a permanent mismatch.

Expected Behavior

• Deleting device identity files and restarting the gateway should result in a clean re-pairing flow
• openclaw doctor --fix should synchronize all token references (gateway config, device-auth, paired.json, and internal cache)
• The agent backend should be able to authenticate and invoke node commands after a successful node pairing

Actual Behavior

• Gateway repopulates paired.json from cache, ignoring file deletions
• Token mismatch is permanent and survives all manual reset attempts
• Node shows as "paired" but agent cannot invoke any node commands
• openclaw gateway status always reports: gateway closed (1008): unauthorized: device token mismatch

Current Status Output

$ openclaw gateway status
gateway connect failed: Error: unauthorized: device token mismatch (rotate/reissue device token)
Service: Scheduled Task (registered)
Runtime: stopped (state Running)
RPC probe: failed
Port 18789 is already in use (pid listening on 127.0.0.1:18789)

$ openclaw nodes status
Known: 1 · Paired: 1 · Connected: 0
Node df84a616... → paired · disconnected

Workaround

None found. Core features (Telegram messaging, memory, cron) continue to work. Only node command execution is broken.

Environment

• OpenClaw version: 2026.2.14
• OS: Windows 11 Home (Build 26200)
• Node.js: v22.16.0
• Setup: Gateway + Node on same machine (localhost), both as Scheduled Tasks
• Connection: Loopback (127.0.0.1:18789)

[robbyczgw-cla]

This sounds like the same root cause I just debugged on Linux — a stale OPENCLAW_GATEWAY_TOKEN environment variable baked into the service definition.

On Linux it was in the systemd service file. On Windows, check your Scheduled Task for an OPENCLAW_GATEWAY_TOKEN environment variable with an old token value (possibly from the Clawdbot/Moltbot era).

You can check with PowerShell:

Get-ScheduledTask | Where-Object {$_.TaskName -like '*openclaw*' -or $_.TaskName -like '*clawdbot*'} | ForEach-Object { $_.Actions }

Look for any environment variables or arguments passing an old token. Remove/update it and restart the gateway.

The gateway prioritizes the env var over the config file token, so even if your config is correct, the stale env var causes the mismatch. Pre-2026.2.14 the validation was lenient enough that this didn't matter — the stricter auth in 2026.2.14 exposed it.

See also my comment on #16820: #16820 (comment)

[vandaimer]

@robbyczgw-cla -

Having your comment, I did the following to fix, but of course, I want to know the proper fix, this looks a workaround.

Steps:

• Opened ~/.config/systemd/user/openclaw-gateway.service
• Duplicate Environment=OPENCLAW_GATEWAY_TOKEN= and added the token from ~/.openclaw/openclaw.json

Example:

• In ~/.openclaw/openclaw.json, gateway -> auth -> token (copy this token)
• Duplicate the line Environment=OPENCLAW_GATEWAY_TOKEN on ~/.config/systemd/user/openclaw-gateway.service and add the token copied before.

Again, I don't know if the proper fix is removing Environment=OPENCLAW_GATEWAY_TOKEN line from ~/.config/systemd/user/openclaw-gateway.service or what I have done.

[steipete]

Closing as duplicate of #17223.

This is the same service/config token-drift device_token_mismatch family (stale OPENCLAW_GATEWAY_TOKEN in service/task env overriding current config token). Please continue tracking in #17223.