[Bug]: OPENCLAW_GATEWAY_TOKEN in systemd service file not updated on config change or update, causing device_token_mismatch

[cadugevaerd]

Summary

After changing gateway.auth.token in openclaw.json, the systemd service file retains the old token hardcoded in Environment=OPENCLAW_GATEWAY_TOKEN=<old_token>. Since the env var overrides the config file value, the gateway process uses a different token than what's in the config — causing device_token_mismatch for all internal tool calls (cron, sessions, etc.) and CLI connections.

Steps to reproduce

1. Install OpenClaw gateway as systemd service (openclaw gateway install)
2. Change gateway.auth.token in ~/.openclaw/openclaw.json
3. Restart gateway (systemctl --user restart openclaw-gateway)
4. Try any CLI command or wait for agent tool calls

Expected behavior

Gateway should use the token from openclaw.json. Either:

• The service file should not hardcode OPENCLAW_GATEWAY_TOKEN (read from config at runtime), or
• openclaw gateway install / openclaw update should re-sync the service file, or
• openclaw doctor should detect the mismatch and warn

Actual behavior

• Gateway uses the old token from the systemd env var
• CLI and agent backend fail with unauthorized: device token mismatch (rotate/reissue device token)
• openclaw status shows unreachable (connect failed: unauthorized: device token mismatch)
• openclaw doctor does not detect the config vs service token divergence
• The error message suggests rotating/reissuing device tokens, which does not help since the root cause is the env var override

Root cause

systemctl --user cat openclaw-gateway reveals:

Environment=OPENCLAW_GATEWAY_TOKEN=<old_token_from_install_time>

While openclaw.json has:

"gateway": { "auth": { "mode": "token", "token": "<new_token>" } }

The env var takes precedence, so the gateway authenticates against the old token internally.

Workaround

Create a systemd override to match the current config token:

mkdir -p ~/.config/systemd/user/openclaw-gateway.service.d/
cat > ~/.config/systemd/user/openclaw-gateway.service.d/override.conf << 'EOF'
[Service]
Environment=OPENCLAW_GATEWAY_TOKEN=<your_current_config_token>
EOF
systemctl --user daemon-reload
systemctl --user restart openclaw-gateway

OpenClaw version

2026.2.14

Operating system

Linux (arm64)

Install method

npm global

Impact and severity

OpenClaw is completely unusable — all agent tools (cron, exec, sessions) fail, CLI cannot connect. Only channel message relay continues working since it does not go through device auth.

[haydonryan]

Just hit this today - as my openclaw doctor reported a short token. It had 'undefinied' as the token in openclaw.json - updated it and had to hunt for the systemd service.

It would be great if you could have it use the settings from openclaw.json rather than the environment.

[dorukardahan]

Additional field validation (sanitized) from today.

This issue is still real on a current deployment, and it can produce the same device_token_mismatch symptom family as pairing bugs, but with a different root cause.

What I observed:

• paired.json was already in object-map format and had 1 paired device
• device-auth.json already had an operator token
• openclaw health and openclaw devices list could look OK
• Gateway logs still showed repeated internal failures like:
  • client=gateway-client backend vdev reason=device_token_mismatch
  • unauthorized: device token mismatch (rotate/reissue device token)

Root cause (validated without exposing token values):

• The running gateway process had OPENCLAW_GATEWAY_TOKEN in the systemd user unit environment.
• That env token had drifted from the current configured gateway.auth.token.
• Boolean check only (sanitized): config token present, env token present, TOKEN_MATCH:false.

Field fix that resolved it:

1. Sync the systemd user unit Environment=OPENCLAW_GATEWAY_TOKEN=... with the current configured gateway auth token
2. systemctl --user daemon-reload
3. systemctl --user restart openclaw-gateway.service

After syncing, internal gateway-client backend vdev mismatch logs stopped and Codex agent smoke test succeeded again.

Why this is confusing in practice:

• Pairing state can be healthy (paired.json, device-auth.json both populated)
• But internal gateway self-clients can still fail if the service env token is stale
• So it looks like a device token reissue problem, while the actual issue is token drift between config and systemd env

Related but separate from pairing-state recovery fix work: #23498 / PR #23503 (those fix pairing persistence + self-unpair behavior after mismatch, but not this env-token drift case).

Possible upstream hardening ideas:

• warn on startup when systemd env OPENCLAW_GATEWAY_TOKEN != configured gateway auth token
• avoid persisting hardcoded gateway token in service unit, or auto-sync it on token rotation/update