Summary
After upgrading to 2026.2.14, the gateway rejects all CLI, WebUI, and sub-agent connections with device token mismatch, even though all config files and device-auth tokens are correct.
Root Cause
openclaw gateway install writes the current OPENCLAW_GATEWAY_TOKEN as an Environment= line in the systemd service file (~/.config/systemd/user/openclaw-gateway.service). When the gateway token is later rotated (e.g. via doctor --fix, config changes, or migration from Clawdbot/Moltbot), the systemd service file is not updated. The env var takes precedence over the config file, so the gateway uses the stale token.
Pre-2026.2.14, the token validation was lenient enough that this mismatch was silently tolerated. The stricter auth in 2026.2.14 (commit cfd1129) now correctly rejects the mismatched token, but the error message (device token mismatch) gives no hint that the root cause is a stale environment variable.
Steps to Reproduce
- Install OpenClaw (or migrate from Clawdbot/Moltbot era)
- Run
openclaw gateway install (writes token to systemd service)
- Rotate the gateway token (via config change, doctor --fix, or upgrade)
- Upgrade to 2026.2.14
openclaw gateway status → device token mismatch- All CLI, WebUI, and sub-agent connections fail
Diagnosis
# Check for stale token in systemd service
grep OPENCLAW_GATEWAY_TOKEN ~/.config/systemd/user/openclaw-gateway.service
# Compare with config
cat ~/.openclaw/openclaw.json | grep -A2 auth
# Check process environment
cat /proc/$(pgrep -f openclaw-gateway)/environ | tr '\0' '\n' | grep GATEWAY_TOKEN
Current Workaround
sed -i '/OPENCLAW_GATEWAY_TOKEN=/d' ~/.config/systemd/user/openclaw-gateway.service
systemctl --user daemon-reload
openclaw gateway stop && openclaw gateway start
Suggested Fix
When openclaw gateway install writes the service file, it should either:
- Not bake the token into the env var — let the gateway read from config at runtime
- Update the service file when the token is rotated (in
doctor --fix, token rotation, etc.)
Option 1 is simpler and eliminates the entire class of stale-token bugs.
Environment
Related
Summary
After upgrading to 2026.2.14, the gateway rejects all CLI, WebUI, and sub-agent connections with
device token mismatch, even though all config files and device-auth tokens are correct.Root Cause
openclaw gateway installwrites the currentOPENCLAW_GATEWAY_TOKENas anEnvironment=line in the systemd service file (~/.config/systemd/user/openclaw-gateway.service). When the gateway token is later rotated (e.g. viadoctor --fix, config changes, or migration from Clawdbot/Moltbot), the systemd service file is not updated. The env var takes precedence over the config file, so the gateway uses the stale token.Pre-2026.2.14, the token validation was lenient enough that this mismatch was silently tolerated. The stricter auth in 2026.2.14 (commit cfd1129) now correctly rejects the mismatched token, but the error message (
device token mismatch) gives no hint that the root cause is a stale environment variable.Steps to Reproduce
openclaw gateway install(writes token to systemd service)openclaw gateway status→device token mismatchDiagnosis
Current Workaround
Suggested Fix
When
openclaw gateway installwrites the service file, it should either:doctor --fix, token rotation, etc.)Option 1 is simpler and eliminates the entire class of stale-token bugs.
Environment
openclaw gateway installRelated