Skip to content

[Bug]: gateway connect failed: Error: unauthorized: device token mismatch (rotate/reissue device token) #18475

New issue
New issue
Open
#18498
Open
[Bug]: gateway connect failed: Error: unauthorized: device token mismatch (rotate/reissue device token)#18475
#18498
Labels
bugSomething isn't working
@igmarketing

Description

@igmarketing
igmarketing
opened on Feb 16, 2026

Summary

After adding EnvironmentFile= entries (systemd user override) to inject per-workspace secrets from /etc/openclaw/secrets/*.env into the openclaw-gateway service, openclaw gateway status begins reporting an auth error:

unauthorized: device token mismatch (rotate/reissue device token)

However, the gateway continues to run normally: the dashboard loads, and other CLI commands (e.g., openclaw status, openclaw doctor) show no errors. This looks like a false-positive limited to openclaw gateway status’s RPC probe.

Steps to reproduce

  1. Create secrets directory and placeholder env files (use dummy names):

    • /etc/openclaw/secrets/agent1.env
    • /etc/openclaw/secrets/agent2.env
    • etc.

    Example (dummy placeholders only):

    sudo mkdir -p /etc/openclaw/secrets

sudo tee /etc/openclaw/secrets/agent1.env > /dev/null << 'EOF'
# Example placeholders
# SOME_API_KEY=your_key_here
EOF

sudo tee /etc/openclaw/secrets/agent2.env > /dev/null << 'EOF'
# Example placeholders
EOF

sudo chmod 600 /etc/openclaw/secrets/*.env
sudo chown root:openclaw /etc/openclaw/secrets/*.env

  2. Create a systemd user override for the gateway to load these secrets:

    mkdir -p ~/.config/systemd/user/openclaw-gateway.service.d

cat > ~/.config/systemd/user/openclaw-gateway.service.d/secrets.conf << 'EOF'
[Service]
EnvironmentFile=/etc/openclaw/secrets/agent1.env
EnvironmentFile=/etc/openclaw/secrets/agent2.env
EOF

  3. Reload systemd user units and restart the gateway:

    systemctl --user daemon-reload
openclaw gateway restart

  4. Run:

    openclaw gateway status

Expected behavior

  • openclaw gateway status should report a healthy running gateway and a successful RPC probe (or at minimum, not report an auth failure) when:

    • the gateway is running,
    • the dashboard is reachable,
    • and other CLI health checks (openclaw status, openclaw doctor) pass.

Actual behavior

  • openclaw gateway status reports the gateway is running, but the RPC probe fails with:

    • unauthorized: device token mismatch (rotate/reissue device token)
    • and gateway closed (1008): unauthorized: device token mismatch ...

  • At the same time:

    • Dashboard is accessible at http://127.0.0.1:<port>/
    • openclaw status works
    • openclaw doctor works
    • Overall system appears functional

  • This suggests the status command’s probe/auth handshake is detecting a mismatch only after adding EnvironmentFile= overrides (even if the gateway continues serving normally).

OpenClaw version

2026.2.15

Operating system

Linux Mint 22.3

Install method

npm global

Logs, screenshots, and evidence



Impact and severity


No response


Additional information


No response
Metadata
Metadata
Assignees
No one assigned
    Labels
    bugSomething isn't working
    Type
    No type
    Projects
    No projects
    Milestone
    No milestone
    Relationships
    None yet
    Development
    No branches or pull requests
    Issue actions