[Bug]: device-auth.json tokens never persist on macOS — CLI always gets "device token mismatch"

[ctbritt]

Summary

On macOS, device-auth.json tokens are reset to {} on every CLI invocation, causing all commands (including oc tui, openclaw devices list, openclaw gateway status) to fail with unauthorized: device token mismatch (rotate/reissue device token). The gateway is healthy and the device is correctly paired server-side (devices/paired.json has the token), but the client-side auth file never retains the token.

This is a catch-22: you can't run openclaw devices approve or openclaw devices rotate because those commands also require device-identity auth to connect to the gateway.

Steps to reproduce

1. Completely remove OpenClaw:

   launchctl bootout gui/501/ai.openclaw.gateway
   pkill -9 -f "openclaw"
   npm uninstall -g openclaw
   rm -rf ~/.openclaw /tmp/openclaw ~/Library/LaunchAgents/ai.openclaw.gateway.plist

2. Fresh install:

   npm install -g openclaw@2026.2.19
   openclaw onboard

3. Complete onboarding (gateway starts, Anthropic auth configured).

4. Verify gateway is running:

   openclaw gateway status
   # Shows: Runtime: running, RPC probe: ok (when using static token)

5. Attempt to connect:

   oc tui
   # FAILS: unauthorized: device token mismatch (rotate/reissue device token)

6. Inspect the files:

   cat ~/.openclaw/identity/device-auth.json
   # Shows: { "version": 1, "deviceId": "...", "tokens": {} }
   
   cat ~/.openclaw/devices/paired.json
   # Shows: device IS paired with a valid operator token

The token exists in paired.json (server-side) but device-auth.json (client-side) always has "tokens": {}.

Key observations

• Manually writing tokens to device-auth.json does not work. The CLI binary resets the file to "tokens": {} on every invocation before attempting to connect.
• The gateway itself is healthy. The static token auth path works perfectly — oc tui --token <gateway-auth-token> connects immediately.
• OPENCLAW_GATEWAY_TOKEN env var works as a workaround. Setting this env var makes all CLI commands use static token auth instead of device-identity auth.
• The bug survives full nuke-and-reinstall. Three complete wipe-and-reinstall cycles across three versions all produce the same result.
• Connecting via Control UI (browser) or --token flag DOES populate paired.json server-side, but the client-side device-auth.json is never written.
• openclaw gateway install --force may be involved. One of the early observations was that this command appeared to reset device-auth.json to empty tokens.

Expected behavior

Expected behavior

After openclaw onboard completes and the gateway is running, the CLI should be able to connect using device-identity auth. device-auth.json should contain the operator token matching the entry in devices/paired.json.

Actual behavior

Actual behavior

device-auth.json tokens are always {}. Every CLI command fails with:

gateway connect failed: Error: unauthorized: device token mismatch (rotate/reissue device token)
Gateway target: ws://127.0.0.1:18789
Source: local loopback

OpenClaw version

All exhibit identical behavior: - 2026.2.17 (beta channel) - 2026.2.19 (stable) - 2026.2.19-2 (stable)

Operating system

macOS 26.3

Install method

npm install -g openclaw

Logs, screenshots, and evidence

Impact and severity

Severity: High / P1
This is a complete authentication failure that makes the CLI unusable out of the box on macOS. Every fresh install is broken. The impact:

• 100% of macOS fresh installs are affected — tested across three versions (2.17, 2.19, 2.19-2), all identical behavior
• All CLI commands are blocked — not just oc tui, but openclaw devices list, openclaw status, openclaw doctor, everything that connects to the gateway
• Self-healing commands are also broken — openclaw devices approve, openclaw devices rotate can't run because they need the same auth that's broken. It's a catch-22 with no CLI-based escape.
• Onboarding completes without error but leaves the system in a broken state — there's no indication to the user that anything went wrong
• The workaround is non-obvious — setting OPENCLAW_GATEWAY_TOKEN env var requires understanding the static token auth path, which isn't documented as a fallback for device-identity failures

It's not critical/P0 because the workaround exists and data loss isn't involved. But for any new macOS user who installs OpenClaw and tries to use it, the first experience is a wall of device token mismatch errors with no clear path forward.

Additional information

Workaround

Store the static gateway auth token from openclaw.json → gateway.auth.token as an environment variable:

export OPENCLAW_GATEWAY_TOKEN="<your-gateway-auth-token>"

All CLI commands then use static token auth and bypass the broken device-identity layer.

Not the same as #18475 / #18498

Those issues are about the gateway status probe not inheriting systemd EnvironmentFile vars on Linux. This bug is macOS-specific, affects ALL CLI commands (not just the probe), and is caused by device-auth.json tokens never being persisted — not by environment variable mismatch.

[nikolasdehor]

Can confirm this is happening on macOS as well — Darwin 25.3.0, arm64, tested across v2026.2.17 and v2026.2.19.

I've been running OpenClaw as a WhatsApp gateway with multi-model fallback (Codex -> Gemini Flash -> Anthropic Opus). My auth setup uses a combination of:

• OAT (long-lived) tokens for Anthropic, pasted via openclaw models auth paste-token
• OAuth refresh tokens for Codex
• Gateway-managed auth stored in ~/.openclaw/agents/main/agent/auth-profiles.json

I've never been able to get device-identity auth to work reliably on macOS. I've always had to fall back to OPENCLAW_GATEWAY_TOKEN or --token for CLI commands. I assumed it was something specific to my setup, but this report makes it clear it's a systemic issue.

A few questions:

1. Does this affect gateway-managed tokens in auth-profiles.json, or only CLI device tokens in device-auth.json? In my case, the gateway itself authenticates to model providers fine (auth-profiles.json is intact), but CLI-to-gateway auth via device identity has always been broken.

2. Is gateway install --force a contributing factor? I've noticed that gateway install rewrites the plist and can reset auth state. I've been using launchctl bootout gui/501/ai.openclaw.gateway && launchctl bootstrap gui/501 ~/Library/LaunchAgents/ai.openclaw.gateway.plist to restart without running gateway install, specifically to avoid auth file resets. Could this be related to the device-auth.json wipe?

3. Is there a file-locking or atomicity issue? On macOS, if the CLI reads device-auth.json, finds no token, then writes {} back — and this races with the onboarding process that's trying to write the actual token — you'd get exactly this behavior. The fact that you see it on every invocation suggests the write path might be unconditionally resetting the file before the read path can use it.

The OPENCLAW_GATEWAY_TOKEN workaround is solid and has been reliable for me, but I agree this is P1 — new users hitting this on first launch with zero guidance is a terrible first experience.

[vignesh07]

Fixed in main.

Two related fixes landed:

1. Commit 55d492b

• operator.admin now satisfies operator.* device-auth scope checks
• prevents repeated pairing/auth churn on pairing/approval-scoped command paths

2. Commit 483c464

• repair pairing approvals that omit scopes no longer rotate tokens to empty scope sets
• preserves approved scope baseline for existing device tokens

Together these close the token-scope regression path that can lead to repeated local auth failures.

Thanks for the detailed report, @ctbritt.