[Bug]: Gateway local CLI stuck in pairing required loop for some commands (devices OK, status/cron blocked)

[jhartshorn]

Summary

Local Telegram DMs and the TUI work, and openclaw devices list --json works after manual device scope fixes, but some CLI commands (e.g. openclaw status --deep, openclaw cron …) still fail.

Steps to reproduce

1. Initial state:

• Telegram DM conversations working.
• openclaw tui reported gateway connect failed: pairing required.
• All CLI talks to the gateway (openclaw devices list, openclaw cron list, etc.) failed with the same pairing required error.

2. Inspection of device state:

Files under ~/.openclaw/devices and ~/.openclaw/identity showed:

• A paired device for the TUI:

{
"deviceId": "efe3…bf3b",
"publicKey": "QMSXJ5…",
"displayName": "openclaw-tui",
"platform": "linux",
"clientId": "gateway-client",
"clientMode": "ui",
"role": "operator",
"roles": ["operator"],
"scopes": ["operator.admin"],
"tokens": {
"operator": {
"token": "…",
"role": "operator",
"scopes": ["operator.admin"],
"createdAtMs": 1771620739860
}
}
}

• A paired device for the CLI:

{
"deviceId": "def4…3ce0",
"publicKey": "nGVRdZl…",
"platform": "linux",
"clientId": "cli",
"clientMode": "probe",
"role": "operator",
"roles": ["operator"],
"scopes": ["operator.admin"],
"tokens": {
"operator": {
"token": "…",
"role": "operator",
"scopes": ["operator.admin"],
"createdAtMs": 1771620724590
}
}
}

• A pending device request for the same CLI device but with lower scopes:

{
"requestId": "7b61…8219d",
"deviceId": "def4…3ce0",
"publicKey": "nGVRdZl…",
"platform": "linux",
"clientId": "gateway-client",
"clientMode": "backend",
"role": "operator",
"roles": ["operator"],
"scopes": ["operator.read"],
"silent": false,
"isRepair": true,
"ts": 1771621234176
}

This fits the pattern: an existing device with admin scopes, plus a repair request trying to upgrade (or downgrade) scopes, which resulted in pairing required for CLI connections.

3. Manual alignment fix (what we did by hand):

• Updated ~/.openclaw/devices/paired.json so both the CLI and TUI devices had:

"scopes": [
"operator.admin",
"operator.approvals",
"operator.pairing"
]

• Updated ~/.openclaw/identity/device-auth.json to match, e.g.:

{
"version": 1,
"deviceId": "def4…3ce0",
"tokens": {
"operator": {
"token": "_L9nSY…",
"role": "operator",
"scopes": [
"operator.admin",
"operator.approvals",
"operator.pairing"
],
"updatedAtMs": 1771621326582
}
}
}

• Cleared pending.json to {}.
• Restarted gateway.

4. After that manual fix:

• openclaw devices list --json now works and returns:

{
"pending": [],
"paired": [
{
"deviceId": "efe3…bf3b",
"clientId": "gateway-client",
"clientMode": "ui",
"scopes": [
"operator.admin",
"operator.approvals",
"operator.pairing"
]
},
{
"deviceId": "def4…3ce0",
"clientId": "cli",
"clientMode": "cli",
"scopes": [
"operator.admin",
"operator.approvals",
"operator.pairing"
]
}
]
}

• openclaw tui connects correctly.
• openclaw security audit (non‑deep) works.
• openclaw update status works.

5. But some CLI commands still fail with pairing required:

• openclaw status --deep
• Anything that seems to use a “backend/probe” identity (status probes, cron CLI) still yields:

gateway connect failed: Error: pairing required
[openclaw] Failed to start CLI: Error: gateway closed (1008): pairing required
Gateway target: ws://127.0.0.1:18789
Source: local loopback

So it looks like some CLI subcommands are connecting as a different internal client identity (e.g. gateway-client with clientMode: backend and only operator.read), which remains unpaired or under‑scoped, even though the main CLI/TUI devices are now fully paired.

Expected behavior

• Once a local device is paired and has admin scopes, all CLI commands from that host should either:
• reuse that device identity and token, or
• present a clear prompt / pairing code that can be approved with openclaw devices approve.
• In particular:
• openclaw status --deep
• openclaw cron list/add
should not get stuck in a pairing required loop when openclaw devices list --json and the TUI are already working.

Actual behavior

• openclaw devices list --json and TUI work after fixing device scopes.
• Some deeper CLI operations (status --deep, cron) still fail with pairing required, suggesting they use a different device identity than the one stored in device-auth.json and devices/paired.json.

OpenClaw version

2026.2.19-2

Operating system

Ubuntu 24.04

Install method

Pnpm stable

Logs, screenshots, and evidence

Impact and severity

• It prevents using the built‑in cron scheduler for nightly security audits and update checks.
• It creates a confusing situation where pairing looks “healthy” (devices list OK, TUI OK) but parts of the CLI are still blocked.

Additional information

No response

[stormk90]

🛠️ Deep CLI Fix: Aligning "Backend" Identities

This is an excellent breakdown. You've identified the "Multi-Identity" problem: OpenClaw uses different clientMode profiles for different tasks. While you fixed the ui and cli identities, the backend identity (used for probes and cron) is likely still trapped in a scope-mismatch loop.

Since you've already proven you can handle manual JSON editing, here is the final fix to align the "Backend/Probe" identity and stop the persistent pairing required on deep commands:

Identify the "Backend" Device ID

Run your working: openclaw devices list --json
Look for any device with clientMode: "backend".

Annotation: We used these commands to catch the token mismatch between the CLI and the background service:

To see the CLI token: python3 -c "import json; c=json.load(open('$HOME/.openclaw/openclaw.json')); print(c['gateway']['auth']['token'])"

To see the Service token: grep OPENCLAW_GATEWAY_TOKEN ~/.config/systemd/user/openclaw-gateway.service

The "Nuclear" Alignment (Manual Sync)

To fix status --deep and cron, you need to ensure the CLI's internal auth file has the exact same scopes you injected into the Gateway.

Edit your local CLI auth file: nano ~/.openclaw/identity/device-auth.json

Ensure that EVERY entry inside the "tokens" object has the full admin triad:
"scopes": [
"operator.admin",
"operator.approvals",
"operator.pairing"
]

Forcing the Backend Identity

If cron or status --deep still fails, force the CLI to re-pair the backend mode while you have the TUI open:

Open your working OpenClaw TUI.

In your terminal, run: openclaw status --deep

If it generates a Pairing Code, use your terminal to approve it: openclaw pairing approve telegram YOUR_CODE

Why this happens (The "Ghost" Bug)

In version 2026.2.19-2, loopback (127.0.0.1) is incorrectly flagged as a "remote" host. We confirmed this by checking the logs for auto-approval failures:

Command: grep -i "approve" /tmp/openclaw/openclaw-2026-02-20.log | tail -n 5

Final Tip: After syncing the scopes in both devices/paired.json and identity/device-auth.json, restart the user service:
systemctl --user restart openclaw-gateway.service

This is AI generated translation. Sorry don't speak english :)

[vignesh07]

Fixed in main.

This was part of the same operator-scope compatibility gap in gateway/device-auth checks. Devices paired with operator.admin could still be challenged for operator.pairing/operator.approvals scope paths used by some CLI commands.

Shipped in commit 55d492b:

• treat operator.admin as satisfying operator.* during auth scope checks
• added targeted regression coverage

Thanks for the excellent reproduction details, @jhartshorn.

[jhartshorn]

Thanks @stormk90 - this was spot on and really helpful.

What fixed it for us:

1. Verified paired devices (openclaw devices list --json) and confirmed no backend identity was paired.
2. Triggered backend/probe path with openclaw status --deep.
3. Approved the resulting backend pairing request via openclaw devices approve --latest
4. Restarted openclaw-gateway.service.
5. Re-tested openclaw status --deep — now working.

Appreciate the clear diagnosis and practical steps.

Thanks for the fix @vignesh07 - happy my bot and I could help.