Subagent spawn fails with pairing required when gateway TLS is enabled (Docker)

[cnavarro]

Bug: Subagent spawn fails with "pairing required" when gateway uses TLS

Environment

• OpenClaw version: 2026.2.19-2
• Platform: Docker (Linux x64)
• Gateway config: mode: "local", bind: "lan", tls.enabled: true

Description

When gateway.tls is enabled (self-signed cert with autoGenerate: true), sessions_spawn fails because the spawned sub-agent connects to the gateway via wss:// but gets rejected with pairing required (WebSocket close code 1008).

Steps to Reproduce

1. Configure gateway with TLS:

{
  "gateway": {
    "mode": "local",
    "bind": "lan",
    "tls": { "enabled": true, "autoGenerate": true, "fingerprint": "<sha256>" },
    "auth": { "mode": "token", "token": "my-token" }
  }
}

2. Call sessions_spawn from within a session
3. Sub-agent connects to wss://<container-ip>:3000
4. Gateway closes connection with 1008: pairing required

Expected Behavior

The spawned sub-agent should inherit the parent's auth token and connect without requiring separate pairing.

Context

This is triggered by the security check that blocks ws:// to non-loopback addresses. In Docker, bind: "lan" resolves to the container bridge IP (e.g., 172.18.0.x), which is non-loopback → fails security check.

Enabling TLS solves the security check (wss:// is always allowed), but introduces the pairing issue because the sub-agent doesn't inherit auth credentials.

Workaround

None found. Without TLS, spawn fails with SECURITY ERROR. With TLS, spawn fails with pairing required.

The only scenario where spawn works is ws://127.0.0.1 (loopback), but setting bind: "loopback" breaks external access (Caddy reverse proxy, Docker port mapping).

[newcodebook]

1008: pairing required on a sessions_spawn / sub-agent WebSocket is usually the gateway telling you: “this is a new device/connection and it needs approval (or a scope upgrade)”. Enabling TLS + binding to a non-loopback address makes that much more likely.

Try this (often resolves spawn immediately):

1. On the gateway host, list pending device requests:

   openclaw devices list

2. Approve the pending request (or the most recent one):

   openclaw devices approve

3. If logs mention reason=scope-upgrade, rotate the operator token to include operator.write:

   openclaw devices rotate --device <deviceId> --role operator \
     --scope operator.read --scope operator.write

Why this helps: the gateway’s device pairing/scopes are enforced at the WebSocket layer; it’s separate from gateway.auth.token, and changes like wss:// + LAN bind can surface a new “device identity” path.

If it still fails after approval, please paste the gateway log lines around the close (openclaw logs --follow | rg -i "pairing required|scope-upgrade|sessions_spawn|devices").

Further reading:

• https://coclaw.com/troubleshooting/solutions/gateway-pairing-required-scope-upgrade/
• https://coclaw.com/troubleshooting/solutions/control-ui-pairing-required/

[Sid-Qin]

Submitted a fix in PR #30801. Backend self-connections (gateway-client from localhost with valid shared auth) now skip device pairing, allowing sessions_spawn to work when gateway.tls.enabled=true.

[vincentkoc]

Triage update for the pairing/TLS/subagent cluster:

• Canonical issue remains Subagent spawn fails with pairing required when gateway TLS is enabled (Docker) #30740.
• Canonical fix path remains fix(gateway): skip device pairing for local backend self-connections #30801.
• Network policy sibling track is fix(gateway): allow ws:// to private network addresses #28670.

I posted boundary notes on #23471, #20707, and #22226 and held duplicate closures for now because #30801 still has a failing required check. Once #30801 is accepted, we can do a single cleanup pass and close any fully-covered related issues with explicit mapping.