v2026.3.2: gateway auth.mode=token rejects valid gateway token (token_mismatch) after reboot

[calvinmoltbot]

Summary

After upgrading to OpenClaw v2026.3.2, gateway token auth appears broken in one environment: when gateway.auth.mode is token, connection attempts fail with token_mismatch even when using the configured gateway token.

As a temporary workaround, setting auth to none works (gateway is loopback-only in this case).

Environment

• OpenClaw version: 2026.3.2
• Host: macOS (Mac mini)
• Client: openclaw tui from another machine (MacBook)
• Gateway reachable and otherwise functional
• Issue started after reboot (was working before the upgrade/reboot)

Expected behavior

When gateway.auth.mode = "token", the gateway should accept the configured token from:

• --token CLI flag
• OPENCLAW_GATEWAY_TOKEN env var
• config token in openclaw.json

Actual behavior

All tested combinations fail with auth token mismatch / token_mismatch.
Only auth.mode = "none" (or equivalent no-auth mode) allows connection.

What was tested

• Explicit openclaw tui --token <gateway-token>
• OPENCLAW_GATEWAY_TOKEN=<same-token>
• Matching token value across local config/state files (openclaw.json, plist env, and local identity files)
• Repeated restarts after changes

Result: token-based auth still rejected.

Logs / signals

Observed errors include:

• gateway token mismatch
• token_mismatch
• In some paths, AUTH_DEVICE_TOKEN_MISMATCH surfaced in UI diagnostics while auth mode was set to token.

Notes

There may be an interaction/regression between shared token auth and stored device token fallback/selection after reboot in v2026.3.2.

If useful, we can provide sanitized logs and a minimal repro config.

[mdlmarkham]

Triage: Token Auth Regression After Reboot

Severity: P1 — Auth blocking, workaround exists (auth.mode: none)

Hypothesis

The issue description mentions:

"Issue started after reboot (was working before the upgrade/reboot)"

Combined with:

"AUTH_DEVICE_TOKEN_MISMATCH surfaced in UI diagnostics while auth mode was set to token"

This suggests a stored device token is being selected instead of the gateway token after reboot.

Suspected Code Path

1. v2026.3.2 changed token selection logic
2. On reboot, stored device tokens may be loaded from state files
3. Auth flow compares provided token against stored device tokens first
4. Gateway token is never matched because device token takes priority

Investigation Steps

For reporter (@calvinmoltbot):

1. Check stored tokens on disk:

   # Find all token-related state files
   find ~/.openclaw -name "*.json" -exec grep -l "token" {} \;
   
   # Check for device token files
   ls -la ~/.openclaw/devices/

2. Compare token values:

   # Configured gateway token
   jq '.gateway.token' ~/.openclaw/openclaw.json
   
   # Any stored device tokens
   jq '.token' ~/.openclaw/devices/*.json

3. Try with explicit token file deletion:

   rm -rf ~/.openclaw/devices/
   # Restart gateway and retry

For developers:

The token mismatch path likely goes through:

• src/auth/gateway-token-validate.ts (or similar)
• src/auth/device-token.ts

Need to verify:

• Token precedence order when multiple tokens exist
• Whether v2026.3.2 changed the precedence logic
• If device token fallback should even apply when auth.mode: token

Workaround

Until fixed:

{
  "gateway": {
    "auth": { "mode": "none" }
  }
}

Only safe if gateway is loopback-only (no external network exposure).

---

cc: @mdlmarkham for visibility (auth regression)

[steipete]

Closing as fixed by the landed gateway auth/token drift work on main.

Relevant commits:

• 265367d99
• 8ca326caa
• 3a74dc00b

The service-side fix here was stopping plaintext gateway tokens from being serialized into gateway service units, treating tokenless service env as canonical, and repairing stale embedded tokens during doctor/configure/install flows. The UI-side fixes also stopped cached device-token/auth retry loops from masking the recovery.

If someone can still reproduce this on current main after reinstalling the gateway service, please open a fresh issue with the exact auth mode and install path.

[joshavant]

Thanks again for the report and for helping us track this down.

This has now been addressed by #39241, which consolidated the gateway auth-resolution fixes across Discord/node-host/systemd and related regression coverage.

Marking this as superseded by #39241, and we appreciate the detailed report.