[Bug]: Control UI "device signature invalid" — token field mismatch between client signing and server

[reece454]

Bug type

Regression (worked before, now fails)

Summary

Bug Report: Control UI "device signature invalid" — token field mismatch between client signing and server verification

Environment

• OpenClaw version: 2026.3.7-beta.1
• Browser: Chrome (secure context, crypto.subtle available)
• Auth mode: token

Summary

The Control UI's device signature verification always fails when using shared token authentication (auth.mode: "token"), because the client signs the payload with one token value while the server reconstructs the payload with a different token value for verification. This creates a deadlock:

• dangerouslyDisableDeviceAuth: false (default) → "device signature invalid", cannot connect
• dangerouslyDisableDeviceAuth: true (workaround) → connects, but disconnects on every page refresh because no deviceToken is ever issued

Steps to Reproduce

1. Configure gateway with shared token auth:

   {
     "gateway": {
       "auth": { "mode": "token", "token": "<shared-token>" },
       "controlUi": {}
     }
   }

2. Access the Control UI dashboard via HTTPS (e.g., Codespaces port forwarding)
3. Enter the shared gateway token and click "Connect"
4. Observe: "device signature invalid" error

Root Cause Analysis

The mismatch

The signed payload includes a token field. The client and server use different values for this field:

	Code location	Token value used
Client signs with	ui/src/ui/gateway.ts line 247	deviceToken ?? null (per-device JWT from localStorage, or null on first connect)
Server verifies with	src/gateway/server/ws-connection/message-handler.ts lines 184, 200	auth.token ?? auth.deviceToken ?? null (shared gateway token, since auth.token is always set)

Detailed trace

Client side (ui/src/ui/gateway.ts, sendConnect() method):

// Line 208: authToken = shared gateway token from config/URL
let authToken = this.opts.token;

// Lines 219-225: auth object sent to server uses the SHARED token
const auth = authToken || this.opts.password
  ? { token: authToken, password: this.opts.password }
  : undefined;

// Lines 240-249: BUT the signed payload uses deviceToken (different value!)
const payload = buildDeviceAuthPayload({
  // ...
  token: deviceToken ?? null,   // ← signs with deviceToken, NOT authToken
  nonce,
});

Server side (src/gateway/server/ws-connection/message-handler.ts, resolveDeviceSignaturePayloadVersion()):

// Lines 184, 200: server reconstructs payload using auth.token (the shared token)
token: params.connectParams.auth?.token ?? params.connectParams.auth?.deviceToken ?? null,
//     ↑ this resolves to the SHARED gateway token, because client sends auth.token = shared token

Payload format (src/gateway/device-auth.ts lines 20-34):

v2|{deviceId}|{clientId}|{clientMode}|{role}|{scopes}|{signedAtMs}|{token}|{nonce}

Why the signatures never match

Scenario 1: First connect (no cached deviceToken)

Client signs:  v2|device123|...|         |nonce    (token = null → empty string)
Server builds: v2|device123|...|5d183ea5…|nonce    (token = shared gateway token)
                                 ^^^^^^^^
                                 MISMATCH → "device signature invalid"

Scenario 2: Reconnect with cached deviceToken

Client signs:  v2|device123|...|eyJhbGci…|nonce    (token = deviceToken JWT)
Server builds: v2|device123|...|5d183ea5…|nonce    (token = shared gateway token)
                                 ^^^^^^^^
                                 MISMATCH → "device signature invalid"

In both cases, auth.token (shared token) takes precedence in the server's ?? chain, but the client never signs with the shared token.

Impact: The dangerouslyDisableDeviceAuth deadlock

Because device signature verification is broken with shared token auth, users must set dangerouslyDisableDeviceAuth: true. But this creates a secondary problem:

connect-policy.ts line 31:

device: dangerouslyDisableDeviceAuth ? null : params.deviceRaw,

When enabled, the server discards the device identity entirely, which means:

• No pairing request is created
• No deviceToken is issued in hello-ok response
• The browser cannot persist any auth credential in localStorage
• Every page refresh loses the in-memory shared token → immediate disconnect

storage.ts lines 60-61:

// Gateway auth is intentionally in-memory only; scrub any legacy persisted token on load.
token: defaults.token,

The shared gateway token is intentionally not persisted in localStorage (security by design), so on page refresh it's gone. Without a deviceToken fallback, the user must re-enter the token every time.

Expected Behavior

The client and server should use the same token value when building the signature payload. Either:

1. The client should sign with the shared token (matching what the server reconstructs), or
2. The server should reconstruct the payload using the device token (matching what the client signs), or
3. The client should send the device token in auth.deviceToken so the server's ?? chain falls through correctly

Suggested Fix

In ui/src/ui/gateway.ts, the auth object construction (lines 219-225) should include deviceToken when available:

const auth = authToken || this.opts.password || deviceToken
  ? {
      token: authToken,
      deviceToken: deviceToken,     // ← ADD: send deviceToken separately
      password: this.opts.password,
    }
  : undefined;

This way, on the server side:

• auth.token = shared gateway token (for authentication)
• auth.deviceToken = the per-device JWT (for signature payload reconstruction)
• When auth.token is present, server uses it for auth; when reconstructing the signed payload, server should prefer auth.deviceToken for the token field

Alternatively, align the client signing to use the same value the server expects:

// In buildDeviceAuthPayload call:
token: authToken ?? deviceToken ?? null,   // sign with shared token if available

Gateway Config (for reference)

{
  "gateway": {
    "port": 18789,
    "mode": "local",
    "bind": "lan",
    "controlUi": {
      "dangerouslyAllowHostHeaderOriginFallback": true,
      "allowInsecureAuth": true,
      "dangerouslyDisableDeviceAuth": true
    },
    "auth": {
      "mode": "token",
      "token": "<redacted>"
    },
    "trustedProxies": ["0.0.0.0/0"]
  }
}

Steps to reproduce

Bug Report: Control UI "device signature invalid" — token field mismatch between client signing and server verification

Environment

• OpenClaw version: 2026.3.7-beta.1
• Platform: GitHub Codespaces (Linux)
• Access method: Codespaces port forwarding (https://<codespace>-18789.app.github.dev)
• Browser: Chrome (secure context, crypto.subtle available)
• Auth mode: token

Summary

The Control UI's device signature verification always fails when using shared token authentication (auth.mode: "token"), because the client signs the payload with one token value while the server reconstructs the payload with a different token value for verification. This creates a deadlock:

• dangerouslyDisableDeviceAuth: false (default) → "device signature invalid", cannot connect
• dangerouslyDisableDeviceAuth: true (workaround) → connects, but disconnects on every page refresh because no deviceToken is ever issued

Steps to Reproduce

1. Configure gateway with shared token auth:

   {
     "gateway": {
       "auth": { "mode": "token", "token": "<shared-token>" },
       "controlUi": {}
     }
   }

2. Access the Control UI dashboard via HTTPS (e.g., Codespaces port forwarding)
3. Enter the shared gateway token and click "Connect"
4. Observe: "device signature invalid" error

Root Cause Analysis

The mismatch

The signed payload includes a token field. The client and server use different values for this field:

	Code location	Token value used
Client signs with	ui/src/ui/gateway.ts line 247	deviceToken ?? null (per-device JWT from localStorage, or null on first connect)
Server verifies with	src/gateway/server/ws-connection/message-handler.ts lines 184, 200	auth.token ?? auth.deviceToken ?? null (shared gateway token, since auth.token is always set)

Detailed trace

Client side (ui/src/ui/gateway.ts, sendConnect() method):

// Line 208: authToken = shared gateway token from config/URL
let authToken = this.opts.token;

// Lines 219-225: auth object sent to server uses the SHARED token
const auth = authToken || this.opts.password
  ? { token: authToken, password: this.opts.password }
  : undefined;

// Lines 240-249: BUT the signed payload uses deviceToken (different value!)
const payload = buildDeviceAuthPayload({
  // ...
  token: deviceToken ?? null,   // ← signs with deviceToken, NOT authToken
  nonce,
});

Server side (src/gateway/server/ws-connection/message-handler.ts, resolveDeviceSignaturePayloadVersion()):

// Lines 184, 200: server reconstructs payload using auth.token (the shared token)
token: params.connectParams.auth?.token ?? params.connectParams.auth?.deviceToken ?? null,
//     ↑ this resolves to the SHARED gateway token, because client sends auth.token = shared token

Payload format (src/gateway/device-auth.ts lines 20-34):

v2|{deviceId}|{clientId}|{clientMode}|{role}|{scopes}|{signedAtMs}|{token}|{nonce}

Why the signatures never match

Scenario 1: First connect (no cached deviceToken)

Client signs:  v2|device123|...|         |nonce    (token = null → empty string)
Server builds: v2|device123|...|5d183ea5…|nonce    (token = shared gateway token)
                                 ^^^^^^^^
                                 MISMATCH → "device signature invalid"

Scenario 2: Reconnect with cached deviceToken

Client signs:  v2|device123|...|eyJhbGci…|nonce    (token = deviceToken JWT)
Server builds: v2|device123|...|5d183ea5…|nonce    (token = shared gateway token)
                                 ^^^^^^^^
                                 MISMATCH → "device signature invalid"

In both cases, auth.token (shared token) takes precedence in the server's ?? chain, but the client never signs with the shared token.

Impact: The dangerouslyDisableDeviceAuth deadlock

Because device signature verification is broken with shared token auth, users must set dangerouslyDisableDeviceAuth: true. But this creates a secondary problem:

connect-policy.ts line 31:

device: dangerouslyDisableDeviceAuth ? null : params.deviceRaw,

When enabled, the server discards the device identity entirely, which means:

• No pairing request is created
• No deviceToken is issued in hello-ok response
• The browser cannot persist any auth credential in localStorage
• Every page refresh loses the in-memory shared token → immediate disconnect

storage.ts lines 60-61:

// Gateway auth is intentionally in-memory only; scrub any legacy persisted token on load.
token: defaults.token,

The shared gateway token is intentionally not persisted in localStorage (security by design), so on page refresh it's gone. Without a deviceToken fallback, the user must re-enter the token every time.

Expected Behavior

The client and server should use the same token value when building the signature payload. Either:

1. The client should sign with the shared token (matching what the server reconstructs), or
2. The server should reconstruct the payload using the device token (matching what the client signs), or
3. The client should send the device token in auth.deviceToken so the server's ?? chain falls through correctly

Suggested Fix

In ui/src/ui/gateway.ts, the auth object construction (lines 219-225) should include deviceToken when available:

const auth = authToken || this.opts.password || deviceToken
  ? {
      token: authToken,
      deviceToken: deviceToken,     // ← ADD: send deviceToken separately
      password: this.opts.password,
    }
  : undefined;

This way, on the server side:

• auth.token = shared gateway token (for authentication)
• auth.deviceToken = the per-device JWT (for signature payload reconstruction)
• When auth.token is present, server uses it for auth; when reconstructing the signed payload, server should prefer auth.deviceToken for the token field

Alternatively, align the client signing to use the same value the server expects:

// In buildDeviceAuthPayload call:
token: authToken ?? deviceToken ?? null,   // sign with shared token if available

Current Workaround

A Tampermonkey userscript that injects #token=<shared-token> into the URL on every page load (@run-at document-start), before the app's <script type="module"> executes. The app reads the token from the URL hash in applySettingsFromUrl(), re-establishing the connection on each refresh.

Gateway Config (for reference)

{
  "gateway": {
    "port": 18789,
    "mode": "local",
    "bind": "lan",
    "controlUi": {
      "dangerouslyAllowHostHeaderOriginFallback": true,
      "allowInsecureAuth": true,
      "dangerouslyDisableDeviceAuth": true
    },
    "auth": {
      "mode": "token",
      "token": "<redacted>"
    },
    "trustedProxies": ["0.0.0.0/0"]
  }
}

Expected behavior

The client and server should use the same token value when building the signature payload. Either:

1. The client should sign with the shared token (matching what the server reconstructs), or
2. The server should reconstruct the payload using the device token (matching what the client signs), or
3. The client should send the device token in auth.deviceToken so the server's ?? chain falls through correctly

Actual behavior

dangerouslyDisableDeviceAuth: false=》device signature invalid
dangerouslyDisableDeviceAuth: true=》"device identity required" on every page refresh, must re-enter gateway token to reconnect

OpenClaw version

2026.3.7-beta.1

Operating system

Ubuntu 24.04.3 LTS

Install method

No response

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

No response

[qiuyuemartin-max]

Issue #39667 Root Cause Analysis & Fix

Problem

Control UI device signature verification fails with "device signature invalid" error when using shared token authentication (gateway.auth.mode: "token").

Root Cause

The Token Mismatch

Client and server use DIFFERENT token values when building/verifying the device signature payload:

Component	Token Used	Location
Client signs with	authToken (could be shared token OR deviceToken)	ui/src/ui/gateway.ts line 219
Server verifies with	auth.token ?? auth.deviceToken (always gets shared token first)	src/gateway/server/ws-connection/message-handler.ts lines 184, 200

Detailed Flow

Scenario 1: First connection (no cached deviceToken)

1. Client: authToken = shared gateway token (no storedToken yet)
2. Client: signs payload with token = authToken = shared token
3. Client: sends auth.token = shared token (no auth.deviceToken)
4. Server: rebuilds payload with token = auth.token = shared token
5. Result: ✅ Signature matches (both use shared token)

Wait, this should work! But the Issue reporter says it doesn't. Let me re-read...

Ah! The Issue says the client signs with deviceToken ?? null (line 247), but the CURRENT code (line 219) uses authToken!

This means the code was partially fixed, but the fix is incomplete or incorrect.

The Real Problem

Current behavior (WRONG):

1. Client: authToken = storedToken ?? this.opts.token (line 189)
2. Client: signs with token: authToken (line 219)
3. Client: sends auth.token = authToken (line 193)
4. Server: rebuilds with token: auth.token ?? auth.deviceToken (line 184)

When storedToken exists:

• Client: authToken = storedToken (deviceToken)
• Client: signs with deviceToken
• Client: sends auth.token = deviceToken ❌ WRONG! Should send separate fields
• Server: rebuilds with auth.token (gets deviceToken)
• Result: ✅ Matches (both use deviceToken)

When storedToken does NOT exist (fresh install):

• Client: authToken = this.opts.token (shared token)
• Client: signs with shared token
• Client: sends auth.token = shared token
• Server: rebuilds with auth.token (gets shared token)
• Result: ✅ Matches (both use shared token)

So why does the Issue reporter see failures?

The Missing Piece

The Issue mentions Codespaces / HTTPS forwarding. This triggers:

1. User enters shared token in URL: #token=<shared-token>
2. First connect: no storedToken yet
3. Client: authToken = this.opts.token (shared token)
4. Client: signs with shared token
5. Server: accepts, issues deviceToken in response
6. Client: stores deviceToken in localStorage
7. Page refresh / navigation: lose in-memory shared token
8. Second connect: storedToken = deviceToken exists
9. Client: authToken = storedToken (deviceToken)
10. Client: signs with deviceToken
11. Client: sends auth.token = deviceToken ❌ Server expects SHARED token for auth!
12. Server: auth fails because deviceToken is not the shared token

The Correct Solution

Separate authentication token from signature token:

1. Client sends BOTH:

   • auth.token = shared token (for authentication)
   • auth.deviceToken = deviceToken (for signature verification)

2. Client signs with:

   • token: deviceToken ?? null (consistent signature payload)

3. Server uses:

   • auth.token for authentication (shared token)
   • auth.deviceToken ?? null for signature verification

This way:

• ✅ Authentication always uses shared token (when configured)
• ✅ Signature always uses deviceToken (when available)
• ✅ First connect (no deviceToken): signs with null, server rebuilds with null
• ✅ Subsequent connects: signs with deviceToken, server rebuilds with deviceToken
• ✅ Page refresh doesn't break because deviceToken is persisted in localStorage

Solution Implementation

Changes

1. Separate authToken and deviceToken variables

let authToken = this.opts.token;  // For authentication
let deviceToken: string | null = null;  // For signature

if (isSecureContext) {
  const storedToken = loadDeviceAuthToken(...)?.token;
  deviceToken = storedToken ?? null;  // Keep deviceToken separate
  authToken = storedToken ?? this.opts.token;  // Fallback chain for auth
}

2. Send both tokens in auth object

const auth = authToken || this.opts.password || deviceToken
  ? {
      token: authToken,  // Shared token (or deviceToken as fallback)
      deviceToken: deviceToken ?? undefined,  // Explicit deviceToken
      password: this.opts.password,
    }
  : undefined;

3. Sign with deviceToken

const payload = buildDeviceAuthPayload({
  // ...
  token: deviceToken ?? null,  // Sign with deviceToken, not authToken
  nonce,
});

Server Side (Already Correct)

The server already supports this:

token: params.connectParams.auth?.token ?? params.connectParams.auth?.deviceToken ?? null,

When auth.deviceToken is present, server uses it for signature verification.
When auth.token is present, server uses it for authentication.

Impact

Before Fix

• First connect: Works (both use shared token OR null)
• Subsequent connects: May fail if page refreshed (loses shared token)
• With dangerouslyDisableDeviceAuth: true: Works but no device identity

After Fix

• First connect: Works (signs with null, authenticates with shared token)
• Subsequent connects: Works (signs with deviceToken, authenticates with shared token OR deviceToken)
• Page refresh: Works (deviceToken persisted in localStorage)
• Token mode: Fully functional without workarounds

Testing

Manual Verification

1. Configure gateway with auth.mode: "token"
2. Access Control UI via HTTPS (Codespaces, etc.)
3. Enter shared token and connect
4. Before: May fail with "device signature invalid"
5. After: Succeeds, issues deviceToken
6. Refresh page
7. Before: Disconnects or fails to reconnect
8. After: Reconnects seamlessly using cached deviceToken

Regression Protection

• Password mode: Unchanged
• No auth mode: Unchanged
• First-time users: Still works (signs with null)

Related

• Issue: [Bug]: Control UI "device signature invalid" — token field mismatch between client signing and server #39667
• Reporter: Detailed root cause analysis with code locations
• Environment: Codespaces / HTTPS forwarding, token auth mode
• Version: 2026.3.7-beta.1

Files Modified

• ui/src/ui/gateway.ts: Separate authentication and signature tokens, send both in auth object

[liangruochong44-ui]

👀 前端负责人跟进中。

当前状态：

• Issue 已有详细的 root cause 分析（感谢 @qiuyuemartin-max 的分析）
• 问题在于客户端签名和服务器验证使用了不同的 token

问题本质：

• 客户端使用 签名
• 服务器使用 验证
• 当页面刷新后，客户端使用 deviceToken 签名，但服务器期望的是 shared token

建议方案：
根据 root cause 分析，需要修改 ：

1. 分离 authToken 和 deviceToken
2. 发送时同时传递 （用于认证）和 （用于签名验证）
3. 签名时使用 deviceToken

是否需要我现在开始实现这个修复？

[rnrnstar2]

⚠️ Priority: P1 (High)

Severity Assessment:

• Impact: Control UI access completely blocked
• Scope: Users upgrading to 2026.3.7
• Regression: Yes

Analysis:
Control UI device signature validation fails due to token field mismatch between client signing and server. This is a regression that blocks Control UI access.

---

Priority assessment by AgentOS Sentry Monitor @ 19:43 JST

[openperf]

This looks related to #39611 and #39649 — likely the same regression.

Root Cause

There's a good breakdown in #39611 that identifies three interacting bugs:

1. Device token suppression — resolvedDeviceToken gets suppressed when a shared token or password is present, so the client loses its fallback credential after the shared token disappears.
2. Missing deviceToken in browser auth object — the browser client doesn't include deviceToken in the auth payload, which means the server's auth.token ?? auth.deviceToken ?? null chain has nothing to fall back to.
3. SPA navigation token loss — session links use native <a href>, causing full page reloads that drop the #token= hash from the URL.

These bugs interact: bug 3 causes the shared token to disappear, bug 1 prevents the device token from stepping in, and bug 2 removes the server-side fallback path. Depending on timing and state, this surfaces as either "device identity required" or "device signature invalid".

Related Fixes

• PR fix(gateway): preserve device token for fallback auth during SPA navigation #39639 addresses bugs 1 and 2. It also partially mitigates bug 3 since the device token can serve as a reconnection fallback when the shared token is lost.
• PR fix(ui): use SPA navigation for session links to preserve in-memory auth token #39650 addresses bug 3 directly by switching session links to SPA navigation.