macOS app: gateway auth token churn can cause token_mismatch + pairing_required reconnect spam

[sene1337]

Summary

On macOS, when gateway auth token changes (or is regenerated) during config rewrites/restarts, OpenClaw.app can enter a reconnect loop with alternating errors:

• unauthorized: gateway token mismatch
• pairing required
• intermittent Could not connect to the server during restart windows

This creates sustained log spam and makes the node appear broken even after approvals.

Environment

• Gateway CLI: openclaw 2026.3.9
• macOS app observed: 2026.3.8-beta.1
• Local gateway: ws://127.0.0.1:18789

Observed log signals

• Gateway out:
  • auth token was missing. Generated a new token and saved it to config (gateway.auth.token).
  • frequent SIGTERM/restart cycles
• Gateway/App:
  • unauthorized ... reason=token_mismatch
  • closed before connect ... code=1008 reason=pairing required
  • Could not connect to the server during restart windows

Repro (approx)

1. macOS app connected locally to gateway (127.0.0.1:18789).
2. Trigger config writes touching auth/restart path.
3. Gateway rotates/regenerates auth token and restarts.
4. App/node attempts reconnect with stale auth/device role state.
5. Loop: token mismatch + pairing required + connect failures.

Expected

• Token/auth state should remain stable across benign config writes/restarts, or
• clients should re-handshake cleanly once token changes, without prolonged spam loops.

Actual

• repeated auth/pairing/connect failures until manual repair/reset/pairing/token rotation.

Temporary mitigation that helped

• re-approve pending node pairing request
• rotate node token
• stabilize gateway (avoid further auth-token churn/restarts)

Suggested fixes

1. Prevent silent auth token regeneration unless explicitly requested.
2. If token changes, surface a single clear state transition to clients and suppress reconnect spam.
3. Make node-role upgrade flow (operator -> node) resilient to concurrent restart/auth transitions.
4. Consider backoff/jitter + deduplicated error emission in app logs for this class.

[sene1337]

Related prior issues:\n- #21236 (closed): pairing required after update\n- #21267: device token mismatch after update\n- #21688: pairing scope-upgrade reconnect loop\n- #23891: persistent local token mismatch after identity wipe/restart\n- #23498: pairing recovery self-unpair/token mismatch behavior\n\nThis report looks like the same failure family with explicit macOS app + auth-token churn + restart-window evidence.

[sene1337]

Potential enhancement: add a dedicated Doctor check for auth/pairing churn loops.\n\n### Why\nThis failure mode is diagnosable from logs and state, but currently manual to detect. It presents as noisy reconnect spam and is easy to mis-triage as generic connectivity.\n\n### Suggested doctor check\nDetect this signature over a short window (e.g., 2–5 minutes):\n- repeated and/or websocket closes\n- repeated around frequent gateway restarts\n- evidence of regeneration/rewrite\n- same device repeatedly requesting role upgrade ()\n\n### Suggested doctor output\nWhen detected, emit a single high-confidence diagnosis, e.g.:\n> "Gateway auth/pairing state churn detected (token rotation + reconnect loop)."\n\n### Suggested guided remediation (safe order)\n1. Freeze auth token churn (pin/confirm stable gateway auth token).\n2. Ensure gateway is stable (single clean restart, then wait for listening state).\n3. Re-approve pending node pairing (if present).\n4. Re-issue/rotate node token only if mismatch persists.\n5. Verify loop cleared (no new / events in time window).\n\nThis would convert a high-noise operational incident into a deterministic path.

[sene1337]

Correction / clean version of the doctor-feature suggestion:\n\nPotential enhancement: add a dedicated Doctor check for auth/pairing churn loops.\n\nWhy this helps:\n- This failure mode is diagnosable from logs/state but currently manual to triage.\n- It appears as reconnect spam and often looks like generic connectivity issues.\n\nSuggested detection (2-5 minute window):\n- repeated websocket unauthorized errors with reason token_mismatch\n- repeated websocket closes with reason pairing required\n- repeated Could not connect errors around gateway restart windows\n- evidence that gateway auth token was regenerated/rewritten\n- same device repeatedly requesting role upgrade from operator to node\n\nSuggested Doctor output:\n- one high-confidence diagnosis message indicating auth/pairing state churn\n\nSuggested guided remediation (safe order):\n1) freeze auth-token churn (pin/confirm stable gateway auth token)\n2) stabilize gateway (single clean restart; wait for listening state)\n3) approve pending node pairing request (if present)\n4) rotate node token only if mismatch persists\n5) verify quiet period (no new token_mismatch/pairing required events)\n\nThis would make the incident deterministic and suitable for doctor --fix.

[benclawbot]

Hi! For macOS gateway auth token churn - this sounds like a token refresh issue.

Possible fixes:

1. Check token expiry settings
2. Add automatic token refresh logic
3. Store tokens in keychain instead of config

The token_mismatch suggests the stored token doesn't match what's expected. Happy to help debug!

[joshavant]

Thanks for reporting this and for the detailed reproduction notes.

This is now covered by #42507 (merged), which supersedes this thread and includes reconnect-loop hardening across clients (including macOS-path behavior).

Closing as superseded by the merged fix set. If this still reproduces on latest main, please drop updated logs and we can reopen.