node run: add --header flag for Cloudflare Zero Trust service tokens

[kevin-freiburger]

Problem

When a gateway is behind Cloudflare Zero Trust (or similar reverse proxy with auth), openclaw node run cannot connect because the WebSocket handshake gets a 302 redirect to the auth page. There's no way to pass custom HTTP headers on the WebSocket connection.

Current workaround

SSH tunnels to bypass Cloudflare, then connect to localhost. This works but adds operational complexity (tunnel management, auto-reconnect, extra services).

Proposed solution

Add a repeatable --header flag to openclaw node run and openclaw node install:

openclaw node run --host gateway.example.com --port 443 --tls \
  --header "CF-Access-Client-Id:abc123" \
  --header "CF-Access-Client-Secret:xyz789" \
  --display-name "Remote Node"

Headers would be included in the initial WebSocket upgrade request.

Alternatively, support CF_ACCESS_CLIENT_ID and CF_ACCESS_CLIENT_SECRET env vars, or a generic OPENCLAW_NODE_HEADERS env var.

Use case

Bidirectional node pairing between two OpenClaw gateways, both behind Cloudflare Zero Trust tunnels. Each gateway is a node on the other, enabling symmetric remote exec and diagnostics. Without header support, SSH tunnels are required as an intermediary.

Environment

• OpenClaw 2026.3.8
• Both gateways behind Cloudflare Tunnel + Zero Trust Access apps
• openclaw node run --tls returns Unexpected server response: 302

[SudheerDev-AIML]

Hi, I'd like to work on this. I'll add a --header flag to openclaw node run and openclaw node install that passes custom HTTP headers on the WebSocket upgrade request. Will also support the env var approach as an alternative. I'll submit a PR shortly.
Thanks.

[newcodebook]

302 on the WebSocket upgrade is Cloudflare Access doing its job (redirecting to an interactive auth page). Until openclaw node run supports custom headers, you need a transport that doesn’t require header-based auth.

Two workable options today:

1. Easiest operationally: expose a separate gateway hostname/route for node traffic that bypasses Access (lock it down by IP allowlist / mTLS / private network), so the WS upgrade returns 101 instead of 302.

2. If you can’t change CF Access policy, keep your current workaround: SSH port-forward the gateway WS port and point node run at localhost:

# on the node machine
ssh -N -L 18789:127.0.0.1:18789 user@gateway.example.com
openclaw node run --host 127.0.0.1 --port 18789

Why this helps: the node client can’t complete an interactive/browser Access flow; it needs a direct 101 upgrade.

Recommended reading:

• OpenClaw Remote Browser Setup: Gateway on One Machine, Browser on Another
• OpenClaw Control UI Auth & Pairing: Fix 'unauthorized', 1008, and Remote Dashboard Access

[SudheerDev-AIML]

Hi @newcodebook
Thanks for workaround solution.
These are exactly the right workarounds until native header support lands — the SSH tunnel one is especially clean.
For anyone hitting this: I have a PR open (#42841) that adds --header directly to node run and node install, so you'd be able to do:

openclaw node run --host gateway.example.com --port 443 \ --header "CF-Access-Client-Id: your-client-id" \ --header "CF-Access-Client-Secret: your-client-secret"

Also picks up CF_ACCESS_CLIENT_ID / CF_ACCESS_CLIENT_SECRET from env if you don't want tokens on the command line. Happy to take feedback before it merges!

[clawsweeper]

Closing this as duplicate or superseded after Codex automated review.

Issue #42792 is not implemented on current main, but the exact remaining work is already tracked by open PR #42841, which explicitly targets node run/install --header support for Cloudflare Zero Trust and links back with Closes #42792.

What I checked:

• Canonical PR tracks the same request: Provided GitHub context shows PR Node run/install: add --header for WebSocket upgrade (Cloudflare Zero Trust) #42841 is open, titled "Node run/install: add --header for WebSocket upgrade (Cloudflare Zero Trust)", and its body says it adds repeatable --header support to openclaw node run/install plus OPENCLAW_NODE_HEADERS and CF_ACCESS_CLIENT_* env handling. It explicitly says "Closes node run: add --header flag for Cloudflare Zero Trust service tokens #42792". (0fcd100ccbb5)
• Current main node CLI lacks --header: Current main registers node run options for host, port, tls, tls-fingerprint, node-id, and display-name only; node install likewise has no --header option. (src/cli/node-cli/register.ts:40, e640c0a95fcb)
• Current main WebSocket client has no custom header path: GatewayClient builds wsOptions with maxPayload and optional TLS fingerprint handling, then calls new WebSocket(url, wsOptions). No generic custom header option is wired into GatewayClientOptions or the WebSocket constructor path. (src/gateway/client.ts:256, e640c0a95fcb)
• Current main node config has no persisted headers field: NodeHostGatewayConfig currently includes host, port, tls, and tlsFingerprint only, so node install cannot persist gateway WebSocket headers on main. (src/node-host/config.ts:7, e640c0a95fcb)
• Targeted search found no current header support: A targeted repo search for --header, OPENCLAW_NODE_HEADERS, CF_ACCESS_CLIENT, CF_ACCESS, and headers across the node CLI, node-host, GatewayClient, daemon node args, install helper, and node docs returned no matches. (e640c0a95fcb)

So I’m closing this here and keeping the remaining discussion on the canonical linked item.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against e640c0a95fcb.