Control UI 在 2026.3.12 版本中无法通过 HTTP + Token 认证访问，2026.3.2 版本正常工作 / Control UI authentication via HTTP + Token fails in 2026.3.12 but works in 2026.3.2

[xishandong]

问题描述 / Description

升级到 OpenClaw 2026.3.12 后，无法通过 HTTP + Token 的方式访问 Control UI。浏览器显示 "device identity required" 错误，即使已配置 dangerouslyDisableDeviceAuth: true。

After upgrading to OpenClaw 2026.3.12, cannot access Control UI via HTTP + Token. Browser shows "device identity required" error even with dangerouslyDisableDeviceAuth: true configured.

降级到 2026.3.2 版本后，使用相同的配置可以正常工作。

Downgrading to 2026.3.2 with the same configuration works correctly.

环境信息 / Environment

• OpenClaw 版本 / Version: 2026.3.12 (问题版本 / broken) vs 2026.3.2 (正常版本 / working)
• 操作系统 / OS: Linux (x64)
• Node.js: 22.x
• 浏览器 / Browser: Chrome
• 访问方式 / Access method: HTTP (非 HTTPS / non-HTTPS)

配置 / Configuration

{
  "gateway": {
    "bind": "lan",
    "mode": "local",
    "controlUi": {
      "basePath": "xxx",
      "allowedOrigins": ["http://<host>:<port>"],
      "allowInsecureAuth": true,
      "dangerouslyDisableDeviceAuth": true
    },
    "auth": {
      "mode": "token",
      "token": "xxx"
    }
  }
}

复现步骤 / Steps to Reproduce

1. 安装 OpenClaw 2026.3.12 / Install OpenClaw 2026.3.12
2. 配置 gateway.controlUi.dangerouslyDisableDeviceAuth: true / Configure gateway.controlUi.dangerouslyDisableDeviceAuth: true
3. 通过 HTTP 访问 Control UI / Access Control UI via HTTP
4. 页面显示 "device identity required"，无法连接 / Page shows "device identity required", connection fails

预期行为 / Expected Behavior

与 2026.3.2 版本一致：配置 dangerouslyDisableDeviceAuth: true 后，应该能够通过 HTTP + Token 访问 Control UI，不需要设备身份验证。

Same as 2026.3.2: With dangerouslyDisableDeviceAuth: true, should be able to access Control UI via HTTP + Token without device identity verification.

实际行为 / Actual Behavior

页面显示 "device identity required"，WebSocket 连接失败。

Page shows "device identity required", WebSocket connection fails.

相关变更 / Related Changes

根据 CHANGELOG，2026.2.26 版本引入了以下变更：

Per CHANGELOG, 2026.2.26 introduced:

Gateway/Security: require secure context and paired-device checks for Control UI auth even when gateway.controlUi.allowInsecureAuth is set

建议 / Suggestions

1. 明确 dangerouslyDisableDeviceAuth 的预期行为：是否应该完全禁用设备身份检查，包括 secure context 检查？/ Clarify expected behavior of dangerouslyDisableDeviceAuth: should it completely disable device identity checks including secure context?
2. 或者提供一种方式，允许在受控环境（如内网、开发环境）中通过 HTTP 访问 Control UI / Or provide a way to allow HTTP access to Control UI in controlled environments (e.g., LAN, dev environment)
3. 更新文档，说明从 2026.2.26 版本开始，HTTP 访问 Control UI 的限制 / Update documentation about HTTP access restrictions to Control UI since 2026.2.26

临时解决方案 / Workaround

降级到 2026.3.2 版本：

Downgrade to 2026.3.2:

npm install -g openclaw@2026.3.2

[Ryce]

This looks like the same auth layer regression as #45398 — the dangerouslyDisableDeviceAuth flag is being ignored by the WebSocket handshake path.

Your diagnosis of the CHANGELOG note is right: the 2026.2.26 security change requiring device identity checks runs after the config-level bypass, so the flag gets overridden regardless. The config is read correctly (you can verify with /config), but the WebSocket upgrade handler doesn't respect it.

Another workaround (besides downgrading): Try enabling the control UI explicitly and setting the auth mode to token-only:

{
  "gateway": {
    "controlUi": {
      "enabled": true,
      "dangerouslyDisableDeviceAuth": true,
      "allowInsecureAuth": true
    }
  }
}

Some operators reported the flag only takes effect when controlUi.enabled is explicitly true rather than relying on default-on behavior.

If you can't access the gateway at all: This is exactly the scenario where independent backup matters — when the gateway's own auth layer is misconfigured or broken, you can't reach the control UI to fix it. An external backup (https://keepmyclaw.com) captures sessions independently of gateway config, so your agent history survives even when the gateway is completely inaccessible.

中文总结：这是 WebSocket 层的认证回退，和 #45398 同一个根因。dangerouslyDisableDeviceAuth 标志被安全层覆盖了。建议降级到 2026.3.2 或等待修复。如果完全无法访问网关，独立备份可以保护会话数据。

[LainNetWork]

I have tried it,but bot work...

{
"gateway": {
"controlUi": {
"enabled": true,
"dangerouslyDisableDeviceAuth": true,
"allowInsecureAuth": true
}
}
}

最后在本地装了个Caddy签发本地自签名证书并做反向代理，解决了这个问题，域名也是临时配在路由器上的，折腾了一晚上。。有需要的可以临时使用这个方法进行本地访问

[jmcte]

Confirmed on current main: this regression is already fixed after v2026.3.12 by #45088 (0a3b9a9a090ab2ae1dbf6eb8d044e20af165c0d1, fix(ui): keep shared auth on insecure control-ui connects).

What that fix changes:

• restores explicit shared token/password auth on insecure http:// Control UI first-connect flows
• keeps the existing secure-context/device-token behavior unchanged
• adds regression coverage for insecure token/password connects

So the issue reproduces on the released v2026.3.12, but current main already contains the fix and should pick it up in the next release.

[new12]

Same issue on Docker environment with v2026.3.12