[Bug]: WhatsApp channel shows linked/OK but inbound messages are not delivered (single tick), with repeated 440/401 reconnect loop

[juvenalmakoszay]

Bug type

Regression (worked before, now fails)

Summary

On OpenClaw 2026.3.12, WhatsApp channel appears as linked and OK, but inbound messages are not actually delivered to the bot (sender sees only one tick in WhatsApp). The channel repeatedly enters reconnect/auth loops with 440 session conflict and 401 Unauthorized errors.

Environment

• OpenClaw version: 2026.3.12 (6472949)
• OS: Linux 6.12.47+rpt-rpi-2712 (arm64) (Raspberry Pi)
• Node: 22.22.0
• Gateway: ws://127.0.0.1:18789 (local loopback)
• Channel: WhatsApp ON, account linked as +5215591923398
• Account policy seen in status: dm:allowlist · allow:+525591923398

What I expected

After successful QR link (Linked! Credentials saved), inbound WhatsApp messages should be received by OpenClaw and bot replies should be sent normally (double tick / conversation flow works).

What actually happens

• WhatsApp sometimes shows bot as linked/online, but inbound messages are not processed.
• Sender sees only one tick (message not delivered to bot session).
• Repeated channel restart/reconnect behavior appears in logs.
• Errors include:
• status 440: session conflict
• 401 Unauthorized (Connection Failure) with varying location values
• intermittent WhatsApp session logged out

Steps attempted

1. openclaw channels logout --channel whatsapp
2. openclaw channels login --channel whatsapp --verbose
3. QR scanned multiple times, including full relink attempts
4. Gateway restarts
5. Repeated validation with openclaw status --deep and channel logs
6. Verified allowlist contains correct number (+525591923398)

Issue persists.

Relevant diagnostics

openclaw status --all highlights

• WhatsApp channel reports: linked · +5215591923398 · auth 3m ago · accounts 1
• Account: default with dm:allowlist · allow:+525591923398
• Gateway may report timeout from CLI while service is running (openclaw-gateway pid ...)

openclaw channels logs --channel whatsapp --lines 400 excerpts

• WhatsApp Web connection closed (status 440: session conflict).
• WhatsApp session logged out. Run openclaw channels login --channel web to relink.
• [default] channel exited ... 401 Unauthorized (Connection Failure) with locations such as:
• cln
• vll
• cco
• frc
• odn
• lla
• many [default] starting provider + Listening for personal WhatsApp inbound messages events between failures

Additional note

Error text suggests openclaw channels login --channel web, but CLI returns:

• Unsupported channel: web
  (so expected command seems to be --channel whatsapp)

Request

Please help identify root cause and recommended stable recovery path for this reconnect/auth conflict loop (440/401) where channel appears linked but inbound delivery fails.

Steps to reproduce

1. Configure WhatsApp channel in OpenClaw and link via:
   openclaw channels login --channel whatsapp --verbose
2. Scan QR in WhatsApp Linked Devices until CLI shows:
   Linked! Credentials saved
3. Verify channel appears healthy in:
   openclaw status --all (WhatsApp shows linked / OK)
4. Send DM to the linked OpenClaw WhatsApp number from allowed sender (+525591923398)
5. Observe sender side: only one tick (not delivered), no bot response
6. Check logs:
   openclaw channels logs --channel whatsapp --lines 400
7. Observe repeated failures:

• 440 session conflict
• 401 Unauthorized (Connection Failure)
• restart loops (starting provider / Listening ...) and occasional session logged out

Expected behavior

After successful QR linking, inbound WhatsApp DMs should be consistently delivered to OpenClaw and bot replies should be sent normally (messages should not remain at single tick). The channel should remain authenticated without
entering 440/401 reconnect loops.

Actual behavior

Channel often shows as linked/OK, but inbound WhatsApp messages are not delivered (sender sees single tick) and no bot reply is produced. Logs repeatedly show 440 session conflict, 401 Unauthorized (Connection Failure),
auto-restart attempts, and intermittent session logged out.

OpenClaw version

2026.3.12 (6472949)

Operating system

Linux 6.12.47+rpt-rpi-2712 (arm64) (Raspberry Pi)

Install method

No response

Model

openai-codex/gpt-5.3-codex

Provider / routing chain

Gateway local loopback (ws://127.0.0.1:18789) → OpenClaw WhatsApp channel (default account)

Config file / key location

No response

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

No response

[Ryce]

This is a textbook silent delivery failure — the channel shows and while messages are actually being dropped. Sender sees one tick and assumes it went through, but the bot never receives it.

The 440/401 reconnect loop means the session state is corrupted in a way that isn't surfaced to the user. By the time you notice the gap, those messages are gone — WhatsApp doesn't retry indefinitely.

If you had an independent backup of session state from before the reconnect loop started, you could:

1. Detect the gap — diff pre-loop state against current state to see what was lost
2. Restore context — the backup preserves the conversation history that the corrupted session dropped
3. Audit blast radius — know exactly which messages were silently lost vs. successfully delivered

The pattern here — system reports healthy while silently losing data — is exactly why independent persistence matters. The channel's own status reporting can't be trusted when the underlying session is in a reconnect death spiral.

detailed walkthrough on backup-based gap detection

[dsantoreis]

The 440/401 loop is caused by competing WhatsApp Web sessions. Here is what happens:

1. Monitor starts, connects using stored credentials
2. WhatsApp server detects a session conflict (another client is already connected with those creds), returns status 440
3. isNonRetryableWebCloseStatus(440) returns true, monitor stops and logs the "session conflict" message
4. Gateway service restarts the monitor (systemd or internal keepAlive), which tries again with the same stale credentials
5. Loop repeats: connect -> 440 conflict -> stop -> restart -> connect -> 440

The 401 errors between cycles are WhatsApp rejecting the credentials entirely after too many conflicting reconnect attempts (server-side rate limiting / temporary auth block).

Recovery steps:

1. Kill all competing sessions first. On your phone: WhatsApp > Settings > Linked Devices > remove ALL linked devices
2. Clear stored credentials:

   openclaw channels logout --channel whatsapp
   openclaw gateway restart

3. Wait 2-3 minutes for the WhatsApp server-side session lock to expire
4. Relink cleanly:

   openclaw channels login --channel whatsapp --verbose

5. Do not scan the QR from another device during this process

The "single tick" symptom confirms it: messages are reaching the WhatsApp server but not being delivered to the bot client because the socket is dead or in reconnect limbo.

Separate UX bug: the error message tells users to run --channel web but the CLI only accepts --channel whatsapp. This sends people in circles.

Related: #45387, #45391 (WhatsApp send failures with similar status-OK-but-actually-dead pattern).

[dsantoreis]

Same root cause as #45387 and #45391.

The WhatsApp session layer (requireActiveWebListener()) checks an in-memory listener map that gets cleared on socket disconnect. The auth/status path checks persisted credentials separately, so linked/OK is true even when the runtime socket is dead.

The 440 session conflict + 401 Unauthorized loop means another client (likely a previous gateway restart or a second device) is contesting the session. WhatsApp only allows one active Web session per phone number — if the gateway restarts without a clean disconnect, the old session lingers server-side and triggers auth conflicts on the new one.

Steps to resolve:

1. Stop the gateway
2. Unlink WhatsApp Web from your phone (Settings > Linked Devices > remove the OpenClaw entry)
3. Start the gateway and re-link with a fresh QR scan
4. Make sure only one gateway instance is running (ps aux | grep openclaw to check for orphans)

The reconnect loop will not self-heal when the session is in a conflict state — it needs a clean re-link.

[juvenalmakoszay]

Additional technical context from follow-up analysis (consistent with #45387 and #45391):

• We’re seeing a repeated 440 session conflict → reconnect → 401 Unauthorized loop.
• This strongly suggests competing/stale WhatsApp Web sessions.
• Symptoms match exactly: channel can appear linked/OK, but inbound is not actually delivered (sender sees single tick, bot receives nothing).

Likely mechanism:

1. monitor connects with stored creds
2. server returns 440 (conflict)
3. monitor stops
4. service restarts monitor
5. reconnect with same stale/contested session
6. after repeated attempts, server returns 401 (temporary auth rejection)

Important UX issue:

• Error guidance references --channel web, but CLI accepts --channel whatsapp, which causes confusion during recovery.

Clean recovery sequence that appears necessary:

1. Remove ALL linked devices for that WhatsApp account (phone app)
2. openclaw channels logout --channel whatsapp
3. restart gateway
4. wait 2–3 minutes
5. openclaw channels login --channel whatsapp --verbose
6. ensure only one gateway instance and one QR scan path (no competing client)

This state did not self-heal in our tests; only clean relink attempts changed behavior.

[dsantoreis]

@juvenalmakoszay Confirmed, this matches the same conflict-loop signature.

Your added sequence is solid. I would only tighten two operator safeguards:

1. after logout, verify no orphan process before relink:

ps -ef | grep -E "openclaw|whatsapp" | grep -v grep

2. after relink, validate with a real inbound probe (send one test DM from phone and confirm it appears in gateway logs within 10s), not just linked/OK.

Agree this does not self-heal once stuck in 440/401 churn; clean relink is required.

[juvenalmakoszay]

Additional validation result:

I ran the post-relink probe:

• Sent a real WhatsApp DM test from phone
• Checked openclaw channels logs --channel whatsapp --lines 80 immediately after

Result:

• No inbound message event appeared in logs.
• Logs only show provider start/listening entries and prior failures (session logged out, 401 Unauthorized, occasional 408 timeout).

So even when channel shows listening/linked, inbound delivery still fails (silent drop pattern persists).

[dsantoreis]

The persistent single-tick after clean relink tells me the session is technically connected (no more 440/401) but the socket message handler is not forwarding inbound payloads to the channel adapter.

Two things to check:

1. After relink, run openclaw channels status --channel whatsapp --verbose and confirm it shows an active socket connection (not just "linked" flag from stored creds). The 440 loop can leave the stored auth in a half-valid state where status reports OK but the socket never fully authenticated.

2. Check if the allowlist policy is filtering the test number. Your config shows allow:+525591923398 but the account is +5215591923398 (extra "1" — Mexican mobile format). If the inbound DM comes from the number without the country-internal prefix, the allowlist silently drops it. Try temporarily setting dm: open to rule that out.

If dm: open fixes delivery, the root cause is number normalization in the allowlist matcher rather than the reconnect loop.

[dsantoreis]

The silent drop after relink is expected with the current architecture, unfortunately.

When the gateway hits a 440 (session conflict), the monitor loop exits completely via isNonRetryableWebCloseStatus — it calls closeListener() and breaks. That nulls out the active listener in the listener map. Re-linking via openclaw channels login only refreshes auth credentials on disk; it does not restart the monitor loop.

You need a full gateway restart after relink:

openclaw gateway restart

That forces a fresh monitorWebChannel call which creates a new listener, registers it in the active map, and starts processing inbound again.

The deeper fix would be having the login flow signal the running gateway to restart the WhatsApp channel automatically. Related to #45391 and #45387.

[juvenalmakoszay]

Final validation result after full restart + live probe:

• Ran openclaw gateway restart
• Channel came back as linked/running/connected
• Sent real WhatsApp test DM from phone
• Immediately checked:
• openclaw channels logs --channel whatsapp --lines 60
• openclaw channels status --probe --json

Observed:

• No inbound event logged for the test message
• lastInboundAt: null
• lastOutboundAt: null
• Status still reports connected/healthy

Conclusion:
This reproduces a persistent silent inbound drop state: runtime status appears healthy, but message flow is dead.

[juvenalmakoszay]

Thanks — I tested this exact workaround.

I did:

1. relink (openclaw channels login --channel whatsapp --verbose)
2. full gateway restart (openclaw gateway restart)
3. immediate real inbound probe + log/status checks

Result:

• channel still reports linked/running/connected
• but lastInboundAt remains null
• no inbound event appears in channel logs for the probe message

[juvenalmakoszay]

So in this environment, relink + full restart is necessary but not sufficient; silent inbound drop still persists.

[dsantoreis]

@juvenalmakoszay Good repro, this is narrowing it down.

So the channel reports healthy but lastInboundAt stays null even after a live probe message. That rules out the most common restart-fixes and points to the websocket session being connected but not receiving message events (only presence/status frames).

A few things that can cause this specific pattern:

1. Stale session token - the WA websocket authenticates with a session token that can expire silently. The channel reconnects (status looks fine) but the server stops forwarding message events to that session. The 440/401 errors you saw earlier confirm auth issues during reconnect.

2. Multi-device slot exhaustion - WhatsApp limits linked devices. If another linked device was added/removed, the session may be in a degraded state where it receives presence but not messages.

3. Event subscription mismatch - after reconnect, the client needs to re-subscribe to message events explicitly on some WA web protocol versions.

Can you try:

# fully remove and re-pair (not just relink)
openclaw channels remove --channel whatsapp
openclaw channels add --channel whatsapp
# scan the new QR, then:
openclaw channels status --probe --json

A fresh pairing forces a new session token and device slot. If inbound works after that, the root cause is stale session persistence across reconnects.

[dsantoreis]

That narrows it down significantly — the monitor loop is running, the socket is connected, but the WhatsApp server isn't delivering messages to this device.

This is a known Baileys auth-state issue. The stored auth keys can become stale even though the socket connects. The server accepts the connection but doesn't route messages to the device because the signal session keys are out of sync.

Nuclear fix:

# Stop gateway
openclaw gateway stop

# Wipe all WhatsApp auth state (forces full re-registration)
rm -rf ~/.openclaw/channels/whatsapp/auth/

# Re-login from scratch
openclaw channels login --channel whatsapp

# Start gateway
openclaw gateway start

The key difference vs a normal relink: this wipes the signal session keys, not just the connection creds. The fresh login generates new device keys that the server will actually route messages to.

If that still fails, check openclaw channels logs --channel whatsapp --lines 20 right after sending a test message — we need to see whether messages.upsert events fire at all at the Baileys layer.