Loopback token-auth CLI connects but RPC is scope-limited (missing operator.read/write)

[DmytroVolodymyrson]

Summary

openclaw CLI can connect successfully to a local loopback gateway over shared token auth, but the session lands in a scope-limited operator state and RPC calls fail with errors like:

• missing scope: operator.read
• missing scope: operator.write

This breaks control-plane operations such as:

• openclaw gateway probe
• openclaw cron add
• openclaw cron runs

Environment

• OpenClaw package version: 2026.3.13
• Gateway mode: local
• Gateway bind: loopback
• Gateway auth mode: token
• Target URL: ws://127.0.0.1:18789
• CLI invoked from Cedric via exec, using the local openclaw CLI

Repro

From the same machine as the gateway:

openclaw gateway probe --token <gateway-token> --url ws://127.0.0.1:18789

Observed result:

• transport/auth connect succeeds
• but probe reports degraded RPC auth, e.g.

Reachable: yes
Connect: ok
RPC: limited - missing scope: operator.read

And in gateway logs we see:

[ws] ⇄ res ✗ status 1ms errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read
[ws] ⇄ res ✗ system-presence 1ms errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read
[ws] ⇄ res ✗ config.get 1ms errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read

Same class of failure affects cron add / cron runs through the same path.

What we checked already

1. Pairing/auth files looked correct

We verified both of these files contained operator scopes including read/write:

• ~/.openclaw/identity/device-auth.json
• ~/.openclaw/devices/paired.json

Scopes present:

• operator.admin
• operator.approvals
• operator.pairing
• operator.read
• operator.write

We also restarted the gateway after correcting a mismatch there. The problem persisted.

2. Internal code path investigation

The installed code suggests this local-loopback path intentionally avoids attaching device identity for token/password-authenticated gateway calls.

In our local build we found:

Client side

dist/auth-profiles-*.js

function shouldAttachDeviceIdentityForGatewayCall(params) {
	if (!(params.token || params.password)) return true;
	try {
		const parsed = new URL(params.url);
		return ![
			"127.0.0.1",
			"::1",
			"localhost"
		].includes(parsed.hostname);
	} catch {
		return true;
	}
}

And the gateway client is built with:

deviceIdentity: shouldAttachDeviceIdentityForGatewayCall({
	url,
	token,
	password
}) ? loadOrCreateDeviceIdentity() : void 0,

Server side

dist/gateway-cli-*.js

We found:

function roleCanSkipDeviceIdentity(role, sharedAuthOk) {
	return role === "operator" && sharedAuthOk;
}

and missing-device handling that can clear scopes when no bound device is present:

const clearUnboundScopes = () => {
	if (scopes.length > 0) {
		scopes = [];
		connectParams.scopes = scopes;
	}
};

This appears to produce an awkward state where:

• shared auth succeeds
• connection is allowed
• but effective operator scopes end up empty / limited
• so subsequent RPC authorization fails

3. Temporary local patch attempt

As a diagnostic only, we patched shouldAttachDeviceIdentityForGatewayCall(...) to always return true in the installed dist bundles.

That still did not fully fix the issue.

So the problem seems deeper than only the loopback identity gate.

Current diagnosis

Most likely the CLI is ending up in a partially authorized operator session on this loopback shared-auth path:

• connect succeeds
• operator role is accepted
• but the client does not arrive with a fully usable device-token-backed scope set for RPC
• and the client does not automatically upgrade/retry out of this degraded state

In other words:

local loopback + shared token auth can connect, but still leave the operator client scope-limited for gateway RPC.

Why this matters

This blocks a robust local operator workflow where the local openclaw CLI is expected to safely perform:

• cron registration
• cron inspection
• gateway probe/status
• other control-plane operations

Without this, local automation that depends on control-plane CLI operations becomes much harder to make reliable.

Questions / expected behavior

I think one of these should be true:

1. Local loopback shared-auth operator CLI calls should attach device identity and establish a fully scoped operator session, or
2. Local shared-auth operator CLI calls that are intentionally allowed without device identity should still preserve requested operator scopes for RPC, or
3. The CLI should detect this degraded state and explicitly retry/upgrade into a device-token-backed operator session instead of silently succeeding at connect and failing later on read/write/admin RPCs.

Request

Could you confirm whether this is expected behavior or a bug?

If it is a bug, I’d appreciate guidance on the intended fix path for:

• local loopback token-authenticated operator CLI
• from the same machine as the gateway
• where downstream RPC methods need full operator scopes

If useful, I can also provide a smaller repro focused only on gateway probe.

[chunliu]

any workaround?

[DmytroVolodymyrson]

We tried the obvious local workarounds on the exact loopback/shared-token path:

• corrected operator scopes in the local pairing/auth files
• restarted the gateway
• even patched the local client to force device identity attachment on loopback

That still didn’t fully resolve it for us, so we don’t currently have a confirmed workaround for the exact ws://127.0.0.1 token-auth path.

A possible workaround worth testing is avoiding loopback entirely and connecting through a non-loopback gateway URL (for example a remote/Tailscale path), since the client code appears to special-case 127.0.0.1 / localhost / ::1.

But to be clear: we have not validated that as a reliable workaround yet.

[sashakhar1]

We reproduced a closely related variant on a Linux VPS and confirmed this is not just a missing env var.

Environment:

• OpenClaw 2026.3.13 (61d171a)
• Node v22.22.1
• Ubuntu 24.04 VPS
• gateway bind: loopback
• gateway auth: token
• target URL: ws://127.0.0.1:18789
• gateway managed by systemd

Observed symptoms:

• openclaw gateway health
• openclaw gateway probe
• openclaw cron status
• openclaw cron list
• openclaw cron add

all fail intermittently with either:

gateway connect failed: Error: gateway closed (1000):
Error: gateway closed (1000 normal closure): no close reason

or with scope-limited RPC failures like:

{"code":"INVALID_REQUEST","message":"missing scope: operator.read"}

Gateway logs show both patterns:

[ws] handshake timeout conn=... remote=127.0.0.1
[ws] closed before connect conn=... remote=127.0.0.1 ... code=1000 reason=n/a
[ws] ⇄ res ✗ cron.status 1ms errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read

What we verified:

1. OPENCLAW_GATEWAY_TOKEN is present in /opt/mole/secrets/mole.env
2. the same token is present in the live gateway process env
3. the gateway is healthy and serving other traffic (Telegram works, gateway service active)
4. raw WS upgrade to 127.0.0.1:18789 succeeds
5. the gateway sends connect.challenge
6. a manual WS client that sends a valid connect request can call health
7. a manual WS client that sends connect with device identity can call cron.status

That strongly suggests the runtime/gateway are fine, but the official CLI path is not consistently arriving at a fully authorized operator session.

Relevant installed code path we inspected:

function shouldAttachDeviceIdentityForGatewayCall(params) {
  if (!(params.token || params.password)) return true;
  try {
    const parsed = new URL(params.url);
    return !["127.0.0.1", "::1", "localhost"].includes(parsed.hostname);
  } catch {
    return true;
  }
}

So for token/password + loopback, the CLI intentionally does not attach device identity.

On our machine, that correlates exactly with the degraded RPC behavior:

• transport can succeed
• gateway allows the session
• but cron.* ends up missing operator.read/write

Additional finding:
we also saw a second failure mode where the official CLI sometimes never completes the handshake at all, and the gateway just logs handshake timeout / closed before connect. So there may be two related regressions here:

1. loopback token-auth CLI sessions can become scope-limited because device identity is not attached
2. the CLI↔gateway handshake path is also flaky/intermittent on 2026.3.13

One ugly diagnostic-only workaround partially proved the first point:

• if we force the official CLI to connect via a non-loopback hostname alias that resolves to 127.0.0.1, openclaw cron add can succeed once because the client starts attaching device identity
• but the CLI still remains unstable overall, so this is not a real fix

So my current conclusion is:

• not an env-var problem
• not a cron schema problem
• very likely an upstream CLI/gateway auth+handshake bug in 2026.3.13

If useful, I can provide the exact manual WS repro that succeeds against the same gateway while the official CLI fails.

[sashakhar1]

We identified the root cause and submitted a fix: #49751

TL;DR: The gateway-side handshake timer races against the async auth flow. clearHandshakeTimer() is called only after the entire auth resolution (device signature verification, token grant, scope binding) completes. On resource-constrained hosts (small VPS, busy event loop), auth takes >3s and the timer kills a legitimate in-progress connection.

The fix (3 lines across 3 files):

1. Move clearHandshakeTimer() to right after the connect request validates — before async auth begins
2. Raise server handshake timeout: 3s -> 10s
3. Raise client challenge timeout: 2s -> 10s

Note: the device-identity-on-loopback issue from my earlier comment is already fixed in main (shouldAttachDeviceIdentityForGatewayCall now returns true unconditionally). The 2026.3.13 release has the old code, so the handshake timeout fix is the remaining piece.

Workaround until the fix ships: patch the installed dist files on the VPS:

# In all dist files containing DEFAULT_HANDSHAKE_TIMEOUT_MS:
sed -i 's/const DEFAULT_HANDSHAKE_TIMEOUT_MS = 3e3;/const DEFAULT_HANDSHAKE_TIMEOUT_MS = 30e3;/' dist/gateway-cli-*.js

# In all dist files containing shouldAttachDeviceIdentityForGatewayCall:
sed -i 's/function shouldAttachDeviceIdentityForGatewayCall(params) {/function shouldAttachDeviceIdentityForGatewayCall(params) { return true;/' dist/auth-profiles-*.js dist/discord-*.js dist/model-selection-*.js dist/reply-*.js

# In all dist files containing connectChallengeTimeoutMs:
sed -i 's/Math.max(250, Math.min(1e4, rawConnectDelayMs)) : 2e3;/Math.max(250, Math.min(3e5, rawConnectDelayMs)) : 30e3;/' dist/auth-profiles-*.js dist/discord-*.js dist/model-selection-*.js dist/reply-*.js

# Restart gateway
sudo systemctl restart openclaw-gateway.service

[tyler6204]

Resolved by #50101, merge commit: 7b61ca1. Thanks for the report!