2026.3.13 local loopback token-auth: post-auth scope gap (operator.read) + status/probe inconsistency

[adamvandenbos]

Summary

On OpenClaw 2026.3.13 in local loopback token-auth mode, we consistently hit a 3-stage auth/probe cascade:

1. token_missing (pre-auth rejection)
2. post-auth scope gap (scopes: [] / missing scope: operator.read)
3. pairing-required state

Token-only Control UI sessions repeatedly hit stage 2. Paired-device auth is currently the only reliable control path.

Environment

• OpenClaw: 2026.3.13
• OS: Linux 6.8.0-101-generic (x64), node 22.22.1
• Gateway mode: local
• Gateway bind: loopback (ws://127.0.0.1:18789)
• Gateway auth: token
• Channels enabled: Telegram + Discord

Observed behavior

• openclaw gateway status shows runtime running and RPC probe: ok.
• openclaw status --deep overview can simultaneously report gateway unreachable (missing scope: operator.read).
• Health table can still show gateway/channel reachable in the same window.
• Intermittent loopback WS churn also observed (closed 1000, handshake timeout).

Expected behavior

• Token-authenticated local Control UI sessions should retain operator scopes consistently.
• Status/probe surfaces should not report contradictory health/scope states for the same runtime window.

Repro steps

1. Start gateway in local loopback + token auth mode.
2. Connect Control UI via token-only path.
3. Run both:
   • openclaw gateway status
   • openclaw status --deep
4. Observe scope/probe inconsistency and operator scope failures.
5. Complete paired-device auth and verify control-path reliability improves.

Auth cascade model used in incident handling

• Stage 1 token_missing: rejected pre-auth (fix: provide token)
• Stage 2 post-auth scope gap: token accepted but no usable operator scope (no config-toggle workaround found)
• Stage 3 pairing required: identity present but pairing incomplete (fix: complete pairing)

Known references

• [Bug]: Dashboard shows "Connected" and "Health OK" but "Error: missing scope: operator.read" - no data with token-only auth #17095
• [Bug]: Web UI Error: missing scope: operator.read #16862
• [Bug]: Intermittent local gateway websocket handshake failures on loopback (ws://127.0.0.1:18789) #45222
• [Bug]: local gateway CLI handshake fails (probe timeout / gateway call closed 1000) even though gateway is running and WS challenge is reachable #45560
• https://docs.openclaw.ai/help/troubleshooting

Additional note

allowTailscale: true appears scoped to Tailscale identity flows and does not remediate token_missing or post-auth scope-gap failures in this loopback token-only path.

[tyler6204]

Resolved by #50101, merge commit: 7b61ca1. Thanks for the report!

[adamvandenbos]

Follow-up from production validation on v2026.3.13-1 (61d171a): the issue symptoms are still reproducible on the latest stable release.

Evidence:

• Latest stable release: v2026.3.13-1 (target commit 61d171ab0b2f..., published 2026-03-14)
• Fix PR Session management improvements and dashboard API #50101 merged later at commit 7b61ca1b0615... (2026-03-19)
• Compare: v2026.3.13-1...7b61ca1b0615... => status=ahead (fix commit is newer than the release)
• Runtime still shows the reported behavior on stable: openclaw status -> missing scope: operator.read while openclaw gateway status shows runtime/RPC healthy.

Request: please mark this as fixed on main, pending release (or reopen until a stable release includes #50101), so production users on stable aren’t misled by a closed state.

[maximizeGPT]

This captures the 2026.3.13 auth flow issues perfectly.

The 3-stage cascade you're seeing:

• token_missing (pre-auth rejection)
• Post-auth scope gap (scopes: [])
• Status/probe inconsistency

Same pattern reported in #46117 and #46100. They're all symptoms of the same underlying change.

What's happening: The 2026.3.13 auth flow has a race condition where:

• CLI sends token with operator.read scope
• Gateway validates token but doesn't propagate scopes to the probe handler
• Status check fails because probe sees scopes: []
• CLI retries, triggering the cascade

Immediate workaround:
Add to your openclaw.json:
{
"gateway": {
"auth": {
"mode": "trusted-proxy",
"trustedProxy": {
"allowLocalhost": true
}
}
}
}
This bypasses the token flow for localhost connections.

Note: Only use this for local development, not production.