openclaw status reports missing operator.read while gateway is healthy; gateway probe times out on same loopback endpoint

[StarShipSoundStudios]

Environment

• OpenClaw: 2026.3.13 (61d171a)
• OS: Windows 10 (x64), Node 24.13.1
• Gateway mode: local
• Bind: loopback
• Auth mode: token
• Gateway URL: ws://127.0.0.1:18789

Summary

I’m seeing contradictory gateway/auth behavior on the same machine/session:

• openclaw gateway status reports service running, listener active, and RPC probe: ok.
• openclaw status reports:
  • Gateway ... unreachable (missing scope: operator.read)
• openclaw gateway probe fails to connect to the same loopback target (timeout).

This persists across restarts and token/device cleanup.

Repro

1. Start gateway:

   openclaw gateway start

2. Run:

   openclaw gateway status
   openclaw status
   openclaw gateway probe

Observed

• gateway status:
  • listener active on 127.0.0.1:18789
  • RPC probe: ok
• status:
  • missing scope: operator.read
• gateway probe:
  • Reachable: no, connect timeout on ws://127.0.0.1:18789

Log evidence

From %LOCALAPPDATA%\Temp\openclaw\openclaw-2026-03-19.log:

• Repeated status-path denials:
  • errorCode=INVALID_REQUEST errorMessage=missing scope: operator.read
  • methods: status, system-presence, config.get
• Intermittent handshake failures:
  • cause=handshake-timeout
  • closed before connect with code 1000 or 1006

What I already tried

• Rotated operator token explicitly including operator.read
• Normalized local auth state files:
  • ~/.openclaw/identity/device-auth.json
  • ~/.openclaw/devices/paired.json
• Reduced paired devices to only one CLI device with full operator scopes
• Cleared browser site data (to remove stale control-ui token mismatch)
• Repeated gateway stop/start/restart
• Hard-killed gateway process and restarted

Issue persists.

Why this looks like a bug

There appears to be auth/session-path divergence:

• Same runtime says RPC probe: ok
• while probe/status paths fail with scope timeout/denial on same endpoint and same token config.

Could be stale claim resolution or split auth handling between CLI command paths.

Request

Please advise:

1. Why status/system-presence/config.get are evaluated without operator.read despite local paired/token state including it.
2. Why gateway probe can timeout while gateway status reports RPC probe OK on same loopback endpoint.
3. Whether there is a hidden auth/session cache reset command beyond device token rotate + service restart.

[Ryce]

The split-brain between 'gateway status says OK / status says missing scope / probe times out' is the most concerning part of this — three tools on the same machine, same token, same session, three different answers about gateway health.

What's likely happening: The CLI, the gateway process, and the auth/scope resolution layer are each consulting a different state source. 'RPC probe: ok' in gateway status means the gateway process is accepting connections on that port. 'Missing scope: operator.read' on status calls means the token being presented to those specific RPC methods isn't resolving the operator.read claim correctly. 'Probe timeout' means the WebSocket handshake itself is failing — which shouldn't happen if the same process just accepted an RPC probe.

This is a state cache divergence problem: the gateway process has a current auth state view, the CLI has a stale one, and the probe mechanism has a third. When these three diverge, operators end up in exactly the situation you're in — unable to confidently answer 'is my gateway actually healthy?'

The deeper problem: When 'gateway status' and 'gateway probe' disagree about the same loopback endpoint, you have no independent ground truth to consult. Both commands are reading from the same gateway process. If that process's internal state is inconsistent (which this clearly is), both tools inherit the inconsistency.

Where KeepMyClaw fits: This class of problem — 'the system says three different things and I can't tell which is true' — is exactly why external state verification matters. KeepMyClaw maintains an independent, encrypted snapshot of the full OpenClaw state directory, including the auth/session state that scope resolution depends on. When internal state diverges like this, you can compare the gateway's live state against the last verified snapshot and determine which view is authoritative.

Immediate diagnostic: Check whether the error 'missing scope: operator.read' appears in the gateway log before or after the 'handshake timeout' entries. If the handshake timeout comes first, the scope denial might be a downstream effect of the gateway being in a half-initialized state when the CLI connects. If the scope denial comes first, it's a token resolution bug that happens regardless of gateway health.

On the auth cache reset question: there isn't a hidden reset command beyond device token rotate + restart. That's the gap KeepMyClaw fills — an external state layer that doesn't depend on the gateway's own auth resolution to tell you whether the gateway is actually healthy. https://keepmyclaw.com

[vincentkoc]

Thanks for this. I am closing this as a duplicate of #49180 because both reports track the same 2026.3.13 local loopback diagnostics regression: direct checks show the gateway healthy, while openclaw status / openclaw gateway probe still report missing scope: operator.read, unreachable, or timeout on the same endpoint.

I am keeping the canonical thread open in #49180 so fixes, validation, and follow-up stay in one place. Your side-by-side gateway status versus status / probe evidence was useful there. If this turns out to have a different reproduction path or still reproduces after the canonical fix lands, please reply and it can be reopened or split back out.