Bug type
Behavior bug (incorrect output/state without crash)
Summary
openclaw gateway install writes the systemd unit with:
EnvironmentFiles=/home//.config/openclaw/gateway.env
But the rest of the OpenClaw ecosystem (docs, openclaw configure,
openclaw secrets configure, openclaw onboard) writes secrets to
~/.openclaw/.env.
This means $VAR references in openclaw.json (e.g. $OPENCLAW_GATEWAY_TOKEN,
$DISCORD_BOT_TOKEN) resolve from gateway.env at the systemd level, but
the CLI resolves them from ~/.openclaw/.env. If the two files have different
values, you get gateway token mismatch on every CLI command.
Suggested fix
Either:
- Set
EnvironmentFile=~/.openclaw/.env in the generated systemd unit, or
- Symlink
~/.config/openclaw/gateway.env → ~/.openclaw/.env during install
Steps to reproduce
- Run
openclaw gateway install
- Run
setup-secrets or manually write secrets to ~/.openclaw/.env
- Set
gateway.auth.token: "$OPENCLAW_GATEWAY_TOKEN" in openclaw.json
systemctl --user restart openclaw-gatewayopenclaw health → token mismatch
Expected behavior
Operational consistency without errors or "token mismatch"
Actual behavior
Token mismatch error... other issues with token functionality after security hardening with token $VARs
OpenClaw version
OpenClaw 2026.3.23-2
Operating system
Linux 6.17.0-19-generic x86_64 (Ubuntu 24)
Install method
Node v22.22.1
Model
n/a
Provider / routing chain
n/a
Additional provider/model setup details
systemd --user service
Logs, screenshots, and evidence
:~$ openclaw health
🦞 OpenClaw 2026.3.23-2 (7ffe7e4) — Making 'I'll automate that later' happen now.
│
gateway connect failed: GatewayClientRequestError: unauthorized: gateway token mismatch (provide gateway auth token)
◇
[openclaw] Failed to start CLI: Error: gateway closed (1008): unauthorized: gateway token mismatch (provide gateway auth token)
Gateway target: ws://127.0.0.1:18789
Impact and severity
No response
Additional information
Deeper issue with security of tokens being hardcoded into configs and requiring manual adjustment after secrets are written and symlinked
Bug type
Behavior bug (incorrect output/state without crash)
Summary
openclaw gateway installwrites the systemd unit with:EnvironmentFiles=/home//.config/openclaw/gateway.env
But the rest of the OpenClaw ecosystem (docs,
openclaw configure,openclaw secrets configure,openclaw onboard) writes secrets to~/.openclaw/.env.This means
$VARreferences in openclaw.json (e.g.$OPENCLAW_GATEWAY_TOKEN,$DISCORD_BOT_TOKEN) resolve fromgateway.envat the systemd level, butthe CLI resolves them from
~/.openclaw/.env. If the two files have differentvalues, you get
gateway token mismatchon every CLI command.Suggested fix
Either:
EnvironmentFile=~/.openclaw/.envin the generated systemd unit, or~/.config/openclaw/gateway.env→~/.openclaw/.envduring installSteps to reproduce
openclaw gateway installsetup-secretsor manually write secrets to~/.openclaw/.envgateway.auth.token: "$OPENCLAW_GATEWAY_TOKEN"in openclaw.jsonsystemctl --user restart openclaw-gatewayopenclaw health→ token mismatchExpected behavior
Operational consistency without errors or "token mismatch"
Actual behavior
Token mismatch error... other issues with token functionality after security hardening with token $VARs
OpenClaw version
OpenClaw 2026.3.23-2
Operating system
Linux 6.17.0-19-generic x86_64 (Ubuntu 24)
Install method
Node v22.22.1
Model
n/a
Provider / routing chain
n/a
Additional provider/model setup details
systemd --user service
Logs, screenshots, and evidence
Impact and severity
No response
Additional information
Deeper issue with security of tokens being hardcoded into configs and requiring manual adjustment after secrets are written and symlinked