[Bug]: Telegram native approvals auto-enables on 2026.4.8 and spams "too many failed authentication attempts" in a retry loop

[SteveTsai66]

Bug type

Regression (worked before, now fails)

Beta release blocker

No

Summary

After upgrading to 2026.4.8, the Telegram native approvals subsystem
auto-enables (as documented in FAQ for 4.8) but immediately fails
authentication in a tight retry loop, spamming the log every ~1 second
and causing the gateway to become rate-limited, which also breaks the
Control UI dashboard (Internal Server Error).

Steps to reproduce

1. Have a working Telegram channel configured with allowFrom set to
   a numeric user ID
2. Do NOT set channels.telegram.execApprovals.enabled (leave unset,
   so it defaults to "auto")
3. Upgrade to 2026.4.8
4. Start the gateway

Expected behavior

Native approvals should either:

• Successfully obtain a loopback token and connect, OR
• Fail gracefully with a clear error and stop retrying

Actual behavior

Gateway log spams the following every ~1 second continuously:

[telegram] failed to start native approval handler: 
GatewayClientRequestError: unauthorized: too many failed 
authentication attempts (retry later)

[ws] unauthorized conn=... client=Telegram Native Approvals (default) 
backend v2026.4.8 reason=rate_limited

The health endpoint for native approvals shows:
"running": false
"tokenSource": "none"

The retry loop causes the gateway's rate limiter to trigger, which blocks
the Control UI dashboard with Internal Server Error.

OpenClaw version

2026.4.8

Operating system

Linux arm64 (Raspberry Pi 3, Ubuntu) + Windows WSL2

Install method

npm global

Model

na

Provider / routing chain

na

Additional provider/model setup details

No response

Logs, screenshots, and evidence

Impact and severity

No response

Additional information

Workaround

Explicitly disabling native approvals stops the retry loop:

openclaw config set channels.telegram.execApprovals.enabled false

The config hot-reloads immediately without gateway restart.

Config (redacted)

"channels": {
  "telegram": {
    "enabled": true,
    "botToken": "<redacted>",
    "dmPolicy": "allowlist",
    "allowFrom": [<numeric_user_id>],
    "streaming": { "mode": "partial" }
  }
},
"approvals": {
  "exec": {
    "enabled": true,
    "mode": "targets",
    "targets": [{ "channel": "telegram", "to": "<numeric_user_id>" }]
  }
}

Notes

• The tokenSource: "none" in the health endpoint suggests native
  approvals cannot locate a valid gateway token for loopback auth
• Gateway auth mode is token with OPENCLAW_GATEWAY_TOKEN in .env
• Reproduced on both Pi3 (arm64) and Windows WSL2 after upgrading to 4.8
• Same issue occurs regardless of whether channels.telegram.execApprovals
  is explicitly set or left unset

[clawsweeper]

Closing this as implemented after Codex automated review.

Current main already fixes the 2026.4.8 Telegram native-approvals regression well enough to close this issue. Telegram native exec approvals no longer auto-enable from an unset channels.telegram.execApprovals.enabled; the shared enablement helper requires true or "auto", Telegram has regression coverage for the unset/allowFrom case, and the monitor only registers the native approval handler when that gate passes. The gateway side also preserves direct-local backend gateway-client approval scopes, covering the internal native approval client path. The broader service-identity cleanup remains tracked separately by #69066, but this reported 4.8 auto-enable/auth-loop symptom is implemented on main and shipped in v2026.4.23.

Best possible solution:

Close this issue as implemented on main. Keep the shipped explicit-enable Telegram approval gate and backend gateway-client auth compatibility tests; use #69066 for the broader future service-identity/auth design rather than keeping this 2026.4.8 regression open.

What I checked:

• Shared native approval enablement now requires explicit true/auto: isChannelExecApprovalClientEnabledFromConfig returns false unless approvers exist and enabled is exactly true or "auto"; unset config no longer auto-enables a native approval client just because approvers resolve. (src/plugin-sdk/approval-client-helpers.ts:40, 2f6615d2ee9d)
• Telegram config gate prevents missing-token/native handler enablement: Telegram resolves no exec-approval config as undefined, forces enabled: false when the account is disabled or has tokenSource === "none", and its handler-configured check delegates to the shared explicit enablement helper. (extensions/telegram/src/exec-approvals.ts:35, 2f6615d2ee9d)
• Telegram regression coverage matches the issue's unset allowFrom case: The Telegram test suite asserts that no config, enabled: true without approvers, inferred allowFrom, and approvers without enabled all remain disabled; only enabled: "auto" with approvers enables native approvals, and enabled: false stays disabled. (extensions/telegram/src/exec-approvals.test.ts:113, 2f6615d2ee9d)
• Telegram monitor registers native approval runtime only after the gate passes: Both webhook and polling startup paths call registerChannelRuntimeContext for Telegram native approvals only when isTelegramExecApprovalHandlerConfigured(...) is true, so the handler that logged the retry loop is not started for the old unset default case. (extensions/telegram/src/monitor.ts:132, 2f6615d2ee9d)
• Internal approval client path is covered as backend gateway-client auth: Native approval handlers use the shared operator-approvals gateway client, which connects as gateway-client in BACKEND mode with operator.approvals; current gateway compatibility tests preserve scopes for direct-local backend shared-token and shared-password connects without device pairing. (src/gateway/operator-approvals-client.ts:21, 2f6615d2ee9d)
• Release notes show the fix shipped: The v2026.4.23 changelog says chat exec approval clients now require explicit enablement instead of auto-enabling when approvers resolve, and also notes startup handling that lets native handlers report ready after gateway auth while replaying approvals in the background. (CHANGELOG.md:703, 2f6615d2ee9d)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against 2f6615d2ee9d; fix evidence: release v2026.4.23, commit 527d7211e032.

[prtags]

Related work from PRtags group rare-impala-09en

Title: telegram: native approvals pairing and scope-upgrade loops

Number	Title
#63381*	[Bug]: Telegram native approvals auto-enables on 2026.4.8 and spams "too many failed authentication attempts" in a retry loop
#65690	native-approvals subsystem fails with 'pairing required' loop after 2026.4.8 upgrade (Telegram channel)
#68254	[Bug]: Internal "Telegram Native Approvals" handler cannot be paired in Docker loopback-only deployment (2026.4.14)
#68634	[Bug]: CLI commands repeatedly trigger scope-upgrade requests + Telegram Native Approvals fails with pairing required, generating persistent pending approvals
#68739	Telegram native approvals still start with execApprovals.enabled=false, then loop on pairing required (scope-upgrade)
#69214	[Bug]: Gateway client gets stuck in scope-upgrade repair loop for Telegram Native Approvals
#70687	Bug: Scope upgrade pending approval error after upgrade to 2026.4.21

* This issue