sessions_spawn fails with pairing required on local loopback with token auth

[yuren19810323-pixel]

Issue: sessions_spawn fails with "pairing required" on local loopback with token auth

Environment

• OpenClaw version: 2026.4.8 (upgraded from 2026.4.2)
• OS: Windows 10 (10.0.26200, x64)
• Node: v24.14.1
• Gateway config: bind: loopback, auth.mode: token
• Channel: Feishu (direct chat)

Description

When calling sessions_spawn with runtime: "subagent" from an agent session, the spawned subagent fails to connect back to the gateway WebSocket with error:

gateway closed (1008): pairing required
Gateway target: ws://127.0.0.1:18789
Source: local loopback

This occurs despite:

1. Gateway running on loopback only (bind: loopback)
2. Token auth configured (gateway.auth.mode: "token")
3. The subagent inherits the gateway token from openclaw.json
4. Agent session is fully operational (can use all other tools, exec, web_search, etc.)

Root Cause Analysis

I traced through the source code and found the issue:

Connection Flow

The subagent connects via WebSocket with:

• client.id: cli (from GATEWAY_CLIENT_IDS.CLI)
• client.mode: cli (from GATEWAY_CLIENT_MODES.CLI)
• role: "operator" (from call-BjnDacVz.js:425)

Auth Check Path

1. evaluateMissingDeviceIdentity() in server.impl-WjqjRArz.js (~line 27570):

   • roleCanSkipDeviceIdentity("operator", sharedAuthOk) should return { kind: "allow" } when sharedAuthOk === true

2. shouldSkipLocalBackendSelfPairing() (~line 27641):

   • Requires client.mode === "backend", but subagent connects with mode: "cli"
   • This path is never taken for subagent connections

3. roleCanSkipDeviceIdentity() (~line 10387):

   • Returns true when role === "operator" && sharedAuthOk
   • This should work, but the subagent still gets rejected

Key Observation

The devices/ directory (~/.openclaw/credentials/devices/) is empty — no paired devices exist. The subagent generates a new device identity each time (resolveDeviceIdentityForGatewayCall() → loadOrCreateDeviceIdentity()), which has no matching paired device record.

It appears that sharedAuthOk may not be resolving to true for the subagent's connection, or the device identity check is happening before the shared auth check.

Relevant Code Locations

• call-BjnDacVz.js:420-425 — subagent connects as mode: CLI, role: "operator"
• server.impl-WjqjRArz.js:27433 — sharedAuthOk resolution
• server.impl-WjqjRArz.js:27560-27575 — evaluateMissingDeviceIdentity()
• server.impl-WjqjRArz.js:27641-27649 — shouldSkipLocalBackendSelfPairing()
• server.impl-WjqjRArz.js:10387-10388 — roleCanSkipDeviceIdentity()
• server.impl-WjqjRArz.js:28282 — final close(1008, "pairing required")

Expected Behavior

Subagent spawned by sessions_spawn on a local loopback gateway with token auth should be able to connect without requiring device pairing, since:

1. The connection is local (loopback)
2. Token auth is valid
3. The role is "operator"

Workaround

Using exec to call claude --print --permission-mode bypassPermissions directly works fine for coding tasks, completely bypassing the subagent WebSocket connection.

Reproduction

1. Set up OpenClaw on Windows with gateway.bind: loopback, gateway.auth.mode: token
2. Have a Feishu channel configured and working
3. From agent session, call sessions_spawn with runtime: "subagent" and any task
4. Observe: "gateway closed (1008): pairing required"

Suggested Fix

Either:

• Ensure sharedAuthOk resolves correctly for subagent connections on local loopback with token auth
• Or add a skip path for locally-spawned subagents similar to shouldSkipLocalBackendSelfPairing but for CLI-mode connections
• Or allow roleCanSkipDeviceIdentity to work regardless of device identity when auth is valid on loopback

[yuren19810323-pixel]

Update: Root Cause Found + Workaround

Root Cause

The subagent client uses the device identity from ~/.openclaw/identity/device.json. This device was already in ~/.openclaw/devices/paired.json but with only operator.read scope. The subagent connection requires broader scopes, causing the close(1008, 'pairing required') rejection despite valid token auth on loopback.

The key insight: there are TWO paths in the code:

1. evaluateMissingDeviceIdentity() — returns {kind: 'allow'} when hasDeviceIdentity=true
2. The device pairing path — checks getPairedDevice(device.id) and validates scopes

The subagent HAS a device identity (generated by loadOrCreateDeviceIdentity()), so it goes through path 2. But the paired record had insufficient scopes.

Workaround

Edit ~/.openclaw/devices/paired.json and update the device entry's scopes and approvedScopes to include all operator scopes:

"scopes": ["operator.admin", "operator.read", "operator.write", "operator.approvals", "operator.pairing"],
"approvedScopes": ["operator.admin", "operator.read", "operator.write", "operator.approvals", "operator.pairing"]

Then restart the Gateway.

Suggested Fix

When shouldSkipLocalBackendSelfPairing() returns true for a local loopback + token auth connection, the scope check should be relaxed or the device should be auto-upgraded, similar to how silent local pairing works.

[steipete]

Fixed on main by e640c0a95f, with the follow-up docs in 41b27024bb.

Root cause matched the analysis here: internal subagent/session RPCs could inherit the local CLI device identity. If that identity was already paired with only operator.read, the backend sessions_spawn coordination path hit a scope-upgrade pairing gate even though it was a trusted direct-loopback backend call authenticated with the shared gateway token.

The fix keeps default callGateway({ scopes }) calls as client.id="gateway-client" / client.mode="backend", and omits device identity only for direct-loopback backend RPCs authenticated with shared gateway token/password. Remote callers, browser/node clients, explicit deviceIdentity, and device-token paths still go through normal pairing and scope-upgrade approval.

Verification:

• pnpm test src/gateway/call.test.ts src/gateway/server.silent-scope-upgrade-reconnect.poc.test.ts
• pnpm check:changed
• live-tested against Peter's Mac Studio gateway: backend loopback health with operator.admin succeeded while the observed client used clientName: "gateway-client", mode: "backend", and deviceIdentity: null.

Closing as fixed.