[Feature]: doctor/status should warn when OPENCLAW_GATEWAY_TOKEN in ~/.openclaw/.env overrides gateway.auth.token

[grzesiolpl]

Summary

Warn users when a stale OPENCLAW_GATEWAY_TOKEN in ~/.openclaw/.env overrides gateway.auth.token in local gateway mode.

Problem to solve

After updating OpenClaw, my local gateway entered a confusing split-brain auth state.

I had gateway.auth.token configured in ~/.openclaw/openclaw.json, but ~/.openclaw/.env also contained OPENCLAW_GATEWAY_TOKEN. I did not manually set this env token; it appears to have been created or left by OpenClaw setup/update/install flow.

Because OPENCLAW_GATEWAY_TOKEN takes precedence over gateway.auth.token, some local auth/probe paths used the stale env token while others used the config token.

This caused confusing symptoms:

• gateway token mismatch
• health/Dashboard/CLI auth disagreement
• gateway status sometimes showed reachable/admin-capable
• openclaw health failed with token mismatch or timeout
• Dashboard connected but messages were stuck/spinning
• Discord/WhatsApp behavior was inconsistent until the stale env token was removed

Current behavior is insufficient because the gateway can look partially healthy while different local clients disagree on auth. The stale ~/.openclaw/.env token was not obvious until manually checking env precedence.

Proposed solution

Add a diagnostic guardrail in doctor/status that detects this condition:

• gateway.mode is local
• gateway.auth.token is configured in ~/.openclaw/openclaw.json
• ~/.openclaw/.env contains a non-empty OPENCLAW_GATEWAY_TOKEN

When detected, warn that env credentials override config and may be stale.

The warning should:

• not print the token or any secret
• mention the source path ~/.openclaw/.env
• explain that OPENCLAW_GATEWAY_TOKEN overrides gateway.auth.token
• suggest removing or syncing OPENCLAW_GATEWAY_TOKEN
• suggest restarting the gateway afterward

Ideally surface this in:

• openclaw doctor
• openclaw status / status --all
• openclaw gateway status --deep
• gateway install/update flows when auth token rotation or service reinstall happens

Alternatives considered

Manually checking ~/.openclaw/.env works, but users are unlikely to know that this file can override openclaw.json.

Automatically deleting the env token may be too aggressive because some users may intentionally use env-based auth.

A warning is safer: it preserves existing behavior, does not expose secrets, and points users to the exact source of the mismatch.

Impact

Affected users/systems/channels:
Local OpenClaw users running the gateway in local mode with token auth, especially after update/install/onboarding flows that rotate or recreate gateway.auth.token.

Severity:
High when it occurs, because it can block Dashboard, health checks, CLI probes, and channels while still making the gateway look partially healthy.

Frequency:
Intermittent / post-update edge case, but very hard to diagnose when it happens.

Consequence:
Users can spend a long time debugging token mismatch, health timeouts, Dashboard hangs, and inconsistent Discord/WhatsApp behavior. The fix is simple once found, but the current diagnostics do not clearly point to stale ~/.openclaw/.env credentials.

Evidence/examples

Observed on:

• OpenClaw 2026.4.26 (be8c246)
• macOS 15.2 x64
• Node 24.15.0
• local loopback gateway on 127.0.0.1:18789

Relevant findings:

• ~/.openclaw/openclaw.json had gateway.auth.token configured
• ~/.openclaw/.env contained OPENCLAW_GATEWAY_TOKEN
• removing OPENCLAW_GATEWAY_TOKEN / OPENCLAW_GATEWAY_PASSWORD / OPENCLAW_GATEWAY_URL from ~/.openclaw/.env and restarting the gateway fixed the auth mismatch

Symptoms before removing the stale env token:

• gateway token mismatch
• openclaw health failed with token mismatch or timeout
• gateway status sometimes showed reachable/admin-capable
• Dashboard connected but agent messages were stuck/spinning
• Discord/WhatsApp behavior was inconsistent

No secrets should be printed in diagnostics; just showing that OPENCLAW_GATEWAY_TOKEN is set in ~/.openclaw/.env would have been enough.

Additional information

This was debugged with help from the OpenClaw Discord with Krill.

Suggested acceptance criteria:

• Detect local gateway mode + configured gateway.auth.token + non-empty OPENCLAW_GATEWAY_TOKEN in ~/.openclaw/.env
• Do not print either secret
• Warn that env credentials override config and may be stale
• Suggest removing/syncing OPENCLAW_GATEWAY_TOKEN in ~/.openclaw/.env
• Suggest restarting the gateway
• Surface the warning in doctor, status, and ideally install/update flows

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main still has the env/config gateway-token precedence split and lacks the requested redacted state-dir .env mismatch diagnostic; open PR #74433 is the unmerged implementation candidate, so this issue should stay open until that PR lands or is replaced.

Reproducibility: yes. A high-confidence source-backed path is local gateway mode with gateway.auth.token in config and a different non-empty OPENCLAW_GATEWAY_TOKEN loaded from state-dir .env, which exercises env-first call/probe credentials against config-first gateway auth.

Next step
No repair lane is needed because open PR #74433 already references this issue with closing syntax and is the focused implementation candidate.

Review details

Best possible solution:

Keep this issue as the canonical report and resolve it by landing #74433 or a replacement that adds one shared redacted mismatch diagnostic for differing non-empty state-dir OPENCLAW_GATEWAY_TOKEN and configured gateway.auth.token.

Do we have a high-confidence way to reproduce the issue?

Yes. A high-confidence source-backed path is local gateway mode with gateway.auth.token in config and a different non-empty OPENCLAW_GATEWAY_TOKEN loaded from state-dir .env, which exercises env-first call/probe credentials against config-first gateway auth.

Is this the best way to solve the issue?

Yes. A warning is the narrowest maintainable solution because it preserves intentional env-based auth, avoids deleting credentials, and can be shared across diagnostic surfaces without printing secrets.

What I checked:

• Current main reviewed: Read-only inspection was against current main at 5f5e0a3633c2851be00145ed6c44435f8f9f3c03; final git status --short was clean. (5f5e0a3633c2)
• Credential precedence split is source-backed: The parity test still documents local mode where env credentials feed call/probe paths while gateway auth/status remain config-first, matching the reported split-brain class. (src/gateway/credential-precedence.parity.test.ts:73, 5f5e0a3633c2)
• Gateway auth resolves config first: Gateway auth resolution passes tokenPrecedence: "config-first", so a configured gateway.auth.token can differ from env-first command paths. (src/gateway/auth-resolve.ts:63, 5f5e0a3633c2)
• Command credential helper defaults env first: resolveGatewayCredentialsFromValues reads OPENCLAW_GATEWAY_TOKEN and defaults token precedence to env-first unless a caller overrides it. (src/gateway/credentials.ts:82, 5f5e0a3633c2)
• State-dir dotenv source exists: readStateDirDotEnvVarsFromStateDir can parse $OPENCLAW_STATE_DIR/.env / ~/.openclaw/.env without exposing values, so the requested diagnostic has an existing source to inspect. (src/config/state-dir-dotenv.ts:36, 5f5e0a3633c2)
• Requested warning is not implemented on main: Targeted search found no check id or warning text for OPENCLAW_GATEWAY_TOKEN overriding gateway.auth.token; state-dir dotenv imports are currently in install/auth policy helpers, not doctor/status warning surfaces. (5f5e0a3633c2)

Likely related people:

• yelog: Opened PR fix(doctor): warn when OPENCLAW_GATEWAY_TOKEN env overrides gateway.auth.token config #74433 with closing syntax for this exact diagnostic and a proposed doctor/security-audit implementation. (role: active implementation candidate; confidence: high; commits: bdb5df8499a6; files: src/commands/doctor-security.ts, src/commands/doctor-security.test.ts)
• Josh Avant: Commit 72cf9253fcb5 added SecretRef support for gateway.auth.token and touched the gateway auth, doctor, status, install, and docs surfaces that define this credential boundary. (role: adjacent gateway auth feature introducer; confidence: medium; commits: 72cf9253fcb5; files: src/gateway/credentials.ts, src/commands/doctor-gateway-auth-token.ts, src/commands/status.gateway-probe.ts)
• Vincent Koc: Current-main blame in this checkout maps the central precedence test, state-dir dotenv parser, doctor-security function, and auth resolver lines through bcfa5bc32b; the commit is broad, so this is useful for routing but not strong authorship evidence. (role: recent current-main maintainer signal; confidence: low; commits: bcfa5bc32b78; files: src/gateway/credential-precedence.parity.test.ts, src/config/state-dir-dotenv.ts, src/commands/doctor-security.ts)

Remaining risk / open question:

• Surface coverage remains unresolved until fix(doctor): warn when OPENCLAW_GATEWAY_TOKEN env overrides gateway.auth.token config #74433 or a replacement decides exactly where to warn across doctor, status, gateway status, and install/update flows.
• The stale-token origin is based on reporter recollection of older setup/install drift; the mismatch diagnostic is still valid even if some users created the env token manually.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5f5e0a3633c2.

[martingarramon]

The precedence is documented in src/agents/tools/gateway.test.ts:63-95 on origin/main: OPENCLAW_GATEWAY_TOKEN (env) takes precedence over gateway.auth.token (config) for local-override paths, with config as the fallback when env is unset.

For the doctor warning, the natural place is alongside the existing gateway.auth.token validation in doctor's state-integrity probes. A diagnostic could read ~/.openclaw/.env (the same path setup/install flows write to), check for OPENCLAW_GATEWAY_TOKEN presence, cross-check against the resolved gateway.auth.token from config, and emit a "shadowed config" warning if they differ.

One clarifying question @grzesiolpl: was the stale env token written by an older OpenClaw version's setup, or by a manual install step that's no longer in the docs? The answer shapes the right warning scope — setup-flow drift suggests the warning should also cite the offending setup version, while a manual user-added token is closer to a generic "shadowed config" surface.

[grzesiolpl]

I’m pretty sure it was written by an older OpenClaw setup/install flow, not manually by me.

I never manually added OPENCLAW_GATEWAY_TOKEN to ~/.openclaw/.env and did not know that file was involved until debugging this issue. My best recollection is that the env token came from an older OpenClaw version/setup from around March, then survived later updates.

After updating to 2026.4.26, gateway.auth.token in openclaw.json was rotated/changed, but the old OPENCLAW_GATEWAY_TOKEN remained in ~/.openclaw/.env and kept shadowing the config token in some paths.

So I think this is setup-flow drift rather than a user-added/manual env override.

[martingarramon]

Precedence is documented at gateway.test.ts:63-95: OPENCLAW_GATEWAY_TOKEN (env) wins over gateway.auth.token (config). Doctor surface for the warn:

Natural location is src/commands/doctor/checks/gateway-auth.ts (or wherever checkGatewayAuthToken lives — gateway-auth surface, not status, since status is read-mostly. Surface mapping is the unverified piece; the precedence chain itself is documented).

Fire conditions:

1. OPENCLAW_GATEWAY_TOKEN set in ~/.openclaw/.env (parse the file, not just process.env — the dotfile is what the next gateway boot loads)
2. AND gateway.auth.token set in openclaw.json
3. AND the values differ

If all three: warn-level diagnostic with both source paths and the precedence note ("env wins; remove OPENCLAW_GATEWAY_TOKEN from .env to use config token").

Skip the warn when env-only or config-only is set — those are supported configurations. Targets only the split-brain mismatch state @grzesiolpl described.

PR-ready if gateway-auth is the right doctor surface; flag if you'd prefer status or a separate health check.