WhatsApp QR-unavailable/headless login needs phone-code fallback

[VishalJ99]

Summary

QR-based WhatsApp Web linking can be impractical from headless gateway hosts and can fail when the phone scanner does not pick up the terminal or dashboard QR. In a field relink attempt, the useful fallback was WhatsApp's linked-device Link with phone number flow.

Related locked issue: #15614
Draft PR adding the CLI fallback: #85866

Desired flow

openclaw channels login --channel whatsapp --account <account> --phone-number <country-code-and-number>

Then on the phone:

1. Open WhatsApp.
2. Go to Linked Devices.
3. Choose Link with phone number.
4. Enter the code printed by OpenClaw.

After this one-time auth step completes, OpenClaw should save the same WhatsApp Web credentials that QR login saves, and normal CLI send/receive/status flows should continue unchanged.

Notes from testing

• Phone-code pairing works best when the socket advertises a browser profile accepted by WhatsApp's phone-code flow.
• The phone number should be normalized to digits with country code before asking WhatsApp for the code.
• International notation with optional trunk prefixes, such as +44 (0) ..., should be rejected or clearly documented because keeping the 0 can request a code for the wrong number.
• A partial phone-code attempt can leave a creds.json with registered:false, me, and pairingCode, but no completed account/platform payload. That should not be treated as a linked session, and retry paths should clear it safely before starting a new login.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Latest ClawSweeper review: 2026-05-23 23:36 UTC / May 23, 2026, 7:36 PM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main and the latest release are still QR-only for WhatsApp login, and the requested phone-code path is a new channel auth capability rather than an already-fixed bug. The issue is also paired with an open draft implementation PR, so it should remain open until #85866 is reviewed, merged, or closed.

Reproducibility: not applicable. as a strict bug repro: current source and docs already show WhatsApp login is QR-only, and the request is for a new phone-code fallback rather than broken documented phone-code behavior.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Add expected vs actual behavior.
• Include redacted logs or terminal output.

Next step
No separate repair lane should start because the issue is already paired with an open draft PR that uses closing syntax and directly targets this behavior.

Review details

Best possible solution:

Review the linked implementation PR as the canonical path, keeping the fallback owned by the WhatsApp plugin with only the minimal generic channel-auth seam needed for CLI input.

Do we have a high-confidence way to reproduce the issue?

Not applicable as a strict bug repro: current source and docs already show WhatsApp login is QR-only, and the request is for a new phone-code fallback rather than broken documented phone-code behavior.

Is this the best way to solve the issue?

Unclear until the linked PR is reviewed: a WhatsApp-plugin-owned phone-code flow is directionally right, but the generic channel auth API/CLI expansion and stale partial-credential cleanup need maintainer approval and proof.

Label changes:

• add P2: The request would unblock a real WhatsApp login workflow on headless hosts, but it is a bounded channel-auth feature already paired with an open PR.
• add impact:auth-provider: The issue concerns channel authentication, persisted WhatsApp Web credentials, and login recovery behavior.
• add issue-rating: 🌊 off-meta tidepool: Current issue advisory state selects this label.
• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:needs-product-decision: Current issue advisory state selects this label.

Label justifications:

• P2: The request would unblock a real WhatsApp login workflow on headless hosts, but it is a bounded channel-auth feature already paired with an open PR.
• impact:auth-provider: The issue concerns channel authentication, persisted WhatsApp Web credentials, and login recovery behavior.

What I checked:

• current CLI surface: Current main registers openclaw channels login with --channel, --account, and --verbose, with no --phone-number option. (src/cli/channels-cli.ts:254, a1c2d093c2f9)
• current auth adapter contract: The channel auth adapter currently passes cfg/account/runtime/verbose/channelInput only, so a phone-number login mode would require expanding the channel auth surface. (src/channels/plugins/types.adapters.ts:361, a1c2d093c2f9)
• current WhatsApp login implementation: WhatsApp auth.login delegates to loginWeb, and loginWeb creates a socket with an onQr handler that tells the operator to scan a QR; there is no phone-code branch in this path. (extensions/whatsapp/src/login.ts:13, a1c2d093c2f9)
• current docs: The WhatsApp docs on main describe the login step as QR-based and warn that the current setup flow is QR-only for remote/headless hosts. Public docs: docs/channels/whatsapp.md. (docs/channels/whatsapp.md:63, a1c2d093c2f9)
• latest release behavior: The latest release tag has the same QR-only CLI/login shape, so the requested fallback is not already shipped in v2026.5.20. (src/cli/channels-cli.ts:254, e510042870cf)
• missing phone-code symbols: A targeted search found no WhatsApp login requestPairingCode, pairingCode, or --phone-number implementation in the relevant current-main source/docs paths; hits were unrelated phone metadata in inbound mention handling. (a1c2d093c2f9)

Likely related people:

• steipete: Current blame on the QR-only WhatsApp login/docs and prior commits on channel login resolution and QR wrapper refactors make this a strong routing candidate for the login surface. (role: recent area contributor; confidence: high; commits: 4c210e22fa97, 4c8bb05c8950, d25ad6606968; files: extensions/whatsapp/src/login.ts, extensions/whatsapp/src/login-qr.ts, extensions/whatsapp/src/channel.ts)
• Marcus Castro: Recent WhatsApp account connection lifecycle and multi-account isolation work is adjacent to account-scoped login and credential state behavior. (role: recent WhatsApp lifecycle contributor; confidence: medium; commits: aa023e428306, 458a52610a4d; files: extensions/whatsapp)
• Val Alexander: Auth-capable channel auto-selection work is directly adjacent to the generic channels login flow that a phone-number option would expand. (role: channel auth contributor; confidence: medium; commits: c8f4b8533d8b; files: src/cli/channel-auth.ts)
• neeravmakwana: Recent work on flushing WhatsApp credentials before reconnect is relevant to the partial credential and retry-cleanup notes in this issue. (role: credential persistence contributor; confidence: medium; commits: 405c63fb3277; files: extensions/whatsapp/src/session.ts, extensions/whatsapp/src/auth-store.ts)

Remaining risk / open question:

• The linked PR changes channel auth API/CLI shape and WhatsApp credential cleanup, so the issue should not be closed until that PR has maintainer review and real behavior proof for both fresh login and retry after partial phone-code credentials.

Codex review notes: model gpt-5.5, reasoning high; reviewed against a1c2d093c2f9.