openclaw devices
Manage device pairing requests and device-scoped tokens.
Common options
--url <url>: Gateway WebSocket URL (defaults togateway.remote.urlwhen configured)--token <token>: Gateway token (if required)--password <password>: Gateway password (password auth)--timeout <ms>: RPC timeout--json: JSON output (recommended for scripting)
Commands
openclaw devices list
List pending pairing requests and paired devices.
openclaw devices approve [requestId] [--latest]
Approve a pending pairing request by exact requestId. Omitting requestId, or passing --latest, only previews the newest pending request and exits (code 1); rerun with the exact request ID to approve.
If a device retries pairing with changed auth details (role, scopes, or public key), OpenClaw supersedes the previous pending entry with a new
requestId. Run openclaw devices list right before approval to get the current id.- If the device is already paired and requests broader scopes or role, OpenClaw keeps the existing approval and creates a new pending upgrade request. Compare
RequestedvsApprovedinopenclaw devices list, or preview with--latest, before approving. - Approving a
noderole or other non-operator role requiresoperator.admin.operator.pairingis enough for operator-device approvals, but only when the requested operator scopes stay within the caller’s own scopes. See Operator scopes. - If
gateway.nodes.pairing.autoApproveCidrsis configured, first-timerole: noderequests from matching client IPs can be auto-approved before they appear in this list. Disabled by default; never applies to operator/browser clients or upgrade requests.
openclaw devices reject <requestId>
Reject a pending device pairing request.
openclaw devices remove <deviceId>
Remove one paired device entry.
operator.admin.
openclaw devices clear --yes [--pending]
Clear paired devices in bulk. Gated by --yes.
--pending also rejects all pending pairing requests.
openclaw devices rotate --device <id> --role <role> [--scope <scope...>]
Rotate a device token for a role, optionally updating its scopes.
- The target role must already exist in that device’s approved pairing contract; rotation cannot mint a new unapproved role.
- Omitting
--scopereuses the stored token’s cached approved scopes on later reconnects. Passing explicit--scopevalues replaces the stored scope set for future cached-token reconnects. - A non-admin paired-device caller can rotate only its own device token, and the target scope set must stay within the caller’s own operator scopes; rotation cannot mint or preserve a broader token than the caller already has.
openclaw devices revoke --device <id> --role <role>
Revoke a device token for a role.
operator.admin. The target scope set must also fit within the caller’s own operator scopes; pairing-only callers cannot revoke admin/write operator tokens.
Notes
- These commands require
operator.pairing(oroperator.admin) scope. Non-operator device roles always requireoperator.admin; see Operator scopes. - Token rotation and revocation stay inside the device’s approved pairing role set and scope baseline. A stray cached token entry does not grant a token-management target.
- For paired-device token sessions, cross-device management (
remove,rotate,revoke) is self-only unless the caller hasoperator.admin. - Token rotation returns a new token (sensitive) — treat it like a secret.
- If pairing scope is unavailable on local loopback and no explicit
--urlis passed,list/approvecan fall back to local pairing state.
Token drift recovery checklist
Use this when Control UI or other clients keep failing withAUTH_TOKEN_MISMATCH, AUTH_DEVICE_TOKEN_MISMATCH, or AUTH_SCOPE_MISMATCH.
-
Confirm current gateway token source:
-
List paired devices and identify the affected device id:
-
Rotate the operator token for the affected device:
-
If rotation is not enough, remove the stale pairing and approve again:
- Retry the client connection with the current shared token/password.
- Normal reconnect auth precedence: explicit shared token/password first, then explicit
deviceToken, then stored device token, then bootstrap token. - Trusted
AUTH_TOKEN_MISMATCHrecovery can temporarily send both the shared token and the stored device token together for one bounded retry. AUTH_SCOPE_MISMATCHmeans the device token was recognized but does not carry the requested scope set; fix the pairing/scope approval contract before changing shared gateway auth.
Paperclip / openclaw_gateway first-run approval
Paperclip agents connecting through the openclaw_gateway adapter go through the same first-run device pairing approval as any other new client. If Paperclip reports openclaw_gateway_pairing_required, approve the pending device and retry.
openclaw devices approve <requestId> command; verify the details, then rerun that command with the request ID to approve it. For a remote gateway or explicit credentials, pass the same options while previewing and approving:
adapterConfig.devicePrivateKeyPem in Paperclip instead of letting it generate a new ephemeral device identity each run:
openclaw devices list first to confirm a pending request exists.