- default:
http://<host>:18789/ - with
gateway.tls.enabled: true:https://<host>:18789/ - optional prefix: set
gateway.controlUi.basePath(e.g./openclaw)
Config (default-on)
Control UI is enabled by default when assets are present (dist/control-ui):
Webhooks
Whenhooks.enabled=true, the Gateway also exposes a webhook endpoint on the same HTTP server. See hooks in Gateway configuration reference for auth and payloads.
Admin HTTP RPC
POST /api/v1/admin/rpc exposes selected Gateway control-plane methods over HTTP. Off by default; registered only when the admin-http-rpc plugin is enabled. See Admin HTTP RPC for the auth model, allowed methods, and comparison with the WebSocket API.
Tailscale access
- Integrated Serve (recommended)
- Tailnet bind + token
- Public internet (Funnel)
Keep the Gateway on loopback and let Tailscale Serve proxy it:Start the gateway:Open
https://<magicdns>/ (or your configured gateway.controlUi.basePath).Security notes
- Gateway auth is required by default: token, password, trusted-proxy, or Tailscale Serve identity headers when enabled.
- Non-loopback binds still require gateway auth: token/password auth or an identity-aware reverse proxy with
gateway.auth.mode: "trusted-proxy". - The onboarding wizard creates shared-secret auth by default and usually generates a gateway token, even on loopback.
- In shared-secret mode, the UI sends
connect.params.auth.tokenorconnect.params.auth.passwordduring the WebSocket handshake. - With
gateway.tls.enabled: true, local dashboard/status helpers renderhttps://URLs andwss://WebSocket URLs. - In identity-bearing modes (Tailscale Serve,
trusted-proxy), the WebSocket auth check is satisfied from request headers instead of a shared secret. - For public non-loopback Control UI deployments, set
gateway.controlUi.allowedOriginsexplicitly (full origins). Private same-origin loads are accepted without it for loopback, RFC1918/link-local,.local,.ts.net, and Tailscale CGNAT hosts. gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback: trueenables Host-header origin fallback; this is a dangerous security downgrade.- With Serve, Tailscale identity headers satisfy Control UI/WebSocket auth when
gateway.auth.allowTailscale: true(no token/password required). HTTP API endpoints do not use Tailscale identity headers; they always follow the gateway’s normal HTTP auth mode. Setgateway.auth.allowTailscale: falseto require explicit credentials even over Serve. This tokenless flow assumes the gateway host itself is trusted. See Tailscale and Security.
Building the UI
The Gateway serves static files fromdist/control-ui: