docs/cli/devices.md
openclaw devicesManage device pairing requests and device-scoped tokens.
--url <url>: Gateway WebSocket URL (defaults to gateway.remote.url when configured)--token <token>: Gateway token (if required)--password <password>: Gateway password (password auth)--timeout <ms>: RPC timeout--json: JSON output (recommended for scripting)openclaw devices listList pending pairing requests and paired devices.
openclaw devices list
openclaw devices list --json
For a pending request on an already-paired device, the output shows requested access next to the device's current approved access, so scope/role upgrades are visible instead of looking like a lost pairing.
openclaw devices approve [requestId] [--latest]Approve a pending pairing request by exact requestId. Omitting requestId, or passing --latest, only previews the newest pending request and exits (code 1); rerun with the exact request ID to approve.
openclaw devices approve
openclaw devices approve <requestId>
openclaw devices approve --latest
Approval behavior:
Requested vs Approved in openclaw devices list, or preview with --latest, before approving.node role or other non-operator role requires operator.admin. operator.pairing is enough for operator-device approvals, but only when the requested operator scopes stay within the caller's own scopes. See Operator scopes.gateway.nodes.pairing.autoApproveCidrs is configured, first-time role: node requests from matching client IPs can be auto-approved before they appear in this list. Disabled by default; never applies to operator/browser clients or upgrade requests.openclaw devices reject <requestId>Reject a pending device pairing request.
openclaw devices reject <requestId>
openclaw devices remove <deviceId>Remove one paired device entry.
openclaw devices remove <deviceId>
openclaw devices remove <deviceId> --json
A caller authenticated with a paired device token can remove only its own device entry. Removing another device requires operator.admin.
openclaw devices clear --yes [--pending]Clear paired devices in bulk. Gated by --yes.
openclaw devices clear --yes
openclaw devices clear --yes --pending
openclaw devices clear --yes --pending --json
--pending also rejects all pending pairing requests.
openclaw devices rotate --device <id> --role <role> [--scope <scope...>]Rotate a device token for a role, optionally updating its scopes.
openclaw devices rotate --device <deviceId> --role operator --scope operator.read --scope operator.write
--scope reuses the stored token's cached approved scopes on later reconnects. Passing explicit --scope values replaces the stored scope set for future cached-token reconnects.Returns rotation metadata as JSON. If the caller rotates its own token while authenticated with that device token, the response includes the replacement token so the client can persist it before reconnecting. Shared/admin rotations never echo the bearer token.
openclaw devices revoke --device <id> --role <role>Revoke a device token for a role.
openclaw devices revoke --device <deviceId> --role node
A non-admin paired-device caller can revoke only its own device token. Revoking another device's token requires operator.admin. The target scope set must also fit within the caller's own operator scopes; pairing-only callers cannot revoke admin/write operator tokens.
operator.pairing (or operator.admin) scope. Non-operator device roles always require operator.admin; see Operator scopes.remove, rotate, revoke) is self-only unless the caller has operator.admin.--url is passed, list/approve can fall back to local pairing state.Use this when Control UI or other clients keep failing with AUTH_TOKEN_MISMATCH, AUTH_DEVICE_TOKEN_MISMATCH, or AUTH_SCOPE_MISMATCH.
Confirm current gateway token source:
openclaw config get gateway.auth.token
List paired devices and identify the affected device id:
openclaw devices list
Rotate the operator token for the affected device:
openclaw devices rotate --device <deviceId> --role operator
If rotation is not enough, remove the stale pairing and approve again:
openclaw devices remove <deviceId>
openclaw devices list
openclaw devices approve <requestId>
Retry the client connection with the current shared token/password.
Notes:
deviceToken, then stored device token, then bootstrap token.AUTH_TOKEN_MISMATCH recovery can temporarily send both the shared token and the stored device token together for one bounded retry.AUTH_SCOPE_MISMATCH means the device token was recognized but does not carry the requested scope set; fix the pairing/scope approval contract before changing shared gateway auth.Related:
openclaw_gateway first-run approvalPaperclip agents connecting through the openclaw_gateway adapter go through the same first-run device pairing approval as any other new client. If Paperclip reports openclaw_gateway_pairing_required, approve the pending device and retry.
openclaw devices approve --latest
The preview prints the exact openclaw devices approve <requestId> command; verify the details, then rerun that command with the request ID to approve it. For a remote gateway or explicit credentials, pass the same options while previewing and approving:
openclaw devices approve --latest --url <gateway-ws-url> --token <gateway-token>
To avoid re-approving after every restart, configure a persistent adapterConfig.devicePrivateKeyPem in Paperclip instead of letting it generate a new ephemeral device identity each run:
{
"adapterConfig": {
"devicePrivateKeyPem": "<ed25519-private-key-pkcs8-pem>"
}
}
If approval keeps failing, run openclaw devices list first to confirm a pending request exists.