docs/web/index.md
The Gateway serves a small browser Control UI (Vite + Lit) from the same port as the Gateway WebSocket:
http://<host>:18789/gateway.tls.enabled: true: https://<host>:18789/gateway.controlUi.basePath (e.g. /openclaw)Capabilities live in Control UI. This page covers bind modes, security, and other web-facing surfaces.
Control UI is enabled by default when assets are present (dist/control-ui):
{
gateway: {
controlUi: { enabled: true, basePath: "/openclaw" }, // basePath optional
},
}
When hooks.enabled=true, the Gateway also exposes a webhook endpoint on the same HTTP server. See hooks in Gateway configuration reference for auth and payloads.
POST /api/v1/admin/rpc exposes selected Gateway control-plane methods over HTTP. Off by default; registered only when the admin-http-rpc plugin is enabled. See Admin HTTP RPC for the auth model, allowed methods, and comparison with the WebSocket API.
```json5
{
gateway: {
bind: "loopback",
tailscale: { mode: "serve" },
},
}
```
Start the gateway:
```bash
openclaw gateway
```
Open `https://<magicdns>/` (or your configured `gateway.controlUi.basePath`).
Start the gateway (this non-loopback example uses shared-secret token auth):
```bash
openclaw gateway
```
Open `http://<tailscale-ip>:18789/` (or your configured `gateway.controlUi.basePath`).
`tailscale.mode: "funnel"` requires `gateway.auth.mode: "password"`; Serve and Funnel both require `gateway.bind: "loopback"`.
gateway.auth.mode: "trusted-proxy".connect.params.auth.token or connect.params.auth.password during the WebSocket handshake.gateway.tls.enabled: true, local dashboard/status helpers render https:// URLs and wss:// WebSocket URLs.trusted-proxy), the WebSocket auth check is satisfied from request headers instead of a shared secret.gateway.controlUi.allowedOrigins explicitly (full origins). Private same-origin loads are accepted without it for loopback, RFC1918/link-local, .local, .ts.net, and Tailscale CGNAT hosts.gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback: true enables Host-header origin fallback; this is a dangerous security downgrade.gateway.auth.allowTailscale: true (no token/password required). HTTP API endpoints do not use Tailscale identity headers; they always follow the gateway's normal HTTP auth mode. Set gateway.auth.allowTailscale: false to require explicit credentials even over Serve. This tokenless flow assumes the gateway host itself is trusted. See Tailscale and Security.The Gateway serves static files from dist/control-ui:
pnpm ui:build