Gateway Auth Bootstrap: generate and persist a token by default, so the gateway never starts unauthenticated
Problem/scenario: a gateway started without an explicit auth configuration can drift in policy and end up exposed. Prerequisites: you can edit the OpenClaw config and restart the gateway. Steps: check the current auth config → if nothing is set, let the system generate a token and write it into the config → set mode=none by hand only for an explicitly internal test scenario. Key commands: openclaw gateway status, openclaw gateway restart. Verify: after the restart the auth mode is token and the config contains gateway.auth.token. Risk: mode=none on a public-facing gateway is either rejected or leaves the gateway open; verify the bind-address policy first. Source: PR #20686.
Source: GitHub | Discovered 2026-02-19 | Author: gumadeiras
Prerequisites
- You can access and edit OpenClaw gateway config with restart permission.
- Gateway host binding strategy (loopback vs non-loopback) is known before changing auth mode.
Steps
- Run `openclaw gateway status` and check whether an auth mode and token are already configured.
- If auth is missing or unresolved, keep the default secure bootstrap: startup resolves to token mode and generates and persists a token automatically.
- Only for explicit local testing, set `gateway.auth.mode: "none"` by hand, and never combine it with a non-loopback bind address.
- Restart the gateway and verify the auth behaviour from a fresh client connection (one that has not cached the token).
Commands
- `openclaw gateway status`
- `openclaw gateway restart`
Verify
After restart, gateway reports token auth and unauthorized requests without token are rejected as expected.
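The bootstrap rule and the post-restart check above, as an added example. This is not OpenClaw's own code, and the config shape it assumes (a JSON document with `gateway.auth.mode`, `gateway.auth.token` and a `gateway.bind` host string) is an assumption made for illustration; the policy it encodes is the one the steps describe: unset auth resolves to token mode with a generated, persisted token, and `mode: none` is refused unless the bind address is loopback.

```python
"""Model of the gateway auth bootstrap policy described in this tip.

Added example, not OpenClaw's own implementation. The config keys used here
(gateway.auth.mode, gateway.auth.token, gateway.bind) are assumptions.
"""
import json
import secrets
import tempfile
from pathlib import Path
from typing import Optional

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


class AuthPolicyError(ValueError):
    """Raised when the requested auth configuration must not be started."""


def is_loopback(bind: str) -> bool:
    # Accepts a bare host or "[::1]" style bracketed IPv6 (assumed formats).
    return bind.strip("[]") in LOOPBACK_HOSTS


def resolve_auth(config: dict) -> dict:
    """Resolve gateway.auth in place and return the effective section.

    - mode missing/empty/"auto" -> "token", generating a token if absent
    - mode "token" without a token -> generate one
    - mode "none" on a non-loopback bind -> refuse to start
    """
    gw = config.setdefault("gateway", {})
    auth = gw.setdefault("auth", {})
    bind = gw.get("bind", "127.0.0.1")  # assumed default: loopback

    mode = auth.get("mode")
    if mode in (None, "", "auto"):
        mode = "token"
        auth["mode"] = mode

    if mode == "token":
        if not auth.get("token"):
            # 32 random bytes, URL-safe; persisted by the caller so it survives restarts.
            auth["token"] = secrets.token_urlsafe(32)
        return auth

    if mode == "none":
        if not is_loopback(bind):
            raise AuthPolicyError(
                f"gateway.auth.mode=none refused: bind {bind!r} is not loopback"
            )
        return auth

    raise AuthPolicyError(f"unknown gateway.auth.mode {mode!r}")


def bootstrap_config_file(path: Path) -> dict:
    """Load (or create) the config file, resolve auth, and write it back."""
    config = json.loads(path.read_text()) if path.exists() else {}
    resolve_auth(config)
    path.write_text(json.dumps(config, indent=2))  # persist the generated token
    return config


def check_request(auth: dict, presented_token: Optional[str]) -> bool:
    """Model of the post-restart check: no/wrong token must be rejected in token mode."""
    if auth["mode"] == "none":
        return True
    if presented_token is None:
        return False
    return secrets.compare_digest(auth["token"], presented_token)


def demo_persistence() -> tuple:
    """Bootstrap twice against the same file; the token must not change."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg_path = Path(tmp) / "openclaw.json"  # constructed path for the demo
        first = bootstrap_config_file(cfg_path)["gateway"]["auth"]["token"]
        second = bootstrap_config_file(cfg_path)["gateway"]["auth"]["token"]
        return first, second


if __name__ == "__main__":
    a, b = demo_persistence()
    print("token persisted across restarts:", a == b)
    try:
        resolve_auth({"gateway": {"bind": "0.0.0.0", "auth": {"mode": "none"}}})
    except AuthPolicyError as exc:
        print("refused:", exc)
```

Run it against a throwaway directory first; the refusal of `mode: none` on `0.0.0.0` is the behaviour the caveats below warn about, and the persistence check is what "config contains gateway.auth.token after restart" means in practice.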
Caveats
- `mode: none` is an advanced opt-out and should stay temporary; any internet-exposed deployment needs strict controls in front of it.
- Migrating from older, previously open deployments may require a manual audit of historical config files (needs verification).
Source attribution
This tip is aggregated from community/public sources and preserved with attribution.