Portainer/LAN 场景下“WebUI 可用但 CLI unauthorized”排障剧本

• OpenClaw is running in Docker/Portainer with editable compose stack.
• You can inspect gateway logs and environment variables for auth settings.
• LAN client and server can test direct host:port connectivity.

1. Confirm WebUI and CLI are targeting the same gateway endpoint and protocol (http/https/ws).
2. Verify token/pairing credentials in CLI config match server runtime config exactly.
3. Check container port mappings and reverse-proxy headers for websocket/auth passthrough issues.
4. Run CLI auth tests from both host machine and LAN client to isolate network-vs-config root cause.
5. After fix, document a known-good compose + gateway auth template to prevent repeat incidents.

• Source is a help thread (not a finalized postmortem); exact root cause may vary per stack（需验证）.
• Avoid exposing management ports directly to WAN while troubleshooting.

This tip is aggregated from community/public sources and preserved with attribution.