docs: refresh control-ui shared-secret mirrors

docs/install/hetzner.md

@@ -225,7 +225,8 @@ For the generic Docker flow, see [Docker](/install/docker).
 
     `http://127.0.0.1:18789/`
 
-    Paste your gateway token.
+    Paste the configured shared secret. This guide uses the gateway token by
+    default; if you switched to password auth, use that password instead.
 
   </Step>
 </Steps>

docs/install/kubernetes.md

@@ -31,7 +31,8 @@ kubectl port-forward svc/openclaw 18789:18789 -n openclaw
 open http://localhost:18789
 ```
 
-Retrieve the gateway token and paste it into the Control UI:
+Retrieve the configured shared secret for the Control UI. This deploy script
+creates a gateway token by default:
 
 ```bash
 kubectl get secret openclaw-secrets -n openclaw -o jsonpath='{.data.OPENCLAW_GATEWAY_TOKEN}' | base64 -d

docs/web/control-ui.md

@@ -29,8 +29,12 @@ Auth is supplied during the WebSocket handshake via:
 - `connect.params.auth.password`
 - Tailscale Serve identity headers when `gateway.auth.allowTailscale: true`
 - trusted-proxy identity headers when `gateway.auth.mode: "trusted-proxy"`
-  The dashboard settings panel keeps a token for the current browser tab session and selected gateway URL; passwords are not persisted.
-  Onboarding generates a gateway token by default, so shared-secret setups usually paste that here on first connect.
+
+The dashboard settings panel keeps a token for the current browser tab session
+and selected gateway URL; passwords are not persisted. Onboarding generates a
+gateway token by default, so shared-secret setups usually paste that token here
+on first connect, but password auth works too when `gateway.auth.mode` is
+`"password"`.
 
 ## Device pairing (first connection)