diff --git a/src/browser/control-auth.ts b/src/browser/control-auth.ts
index 8c828bcaad1..636d771ed34 100644
--- a/src/browser/control-auth.ts
+++ b/src/browser/control-auth.ts
@@ -58,6 +58,11 @@ export async function ensureBrowserControlAuth(params: {
     return { auth };
   }
 
+  // Respect explicit trusted-proxy mode (no token/password needed).
+  if (params.cfg.gateway?.auth?.mode === "trusted-proxy") {
+    return { auth };
+  }
+
   // Re-read latest config to avoid racing with concurrent config writers.
   const latestCfg = loadConfig();
   const latestAuth = resolveBrowserControlAuth(latestCfg, env);
@@ -67,6 +72,9 @@ export async function ensureBrowserControlAuth(params: {
   if (latestCfg.gateway?.auth?.mode === "password") {
     return { auth: latestAuth };
   }
+  if (latestCfg.gateway?.auth?.mode === "trusted-proxy") {
+    return { auth: latestAuth };
+  }
 
   const generatedToken = crypto.randomBytes(24).toString("hex");
   const nextCfg: OpenClawConfig = {