docs(gateway): clarify backend RPC pairing

This commit is contained in:
Peter Steinberger
2026-04-25 23:24:36 +01:00
parent d74b6359fd
commit 41b27024bb
2 changed files with 12 additions and 2 deletions


@@ -577,11 +577,13 @@ rather than the pre-handshake defaults.
trusted shared-secret helper flows.
- Same-host tailnet or LAN connects are still treated as remote for pairing and
require approval.
- All WS clients must include `device` identity during `connect` (operator + node).
Control UI can omit it only in these modes:
- WS clients normally include `device` identity during `connect` (operator +
node). The only device-less operator exceptions are explicit trust paths:
- `gateway.controlUi.allowInsecureAuth=true` for localhost-only insecure HTTP compatibility.
- successful `gateway.auth.mode: "trusted-proxy"` operator Control UI auth.
- `gateway.controlUi.dangerouslyDisableDeviceAuth=true` (break-glass, severe security downgrade).
- direct-loopback `gateway-client` backend RPCs authenticated with the shared
gateway token/password.
- All connections must sign the server-provided `connect.challenge` nonce.
### Device auth migration diagnostics
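Review bot: The new intro line "The only device-less operator exceptions are explicit trust paths:" is narrower than the fourth bullet it introduces, since a `gateway-client` backend RPC is not an operator Control UI session; consider "The only device-less `connect` exceptions are explicit trust paths:" so the list reads consistently. The new "direct-loopback" bullet should also state what qualifies as direct loopback (for example, whether a connection arriving through a local reverse proxy counts), because the earlier bullet in this hunk already says same-host tailnet or LAN connects are still treated as remote, and readers will need the boundary between the two cases. Finally, the `dangerouslyDisableDeviceAuth=true` bullet is the one path that bypasses device identity without any compensating authentication, so a short pointer to where its warnings are documented would help keep the break-glass nature visible in this list.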