Hardening: refresh stale device pairing requests and pending metadata (#50695)

* Docs: clarify device pairing supersede behavior * Device pairing: supersede pending requests on auth changes
2026-03-20 22:40:58 +00:00 · 2026-03-19 18:26:06 -05:00
parent 9486f6e379
commit 8e132aed6e
19 changed files with 452 additions and 41 deletions
--- a/docs/cli/devices.md
+++ b/docs/cli/devices.md
@@ -21,6 +21,9 @@ openclaw devices list
 openclaw devices list --json
 ```

+Pending request output includes the requested role and scopes so approvals can
+be reviewed before you approve.
+
 ### `openclaw devices remove <deviceId>`

 Remove one paired device entry.
@@ -45,6 +48,11 @@ openclaw devices clear --yes --pending --json
 Approve a pending device pairing request. If `requestId` is omitted, OpenClaw
 automatically approves the most recent pending request.

+Note: if a device retries pairing with changed auth details (role/scopes/public
+key), OpenClaw supersedes the previous pending entry and issues a new
+`requestId`. Run `openclaw devices list` right before approval to use the
+current ID.
+
 ```
 openclaw devices approve
 openclaw devices approve <requestId>
--- a/docs/cli/node.md
+++ b/docs/cli/node.md
@@ -111,6 +111,10 @@ openclaw devices list
 openclaw devices approve <requestId>
 ```

+If the node retries pairing with changed auth details (role/scopes/public key),
+the previous pending request is superseded and a new `requestId` is created.
+Run `openclaw devices list` again before approval.
+
 The node host stores its node id, token, display name, and gateway connection info in
 `~/.openclaw/node.json`.