diff --git a/docs/gateway/configuration-reference.md b/docs/gateway/configuration-reference.md index 27cc236b9f8..67c325ff5c4 100644 --- a/docs/gateway/configuration-reference.md +++ b/docs/gateway/configuration-reference.md @@ -2159,7 +2159,8 @@ See [Plugins](/tools/plugin). - `controlUi.allowedOrigins`: explicit browser-origin allowlist for Gateway WebSocket connects. Required when browser clients are expected from non-loopback origins. - `controlUi.dangerouslyAllowHostHeaderOriginFallback`: dangerous mode that enables Host-header origin fallback for deployments that intentionally rely on Host-header origin policy. - `remote.transport`: `ssh` (default) or `direct` (ws/wss). For `direct`, `remote.url` must be `ws://` or `wss://`. -- `gateway.remote.token` is for remote CLI calls only; does not enable local gateway auth. +- `gateway.remote.token` / `.password` are remote-client credential fields. They do not configure gateway auth by themselves. +- Local gateway call paths can use `gateway.remote.*` as fallback when `gateway.auth.*` is unset. - `trustedProxies`: reverse proxy IPs that terminate TLS. Only list proxies you control. - `allowRealIpFallback`: when `true`, the gateway accepts `X-Real-IP` if `X-Forwarded-For` is missing. Default `false` for fail-closed behavior. - `gateway.tools.deny`: extra tool names blocked for HTTP `POST /tools/invoke` (extends default deny list). diff --git a/docs/gateway/remote.md b/docs/gateway/remote.md index 52b6e095390..68170fe2b88 100644 --- a/docs/gateway/remote.md +++ b/docs/gateway/remote.md @@ -107,8 +107,8 @@ Gateway call/probe credential resolution now follows one shared contract: - Explicit credentials (`--token`, `--password`, or tool `gatewayToken`) always win. - Local mode defaults: - - token: `OPENCLAW_GATEWAY_TOKEN` -> `gateway.auth.token` - - password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway.auth.password` + - token: `OPENCLAW_GATEWAY_TOKEN` -> `gateway.auth.token` -> `gateway.remote.token` + - password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway.auth.password` -> `gateway.remote.password` - Remote mode defaults: - token: `gateway.remote.token` -> `OPENCLAW_GATEWAY_TOKEN` -> `gateway.auth.token` - password: `OPENCLAW_GATEWAY_PASSWORD` -> `gateway.remote.password` -> `gateway.auth.password` @@ -134,7 +134,8 @@ Short version: **keep the Gateway loopback-only** unless you’re sure you need - **Loopback + SSH/Tailscale Serve** is the safest default (no public exposure). - **Non-loopback binds** (`lan`/`tailnet`/`custom`, or `auto` when loopback is unavailable) must use auth tokens/passwords. -- `gateway.remote.token` is **only** for remote CLI calls — it does **not** enable local auth. +- `gateway.remote.token` / `.password` are client credential sources. They do **not** configure server auth by themselves. +- Local call paths can use `gateway.remote.*` as fallback when `gateway.auth.*` is unset. - `gateway.remote.tlsFingerprint` pins the remote TLS cert when using `wss://`. - **Tailscale Serve** can authenticate Control UI/WebSocket traffic via identity headers when `gateway.auth.allowTailscale: true`; HTTP API endpoints still diff --git a/docs/gateway/security/index.md b/docs/gateway/security/index.md index f0503acc059..55e2a076766 100644 --- a/docs/gateway/security/index.md +++ b/docs/gateway/security/index.md @@ -686,8 +686,10 @@ Set a token so **all** WS clients must authenticate: Doctor can generate one for you: `openclaw doctor --generate-gateway-token`. -Note: `gateway.remote.token` is **only** for remote CLI calls; it does not -protect local WS access. +Note: `gateway.remote.token` / `.password` are client credential sources. They +do **not** protect local WS access by themselves. +Local call paths can use `gateway.remote.*` as fallback when `gateway.auth.*` +is unset. Optional: pin remote TLS with `gateway.remote.tlsFingerprint` when using `wss://`. Local device pairing: diff --git a/docs/help/faq.md b/docs/help/faq.md index ff9c1ad4536..cd12c790f53 100644 --- a/docs/help/faq.md +++ b/docs/help/faq.md @@ -1405,7 +1405,8 @@ Non-loopback binds **require auth**. Configure `gateway.auth.mode` + `gateway.au Notes: -- `gateway.remote.token` is for **remote CLI calls** only; it does not enable local gateway auth. +- `gateway.remote.token` / `.password` do **not** enable local gateway auth by themselves. +- Local call paths can use `gateway.remote.*` as fallback when `gateway.auth.*` is unset. - The Control UI authenticates via `connect.params.auth.token` (stored in app/UI settings). Avoid putting tokens in URLs. ### Why do I need a token on localhost now