--- summary: "CLI reference for `openclaw devices` (device pairing + token rotation/revocation)" read_when: - You are approving device pairing requests - You need to rotate or revoke device tokens title: "Devices" --- # `openclaw devices` Manage device pairing requests and device-scoped tokens. ## Common options - `--url `: Gateway WebSocket URL (defaults to `gateway.remote.url` when configured) - `--token `: Gateway token (if required) - `--password `: Gateway password (password auth) - `--timeout `: RPC timeout - `--json`: JSON output (recommended for scripting) When you set `--url`, the CLI does not fall back to config or environment credentials. Pass `--token` or `--password` explicitly, or the command errors. ## Commands ### `openclaw devices list` List pending pairing requests and paired devices. ```bash openclaw devices list openclaw devices list --json ``` For a pending request on an already-paired device, the output shows requested access next to the device's current approved access, so scope/role upgrades are visible instead of looking like a lost pairing. Paired device display names use this precedence: operator label (`operatorLabel` from `devices rename`), then client `displayName`, then `clientId`, then `deviceId`. ### `openclaw devices approve [requestId] [--latest]` Approve a pending pairing request by exact `requestId`. Omitting `requestId`, or passing `--latest`, only previews the newest pending request and exits (code 1); rerun with the exact request ID to approve. ```bash openclaw devices approve openclaw devices approve openclaw devices approve --latest ``` If a device retries pairing with changed auth details (role, scopes, or public key), OpenClaw supersedes the previous pending entry with a new `requestId`. Run `openclaw devices list` right before approval to get the current id. Approval behavior: - If the device is already paired and requests broader scopes or role, OpenClaw keeps the existing approval and creates a new pending upgrade request. Compare `Requested` vs `Approved` in `openclaw devices list`, or preview with `--latest`, before approving. - Approving a `node` role or other non-operator role requires `operator.admin`. `operator.pairing` is enough for operator-device approvals, but only when the requested operator scopes stay within the caller's own scopes. See [Operator scopes](/gateway/operator-scopes). - If `gateway.nodes.pairing.autoApproveCidrs` is configured, first-time `role: node` requests from matching client IPs can be auto-approved before they appear in this list. Disabled by default; never applies to operator/browser clients or upgrade requests. - `gateway.nodes.pairing.sshVerify` (on by default) auto-approves first-time `role: node` requests when the gateway verifies the device key over SSH to the node host. Requests may therefore resolve to approved shortly after appearing. Set `sshVerify: false` to disable SSH verification; this is independent of `autoApproveCidrs`, so unset that too for manual-only pairing. ### `openclaw devices reject ` Reject a pending device pairing request. ```bash openclaw devices reject ``` ### `openclaw devices remove ` Remove one paired device entry. ```bash openclaw devices remove openclaw devices remove --json ``` A caller authenticated with a paired device token can remove only its **own** device entry. Removing another device requires `operator.admin`. ### `openclaw devices rename --device --name