Files
openclaw/docs/cli/qr.md
Jesse Merhi 64318d7624 Rework Android gateway onboarding setup (#98752)
* feat(android): rework gateway onboarding setup

* fix(android): restore protocol mismatch onboarding guidance

* fix(android): sync onboarding native i18n

* fix(android): preserve LAN manual setup prefill

* fix(android): refine onboarding node approval step

* fix(android): polish onboarding recovery actions

* test(android): cover onboarding protocol mismatch copy

* fix(android): separate onboarding node approval

* fix(android): guard onboarding node approval transitions

* fix(android): keep onboarding approval states reachable

* fix(android): wait for node access before onboarding continue

* fix(android): refresh node approval after operator handoff

* fix(android): refresh onboarding approval states

* fix(android): require approval after onboarding permission changes

* fix(android): keep onboarding approval gates active

* fix(android): preserve permission reapproval state

* fix(android): skip node approval on legacy gateways

* fix(android): wait for node approval refresh

* fix(android): preserve camera setting on upgrade

* fix(android): avoid stuck approval check spinner

* fix(android): request talk secrets on operator connects

* fix(android): avoid missed node approval completion

* fix(android): keep nearby LAN setup local

* fix(android): complete onboarding after node approval

* fix(android): reconcile onboarding with gateway auth plans

* chore(android): refresh native i18n inventory after rebase

* Fix Android onboarding review edge cases

* Fix native i18n onboarding sentinels
2026-07-03 21:20:12 +10:00

3.1 KiB

summary, read_when, title
summary read_when title
CLI reference for `openclaw qr` (generate mobile pairing QR + setup code)
You want to pair a mobile node app with a gateway quickly
You need setup-code output for remote/manual sharing
QR

openclaw qr

Generate a mobile pairing QR and setup code from your current Gateway configuration.

Usage

openclaw qr
openclaw qr --setup-code-only
openclaw qr --json
openclaw qr --remote
openclaw qr --url wss://gateway.example/ws

Options

  • --remote: prefer gateway.remote.url; if it is unset, gateway.tailscale.mode=serve|funnel can still provide the remote public URL
  • --url <url>: override gateway URL used in payload
  • --public-url <url>: override public URL used in payload
  • --token <token>: override which gateway token the bootstrap flow authenticates against
  • --password <password>: override which gateway password the bootstrap flow authenticates against
  • --setup-code-only: print only setup code
  • --no-ascii: skip ASCII QR rendering
  • --json: emit JSON (setupCode, gatewayUrl, auth, urlSource)

Notes

  • --token and --password are mutually exclusive.
  • The setup code itself now carries an opaque short-lived bootstrapToken, not the shared gateway token/password.
  • Built-in setup-code bootstrap returns a primary node token with scopes: [] plus a bounded operator handoff token for trusted mobile onboarding.
  • The handed-off operator token is limited to operator.approvals, operator.read, operator.talk.secrets, and operator.write; pairing mutation scopes and operator.admin still require a separate approved operator pairing or token flow.
  • Mobile pairing fails closed for Tailscale/public ws:// gateway URLs. Private LAN addresses and .local Bonjour hosts remain supported over ws://, but Tailscale/public mobile routes should use Tailscale Serve/Funnel or a wss:// gateway URL.
  • With --remote, OpenClaw requires either gateway.remote.url or gateway.tailscale.mode=serve|funnel.
  • With --remote, if effectively active remote credentials are configured as SecretRefs and you do not pass --token or --password, the command resolves them from the active gateway snapshot. If gateway is unavailable, the command fails fast.
  • Without --remote, local gateway auth SecretRefs are resolved when no CLI auth override is passed:
    • gateway.auth.token resolves when token auth can win (explicit gateway.auth.mode="token" or inferred mode where no password source wins).
    • gateway.auth.password resolves when password auth can win (explicit gateway.auth.mode="password" or inferred mode with no winning token from auth/env).
  • If both gateway.auth.token and gateway.auth.password are configured (including SecretRefs) and gateway.auth.mode is unset, setup-code resolution fails until mode is set explicitly.
  • Gateway version skew note: this command path requires a gateway that supports secrets.resolve; older gateways return an unknown-method error.
  • After scanning, approve device pairing with:
    • openclaw devices list
    • openclaw devices approve <requestId>