The new version of OpenClaw's Control UI is no longer "open the web page and you can use it", but introduces a three-layer authentication mechanism:
- Gateway Token
- Device Token
- Pairing (Device Authorization)
If any step is missing, the following will appear:
origin not allowedtoken mismatchdevice_token_mismatchpairing required
Below is the full opening process.
1. Start OpenClaw (Docker)
Ensure containers are functioning properly:
docker ps
See something like:
openclaw-openclaw-gateway-1 Up (healthy)
Indicates that the service is normal.
2. Access the Control UI
Browser open:
http://你的服务器IP:18789
Or (in your case):
https://openclaw.cloudplus.im
If you are accessing from a domain name, you will need to configure the following:
Allowed Sources (Required)
docker exec openclaw-openclaw-gateway-1 openclaw config set gateway.controlUi.allowedOrigins '["https://你的域名"]'
3. Set up the Gateway Token
If the logs appear:
(auth=token)
Indicate that authentication is enabled.
Set a token manually (recommended):
docker exec openclaw-openclaw-gateway-1 openclaw config set gateway.auth.token 'abc123456'
docker restart openclaw-openclaw-gateway-1
Then on the Control UI page, type:
abc123456
4. Dealing with browser device conflicts (important)
If it appears:
device_token_mismatch
Explanation The browser caches old device information.
Resolution:
- Open using incognito mode
- Or clear the cache / localStorage for that domain
5. Device Pairing (Core Steps)
The first visit is sure to appear:
pairing required
Go inside the container to see the device to be approved:
docker exec -it openclaw-openclaw-gateway-1 sh
openclaw devices list
You will see:
Pending (1)
Request: xxxxxxxx
Executive approval:
openclaw devices approve <Request ID>
For example:
openclaw devices approve a9cdc750-684c-41b1-b39f-2fc166cc428c
6. Complete the connection
When you're done:
- The page is automatically connected
- WebSocket no longer reports errors
- The Control UI works normally
7. Comparison table of common errors
| Error | Cause | Solved |
|---|---|---|
| origin not allowed | The domain name is not whitelisted | Configure allowedOrigins |
| token mismatch | token inconsistency | Reset the token |
| device_token_mismatch | Browser caches old devices | Clear cache / traceless |
| pairing required | Unauthorized devices | approve device |
8. Essential understanding (key points)
New OpenClaw Control UI = Three Layers of Security:
浏览器 → Token认证 → 设备认证 → 人工批准 → 网关
Not the "open and use" tool before, but:
👉 An Agent console with device authorization
Summary in one sentence
To open the new Control UI, you must complete:
Allow domain name + set token + clear browser state + manually approve device
If you want to write a blog/video later, this title can also be used:
👉 "OpenClaw New Control UI Full Process Stepping Guide (from Can't Open to Completely Open)"