Beginner
macOS / Linux / Windows (WSL2) / Docker / VPS / Self-hosted
Estimated time: 10 min

OpenClaw Symptom-First Triage Card: Stop Guessing, Find the Right Layer

A scannable triage flow for non-hardcore operators: map what you see (unauthorized, pairing required 1008, gateway disconnected 4008, no output, only chats) to the correct fix page, with a minimal command pack to prove each layer.

Implementation Steps

Use status + probes to prove whether the gateway, model path, and channel path are actually healthy.

If you keep “trying fixes” without a layer model, OpenClaw will punish you with wasted time.

This page is the opposite: start from what you see, run a tiny command pack, and land on the correct fix page.

0) The 60-second command pack (gateway host)

Run on the machine/container that runs the gateway:

openclaw status --all
openclaw gateway status
openclaw models status --probe
openclaw channels status --probe
openclaw logs --limit 200 --plain

If you can only do one thing: run openclaw status --all and stop guessing.

1) Symptom cards (what you see -> what it usually is -> where to go)

A) Control UI says “unauthorized” (or keeps reconnecting)

This is usually:

  • token mismatch (wrong gateway, wrong env override), or
  • you opened the raw URL instead of the tokenized dashboard link.

Do this:

B) Control UI / TUI says “pairing required (1008)”

This is usually:

  • a new device identity that was never approved, often triggered by using a new origin (LAN/tailnet/reverse proxy).

Do this:

C) “Gateway disconnected (4008)” or “can’t connect to gateway”

This is usually:

  • the gateway isn’t running,
  • you’re hitting the wrong host/port,
  • bind is loopback-only but you are connecting remotely,
  • or auth is misaligned.

Do this:

D) “It only chats” / “it won’t use tools anymore”

This is usually:

  • tools.profile became narrower after an upgrade, or
  • a deny rule or per-agent override is still pinning tools.

Do this:

E) “No output” / “nothing comes back” / “everything looks rate-limited”

This is usually:

  • model auth/quota/provider failure,
  • a relay/api-mode mismatch,
  • or a false rate limit classification that poisons your route.

Do this:

F) Docker/VPS “works” but Control UI is unreachable

This is usually:

  • bind is still loopback,
  • health checks are killing the service,
  • state is not persisted (token/devices reset on restart),
  • or TLS/reverse proxy expectations changed after an update.

Do this:

G) “It stops when I close the terminal” (or after SSH disconnect)

This is usually:

  • you never installed a supervisor/daemon, so the gateway is just a foreground process.

Do this:

2) Verification (prove the fix, do not trust vibes)

After any fix:

  1. rerun the 60-second command pack, and
  2. do one real action:
    • dashboard refresh without loops (openclaw dashboard), or
    • send a test message on your channel.

If you cannot reproduce success twice in a row, you do not have a fix yet.

Verification & references

  • Reviewed by:CoClaw Editorial Team
  • Last reviewed:March 14, 2026
  • Verified on: macOS · Linux · Windows (WSL2) · Docker · VPS · Self-hosted

References

  1. OpenClaw docs — Control UI auth and pairingOfficial docs
  2. OpenClaw docs — Deployment troubleshootingOfficial docs
  3. OpenClaw docs — Relay/API proxy troubleshootingOfficial docs
  4. OpenClaw GitHub repositoryGitHub

Related Resources

OpenClaw CLI Command Cheat Sheet (and the Reddit FAQ)
Guide
Use the right OpenClaw CLI command for the job: map symptoms to the correct layer, run a minimal diagnosis pack, and know what evidence to capture before you change config or ask for help.
OpenClaw Control UI Auth & Pairing: Fix 'unauthorized', 1008, and Remote Dashboard Access
Guide
Restore stable Control UI access by separating gateway auth from device pairing, fixing unauthorized and 1008 loops, and verifying that your remote path stays stable.
OpenClaw Not Responding: Fix 'no output', Incorrect API, Rate Limits, and Silent Failures
Guide
A high-signal checklist for when OpenClaw stops replying (TUI shows '(no output)', channels go quiet, or logs show 401/403/429). Covers config precedence, provider auth, model allowlists, relay API-mode mismatch, and rate-limit/billing traps.
Control UI: disconnected (1008): pairing required
Fix
Fix Control UI disconnects caused by device pairing. Approve the browser/device once, then reconnect (common on remote hosts and Docker).
TUI: '(no output)' or no response after sending a message
Fix
If the OpenClaw TUI shows '(no output)' or appears stuck, check connection status, gateway logs, model auth, and whether your provider only supports minimal chat payloads but not real OpenClaw runtime requests.
Gateway: 'disconnected (1008): pairing required' after update (scope-upgrade / operator.write)
Fix
If new connections (Control UI, sub-agents, cron announce, webchat) are rejected with WebSocket 1008 'pairing required' after an update or reinstall, you may need to approve a device scope-upgrade (often `operator.write`).

Need live assistance?

Ask in the community forum or Discord support channels.

Get Support