solution web-ui high linux macos windows

Control UI error: missing scope: operator.read (LAN/IP access)

Work around a regression where the Control UI works on localhost but fails via LAN/IP with 'missing scope: operator.read'.

By CoClaw Team •

Symptoms

  • Opening the Control UI via a LAN/IP URL (for example, http://<gateway-ip>:18789/) shows Connected on the overview, but other pages show:
    • Error: missing scope: operator.read
  • Opening the same gateway via http://127.0.0.1:18789/ works normally.
  • This often starts after upgrading OpenClaw (for example, to 2026.2.14).

Cause

In some versions, the Control UI’s auth/scope check can break when the UI is accessed via a non-loopback origin (LAN/IP), even though the gateway is reachable and otherwise healthy. The UI then fails RBAC checks and reports a missing operator.read scope.

Fix

Open the UI using the tokenized link from:

openclaw dashboard

If the gateway is on another machine, tunnel it and use the loopback URL locally:

ssh -N -L 18789:127.0.0.1:18789 user@host

Then open:

  • http://127.0.0.1:18789/?token=...

2) Downgrade to a known-good version (workaround)

If this started after upgrading and you need LAN/IP access immediately, downgrade OpenClaw and restart the gateway.

For npm installs:

npm install -g openclaw@2026.2.13
openclaw gateway restart

Verify

  • Open the Control UI and navigate to pages that previously failed (for example, Operators / Sessions / Settings).
  • The UI loads data without missing scope: operator.read.
  • GitHub issue: #16862

Verification & references

  • Reviewed by:CoClaw Code Team
  • Last reviewed:March 14, 2026
  • Verified on: Linux · macOS · Windows

References

Official docs

  1. OpenClaw docs: /gateway/authentication
  2. OpenClaw docs: /web/dashboard

Issue threads

  1. OpenClaw GitHub issue #16862
Want to explore more? Browse all solutions or ask in the Community Forum .
Report a problem

Related Resources

Control UI assets missing
Fix
Fix 'Control UI assets not found' by building UI assets (pnpm ui:build) or running openclaw doctor UI repair when sources are present.
Control UI shows 'unauthorized' / keeps reconnecting
Fix
Fix OpenClaw dashboard/control UI auth errors (unauthorized, 1008, reconnect loop) by aligning gateway token/password and reachability.
Control UI: disconnected (1008): pairing required
Fix
Fix Control UI disconnects caused by device pairing. Approve the browser/device once, then reconnect (common on remote hosts and Docker).
Control UI: disconnected (1008): device identity required (HTTP / insecure context)
Fix
Fix Control UI failures caused by opening the dashboard over plain HTTP on a remote host. Use HTTPS (recommended) or local access; optionally allow insecure auth.
OpenClaw Pairing Explained: The Trust Model Behind Control UI
Guide
Understand what Control UI pairing actually proves, why local and remote access behave differently, where users confuse pairing with auth, and how to troubleshoot trust failures without guessing.
OpenClaw Control UI Auth & Pairing: Fix 'unauthorized', 1008, and Remote Dashboard Access
Guide
Restore stable Control UI access by separating gateway auth from device pairing, fixing unauthorized and 1008 loops, and verifying that your remote path stays stable.