docs: refresh shared-secret default mirrors

Peter Steinberger
2026-04-04 21:11:16 +01:00
parent 0738ed8d19
commit e2b841d7d0
6 changed files with 13 additions and 10 deletions

@@ -15,7 +15,7 @@ process that owns channel connections and the WebSocket control plane.
## Core rules
- One Gateway per host is recommended. It is the only process allowed to own the WhatsApp Web session. For rescue bots or strict isolation, run multiple gateways with isolated profiles and ports. See [Multiple gateways](/gateway/multiple-gateways).
- Loopback first: the Gateway WS defaults to `ws://127.0.0.1:18789`. The wizard generates a gateway token by default, even for loopback. For non-loopback access, use a valid gateway auth path: shared-secret token/password auth, or a correctly configured non-loopback `trusted-proxy` deployment. Tailnet/mobile setups usually work best through Tailscale Serve or another `wss://` endpoint instead of raw tailnet `ws://`.
- Loopback first: the Gateway WS defaults to `ws://127.0.0.1:18789`. The wizard creates shared-secret auth by default and usually generates a token, even for loopback. For non-loopback access, use a valid gateway auth path: shared-secret token/password auth, or a correctly configured non-loopback `trusted-proxy` deployment. Tailnet/mobile setups usually work best through Tailscale Serve or another `wss://` endpoint instead of raw tailnet `ws://`.
- Nodes connect to the Gateway WS over LAN, tailnet, or SSH as needed. The legacy TCP bridge is deprecated.
- Canvas host is served by the Gateway HTTP server on the **same port** as the Gateway (default `18789`):
- `/__openclaw__/canvas/`
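Review bot: "usually generates a token" in the rewritten "Loopback first" bullet does not say when the wizard skips token generation, so a reader cannot tell whether their loopback gateway ended up with a token. State the case in which no token is generated, or drop "usually" if the default path always produces one.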

@@ -17,7 +17,7 @@ This page assumes exe.dev's default **exeuntu** image. If you picked a different
1. [https://exe.new/openclaw](https://exe.new/openclaw)
2. Fill in your auth key/token as needed
3. Click on "Agent" next to your VM and wait for Shelley to finish provisioning
4. Open `https://<vm-name>.exe.xyz/` and authenticate with the configured shared secret (this guide uses a gateway token by default)
4. Open `https://<vm-name>.exe.xyz/` and authenticate with the configured shared secret (this guide uses token auth by default, but password auth works too if you switch `gateway.auth.mode`)
5. Approve any pending device pairing requests with `openclaw devices approve <requestId>`
## What you need
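Review bot: the new step 4 tells the reader to switch `gateway.auth.mode` but never gives the value to switch it to. The dashboard hunk in this same commit spells it out as `gateway.auth.mode` is `"password"`; use the same form here so the step is actionable without leaving the page.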

@@ -317,13 +317,16 @@ For the generic Docker flow, see [Docker](/install/docker).
`http://127.0.0.1:18789/`
Fetch a fresh tokenized dashboard link:
Reprint a clean dashboard link:
```bash
docker compose run --rm openclaw-cli dashboard --no-open
```
Paste the token from that URL.
If the UI prompts for shared-secret auth, paste the configured token or
password into Control UI settings. This Docker flow writes a token by
default; if you switch the container config to password auth, use that
password instead.
If Control UI shows `unauthorized` or `disconnected (1008): pairing required`, approve the browser device:
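Review bot: after replacing "Paste the token from that URL." the section no longer tells the reader where to find the secret. The link is now described as "clean", and the new paragraph says "This Docker flow writes a token by default" without saying where it is written. Add one sentence naming the location of the configured token so the paste step can actually be completed.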

@@ -32,7 +32,7 @@ open http://localhost:18789
```
Retrieve the configured shared secret for the Control UI. This deploy script
creates a gateway token by default:
creates token auth by default:
```bash
kubectl get secret openclaw-secrets -n openclaw -o jsonpath='{.data.OPENCLAW_GATEWAY_TOKEN}' | base64 -d
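Review bot: the intro still promises to "Retrieve the configured shared secret", but the command under it only reads the `OPENCLAW_GATEWAY_TOKEN` key. With the wording changed to "creates token auth by default", say explicitly that the command covers the default token case and what a reader who switched to password auth should do instead.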

@@ -31,10 +31,9 @@ Auth is supplied during the WebSocket handshake via:
- trusted-proxy identity headers when `gateway.auth.mode: "trusted-proxy"`
The dashboard settings panel keeps a token for the current browser tab session
and selected gateway URL; passwords are not persisted. Onboarding generates a
gateway token by default, so shared-secret setups usually paste that token here
on first connect, but password auth works too when `gateway.auth.mode` is
`"password"`.
and selected gateway URL; passwords are not persisted. Onboarding usually
generates a gateway token for shared-secret auth on first connect, but password
auth works too when `gateway.auth.mode` is `"password"`.
## Device pairing (first connection)
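Review bot: in the rewrapped sentence "Onboarding usually generates a gateway token for shared-secret auth on first connect", the phrase "on first connect" now attaches to token generation. The removed text used it for the paste step ("usually paste that token here on first connect"), and that instruction is gone entirely. Restore a clause telling the reader to paste the token into the settings panel on first connect, and keep "on first connect" with it.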

@@ -97,7 +97,8 @@ Open:
- Gateway auth is required by default (token, password, trusted-proxy, or Tailscale Serve identity headers when enabled).
- Non-loopback binds still **require** gateway auth. In practice that means token/password auth or an identity-aware reverse proxy with `gateway.auth.mode: "trusted-proxy"`.
- The wizard generates a gateway token by default (even on loopback).
- The wizard creates shared-secret auth by default and usually generates a
gateway token (even on loopback).
- In shared-secret mode, the UI sends `connect.params.auth.token` or
`connect.params.auth.password`.
- In identity-bearing modes such as Tailscale Serve or `trusted-proxy`, the
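Review bot: the rewritten wizard bullet says "usually generates a gateway token", while the matching bullet in the core rules hunk of this commit says "usually generates a token". Since the commit's purpose is to keep these mirrored statements in sync, use one wording in both places.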