GATEWAY • OpenClaw quick fix

Gateway token mismatch after repair? Verify before rotating.

A field report says `openclaw doctor --fix gateway` can appear clean while auth/profile state still disagrees with what the gateway expects. That lines up with two confirmed OpenClaw failure classes: gateway connection tokens must match exactly, and older auth-profile drift bugs have overwritten fresh credentials from stale gateway memory. Treat repair as incomplete until the gateway accepts a real smoke test.

In simple words: Make a safe copy if the step could change your setup, try the smallest check, then confirm OpenClaw is back to normal before doing more. The source link and commands stay below for people who want the technical detail.

Checklist

Snapshot first: run a verified backup or copy the current OpenClaw config/auth state before editing tokens or profiles.

Safe verification sequence

openclaw doctor --fix --dry-run
openclaw models status
openclaw models status --probe
# Restart the gateway with your normal service manager, then repeat the status/probe check.

Check the obvious mismatch: `gateway.auth.token` and `gateway.remote.token` must be the same secret in config or equivalent environment variables.

Gateway config shape to compare

{
  "gateway": {
    "auth": { "token": "YOUR_SECRET" },
    "remote": { "token": "YOUR_SECRET" }
  }
}

If provider auth is failing, inspect the active `auth-profiles.json` path for the affected agent/profile and compare it with the real source of truth for that provider.

Restart the gateway using your install's normal supervisor, then run a live gateway/auth smoke test; do not trust a repair command alone.

Only invalidate or delete the old token after the new token/profile passes verification, and keep the rollback note until the next agent run succeeds.

Success looks like

• The gateway accepts the CLI/agent connection without `unauthorized: gateway token mismatch`.

• Provider auth probes pass after the gateway restart instead of silently using stale cached credentials.

• The old token is kept available until the replacement has passed a real smoke test.

Source: GitHub issues + X field report · link

Before the next risky OpenClaw change

Turn this quick fix into a repeatable rollback path.

If this touches tokens, providers, upgrades, plugins, or shared-agent settings, do the free check first — then use a verified snapshot and one restore drill before trusting unattended work again.

What OpenClaw Safety Net adds

pre-change snapshot checklist
restore-drill steps before the real incident
gateway/config smoke test before agents run again

Use the free fix when: you only need to unblock this one low-risk change and can write the backup label, smoke result, and rollback trigger in your own notes.

Buy when: this same risk will happen again, another person needs to repeat the fix, or you want a purchase-to-first-GREEN receipt, restore drill, and written rollback record before agents run unattended.

Do not buy yet if: you have not tried the free checklist, you need live support, or you are not ready to make a verified backup before changing a working setup.

Use OpenClaw Safety Net before the risky change →

Free fix first; buy the playbook only when the rollback path needs a repeatable first-GREEN proof record.

Have a high‑value nugget? Submit it.