openclaw/docs/web/dashboard.md

---
summary: "Gateway dashboard (Control UI) access and auth"
read_when:
  - Changing dashboard authentication or exposure modes
title: "Dashboard"
---

# Dashboard (Control UI)

The Gateway dashboard is the browser Control UI served at `/` by default
(override with `gateway.controlUi.basePath`).

Quick open (local Gateway):

- [http://127.0.0.1:18789/](http://127.0.0.1:18789/) (or [http://localhost:18789/](http://localhost:18789/))

Key references:

- [Control UI](/web/control-ui) for usage and UI capabilities.
- [Tailscale](/gateway/tailscale) for Serve/Funnel automation.
- [Web surfaces](/web) for bind modes and security notes.

Authentication is enforced at the WebSocket handshake via `connect.params.auth`
(token or password). See `gateway.auth` in [Gateway configuration](/gateway/configuration).

Security note: the Control UI is an **admin surface** (chat, config, exec approvals).
Do not expose it publicly. The UI keeps dashboard URL tokens in memory for the current tab
and strips them from the URL after load.
Prefer localhost, Tailscale Serve, or an SSH tunnel.

## Fast path (recommended)

- After onboarding, the CLI auto-opens the dashboard and prints a clean (non-tokenized) link.
- Re-open anytime: `openclaw dashboard` (copies link, opens browser if possible, shows SSH hint if headless).
- If the UI prompts for auth, paste the token from `gateway.auth.token` (or `OPENCLAW_GATEWAY_TOKEN`) into Control UI settings.

## Token basics (local vs remote)

- **Localhost**: open `http://127.0.0.1:18789/`.
- **Token source**: `gateway.auth.token` (or `OPENCLAW_GATEWAY_TOKEN`); `openclaw dashboard` can pass it via URL fragment for one-time bootstrap, but the Control UI does not persist gateway tokens in localStorage.
- If `gateway.auth.token` is SecretRef-managed, `openclaw dashboard` prints/copies/opens a non-tokenized URL by design. This avoids exposing externally managed tokens in shell logs, clipboard history, or browser-launch arguments.
- If `gateway.auth.token` is configured as a SecretRef and is unresolved in your current shell, `openclaw dashboard` still prints a non-tokenized URL plus actionable auth setup guidance.
- **Not localhost**: use Tailscale Serve (tokenless for Control UI/WebSocket if `gateway.auth.allowTailscale: true`, assumes trusted gateway host; HTTP APIs still need token/password), tailnet bind with a token, or an SSH tunnel. See [Web surfaces](/web).

## If you see “unauthorized” / 1008

- Ensure the gateway is reachable (local: `openclaw status`; remote: SSH tunnel `ssh -N -L 18789:127.0.0.1:18789 user@host` then open `http://127.0.0.1:18789/`).
- Retrieve or supply the token from the gateway host:
  - Plaintext config: `openclaw config get gateway.auth.token`
  - SecretRef-managed config: resolve the external secret provider or export `OPENCLAW_GATEWAY_TOKEN` in this shell, then rerun `openclaw dashboard`
  - No token configured: `openclaw doctor --generate-gateway-token`
- In the dashboard settings, paste the token into the auth field, then connect.
feat(gateway): add tailscale auth + pam 2025-12-21 00:44:39 +00:00			`---`
			`summary: "Gateway dashboard (Control UI) access and auth"`
			`read_when:`
			`- Changing dashboard authentication or exposure modes`
Docs: add nav titles across docs (#5689) 2026-01-31 16:04:03 -05:00			`title: "Dashboard"`
feat(gateway): add tailscale auth + pam 2025-12-21 00:44:39 +00:00			`---`
chore: Run `pnpm format:fix`. 2026-01-31 21:13:13 +09:00
feat(gateway): add tailscale auth + pam 2025-12-21 00:44:39 +00:00			`# Dashboard (Control UI)`

feat: configurable control ui base path 2026-01-03 17:54:52 +01:00			The Gateway dashboard is the browser Control UI served at `/` by default
			(override with `gateway.controlUi.basePath`).
feat(gateway): add tailscale auth + pam 2025-12-21 00:44:39 +00:00
docs: reorganize documentation structure 2026-01-07 00:41:31 +01:00			`Quick open (local Gateway):`
chore: Run `pnpm format:fix`. 2026-01-31 21:13:13 +09:00
Docs: enable markdownlint autofixables except list numbering (#10476) * docs(markdownlint): enable autofixable rules except list numbering * docs(zalo): fix malformed bot platform link 2026-02-06 10:08:59 -05:00			`- [http://127.0.0.1:18789/](http://127.0.0.1:18789/) (or [http://localhost:18789/](http://localhost:18789/))`
docs: reorganize documentation structure 2026-01-07 00:41:31 +01:00
feat(gateway): add tailscale auth + pam 2025-12-21 00:44:39 +00:00			`Key references:`
chore: Run `pnpm format:fix`. 2026-01-31 21:13:13 +09:00
Docs: fix internal links 2026-01-10 14:51:21 -06:00			`- [Control UI](/web/control-ui) for usage and UI capabilities.`
			`- [Tailscale](/gateway/tailscale) for Serve/Funnel automation.`
			`- [Web surfaces](/web) for bind modes and security notes.`
feat(gateway): add tailscale auth + pam 2025-12-21 00:44:39 +00:00
			Authentication is enforced at the WebSocket handshake via `connect.params.auth`
Docs: fix internal links 2026-01-10 14:51:21 -06:00			(token or password). See `gateway.auth` in [Gateway configuration](/gateway/configuration).
docs: add dashboard faq 2026-01-12 19:14:00 +00:00
feat: surface security audit + docs 2026-01-26 19:58:54 +00:00			`Security note: the Control UI is an admin surface (chat, config, exec approvals).`
fix(dashboard): keep gateway tokens out of URL storage 2026-03-07 18:33:19 +00:00			`Do not expose it publicly. The UI keeps dashboard URL tokens in memory for the current tab`
			`and strips them from the URL after load.`
feat: surface security audit + docs 2026-01-26 19:58:54 +00:00			`Prefer localhost, Tailscale Serve, or an SSH tunnel.`

docs: add dashboard faq 2026-01-12 19:14:00 +00:00			`## Fast path (recommended)`

fix: silence unused hook token url param (#9436) * fix: Gateway authentication token exposed in URL query parameters * fix: silence unused hook token url param * fix: remove gateway auth tokens from URLs (#9436) (thanks @coygeek) * test: fix Windows path separators in audit test (#9436) --------- Co-authored-by: George Pickett <gpickett00@gmail.com> 2026-02-05 18:08:29 -08:00			`- After onboarding, the CLI auto-opens the dashboard and prints a clean (non-tokenized) link.`
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			- Re-open anytime: `openclaw dashboard` (copies link, opens browser if possible, shows SSH hint if headless).
fix: silence unused hook token url param (#9436) * fix: Gateway authentication token exposed in URL query parameters * fix: silence unused hook token url param * fix: remove gateway auth tokens from URLs (#9436) (thanks @coygeek) * test: fix Windows path separators in audit test (#9436) --------- Co-authored-by: George Pickett <gpickett00@gmail.com> 2026-02-05 18:08:29 -08:00			- If the UI prompts for auth, paste the token from `gateway.auth.token` (or `OPENCLAW_GATEWAY_TOKEN`) into Control UI settings.
docs: add dashboard faq 2026-01-12 19:14:00 +00:00
docs: clarify dashboard token auth 2026-01-13 05:31:26 +00:00			`## Token basics (local vs remote)`

fix: silence unused hook token url param (#9436) * fix: Gateway authentication token exposed in URL query parameters * fix: silence unused hook token url param * fix: remove gateway auth tokens from URLs (#9436) (thanks @coygeek) * test: fix Windows path separators in audit test (#9436) --------- Co-authored-by: George Pickett <gpickett00@gmail.com> 2026-02-05 18:08:29 -08:00			- Localhost: open `http://127.0.0.1:18789/`.
fix(dashboard): keep gateway tokens out of URL storage 2026-03-07 18:33:19 +00:00			- Token source: `gateway.auth.token` (or `OPENCLAW_GATEWAY_TOKEN`); `openclaw dashboard` can pass it via URL fragment for one-time bootstrap, but the Control UI does not persist gateway tokens in localStorage.
Gateway: add SecretRef support for gateway.auth.token with auth-mode guardrails (#35094) 2026-03-05 12:53:56 -06:00			- If `gateway.auth.token` is SecretRef-managed, `openclaw dashboard` prints/copies/opens a non-tokenized URL by design. This avoids exposing externally managed tokens in shell logs, clipboard history, or browser-launch arguments.
			- If `gateway.auth.token` is configured as a SecretRef and is unresolved in your current shell, `openclaw dashboard` still prints a non-tokenized URL plus actionable auth setup guidance.
fix(gateway): scope tailscale tokenless auth to websocket 2026-02-21 13:03:08 +01:00			- Not localhost: use Tailscale Serve (tokenless for Control UI/WebSocket if `gateway.auth.allowTailscale: true`, assumes trusted gateway host; HTTP APIs still need token/password), tailnet bind with a token, or an SSH tunnel. See [Web surfaces](/web).
docs: clarify dashboard token auth 2026-01-13 05:31:26 +00:00
docs: add dashboard faq 2026-01-12 19:14:00 +00:00			`## If you see “unauthorized” / 1008`

fix: silence unused hook token url param (#9436) * fix: Gateway authentication token exposed in URL query parameters * fix: silence unused hook token url param * fix: remove gateway auth tokens from URLs (#9436) (thanks @coygeek) * test: fix Windows path separators in audit test (#9436) --------- Co-authored-by: George Pickett <gpickett00@gmail.com> 2026-02-05 18:08:29 -08:00			- Ensure the gateway is reachable (local: `openclaw status`; remote: SSH tunnel `ssh -N -L 18789:127.0.0.1:18789 user@host` then open `http://127.0.0.1:18789/`).
Gateway: add SecretRef support for gateway.auth.token with auth-mode guardrails (#35094) 2026-03-05 12:53:56 -06:00			`- Retrieve or supply the token from the gateway host:`
			- Plaintext config: `openclaw config get gateway.auth.token`
			- SecretRef-managed config: resolve the external secret provider or export `OPENCLAW_GATEWAY_TOKEN` in this shell, then rerun `openclaw dashboard`
			- No token configured: `openclaw doctor --generate-gateway-token`
fix: silence unused hook token url param (#9436) * fix: Gateway authentication token exposed in URL query parameters * fix: silence unused hook token url param * fix: remove gateway auth tokens from URLs (#9436) (thanks @coygeek) * test: fix Windows path separators in audit test (#9436) --------- Co-authored-by: George Pickett <gpickett00@gmail.com> 2026-02-05 18:08:29 -08:00			`- In the dashboard settings, paste the token into the auth field, then connect.`