Gateway authentication not configured
What this checks
Checks that the OpenClaw gateway has an authentication token configured. A gateway without auth is accessible to any client that can reach it, with no credentials required.
Why it matters
The gateway is the entry point to your OpenClaw installation. Without authentication, anyone who can reach your gateway URL can send commands to your agent, read responses, and impersonate the operator. This is the most direct path to full unauthorised access: no exploit needed, just an HTTP request.
How to fix it
Set a gateway auth token
Generate a strong random token:
openssl rand -hex 32
Set it on the gateway:
openclaw gateway auth set --type bearer --token <your-token>
Then restart the gateway: openclaw gateway restart
Store the token securely; you'll need it to configure any clients (Slack apps, webhooks, mobile apps) that connect to this gateway.
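The fix above as one script, added here as an example and not part of the OpenClaw or clawvitals tooling: it generates the token, checks it is 256 bits of hex, stores it owner-readable only, applies it with the two commands from this page, and then confirms the gateway refuses requests without the token. The gateway URL, the root path used for the probe and the token file location are assumptions.

```sh
#!/bin/sh
# Added example. GATEWAY_URL, the "/" probe path and TOKEN_FILE are assumptions.
GATEWAY_URL="${GATEWAY_URL:-http://127.0.0.1:8080}"
TOKEN_FILE="${TOKEN_FILE:-$HOME/.openclaw/gateway-token}"

# 32 random bytes as 64 hex chars, the same output as `openssl rand -hex 32`.
gen_token() {
  if command -v openssl >/dev/null 2>&1; then openssl rand -hex 32
  else od -An -N32 -tx1 /dev/urandom | tr -d ' \n'; fi
}

# Accept only exactly 64 lowercase hex chars (256 bits); anything else is rejected.
is_valid_token() { printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'; }

# Persist the token with mode 0600 so other local users cannot read it.
store_token() {
  mkdir -p "$(dirname "$2")"
  ( umask 077 && printf '%s\n' "$1" > "$2" )
}

# Permission bits of a file, e.g. 600 (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Apply the token and restart: exactly the commands from the fix section.
apply_token() {
  openclaw gateway auth set --type bearer --token "$1" && openclaw gateway restart
}

# Post-fix check: an unauthenticated request must be refused (401/403) and the
# same request with the bearer token must succeed.
verify_gateway_auth() {
  anon=$(curl -s -o /dev/null -w '%{http_code}' "$GATEWAY_URL/")
  authed=$(curl -s -o /dev/null -w '%{http_code}' \
           -H "Authorization: Bearer $1" "$GATEWAY_URL/")
  case "$anon" in 401|403) ;; *) echo "gateway still answers without auth ($anon)"; return 1 ;; esac
  [ "$authed" = 200 ] || { echo "token rejected ($authed)"; return 1; }
}

main() {
  t=$(gen_token)
  is_valid_token "$t" || { echo "bad token generated"; exit 1; }
  store_token "$t" "$TOKEN_FILE"
  apply_token "$t" && verify_gateway_auth "$t"
}

# Only run the full procedure when explicitly asked: ./fix-gateway-auth.sh --apply
if [ "${1-}" = "--apply" ]; then main; fi
```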
Technical details
| Field | Value |
|---|---|
| Control ID | NC-OC-012 |
| Domain | OC |
| Severity | Critical |
| Status | Stable |
| Data source | openclaw_security_audit |
| Source type | authoritative |
| CheckId | gateway.loopback_no_auth |
| Mode | Mode 1 (OpenClaw native) |
| Introduced in | Library v1.1.0 |
False positive notes
None expected. This is a binary configuration check: either a gateway auth token is set or it isn't.
Suppress this finding
clawvitals exclude NC-OC-012 reason "your reason here"