Gateway auth token meets minimum length
What this checks
Checks that the gateway bearer token is long enough to resist brute-force attacks. OpenClaw emits a warning when a token is below the minimum recommended length.
Why it matters
A gateway auth token that is too short (for example, a memorable word or a short random string) provides much weaker protection than a properly generated cryptographic token. Bearer tokens used for API access should carry enough entropy to make brute-force guessing computationally infeasible: a 32-byte random token gives 256 bits, whereas an 8-character alphanumeric string gives under 48. OpenClaw sets a minimum length threshold and flags tokens below it. Note that the check measures length only, not randomness: a long token assembled from dictionary words or a predictable pattern passes the check but is still guessable, so always generate tokens from a cryptographic random source.
How to fix it
Generate a properly sized random token and update the gateway:
```bash
# Generate a 32-byte (64 hex character) random token:
openssl rand -hex 32
# Set it:
openclaw gateway auth set --type bearer --token <new-token>
openclaw gateway restart
```
Store the new token securely (a secrets manager or the credential store your deployment already uses) and update every client that presents the old token (Slack apps, webhooks, mobile apps), since they will be rejected once the gateway restarts. A token passed as a command-line argument is written to your shell history and is visible in the process list while the command runs, so clear it from history after setting it.
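A small Python version of this check, added here as an illustration and not OpenClaw's or clawvitals' own code: it reproduces the length test, generates a 32-byte token the way `openssl rand -hex 32` does, and works through the brute-force arithmetic for a few sample tokens. `MIN_TOKEN_CHARS` is an assumption set to the 64 hex characters recommended above, since OpenClaw's real threshold is not given on this page; the sample tokens and the 1e9 guesses-per-second attacker rate are constructed for the demonstration.

```python
"""Added example, not OpenClaw's or clawvitals' own code.

Reproduces the length check behind this finding, generates a compliant token
the way `openssl rand -hex 32` does, and works through the brute-force
arithmetic for a few constructed sample tokens.

Assumption: OpenClaw's real minimum-length threshold is not given on this page,
so MIN_TOKEN_CHARS is a placeholder set to the 64 hex characters recommended
in the fix above.
"""
import math
import secrets
from typing import Optional

CHECK_ID = "gateway.token_too_short"  # CheckId from the table on this page
MIN_TOKEN_CHARS = 64                  # assumed threshold, see module docstring
HEX_ALPHABET = "0123456789abcdef"


def generate_token(nbytes: int = 32) -> str:
    """Python equivalent of `openssl rand -hex 32`: CSPRNG bytes as lowercase hex."""
    return secrets.token_hex(nbytes)


def check_token(token: Optional[str], min_chars: int = MIN_TOKEN_CHARS) -> dict:
    """Mirror the finding logic: fire only when a token is set and too short.

    A missing token belongs to a different finding (NC-OC-012), so it is
    reported without this check id. Only length is measured here; a long but
    predictable token passes, which is why generate_token() matters.
    """
    if not token:
        return {"check": None, "ok": False, "reason": "no token set (see NC-OC-012)"}
    return {
        "check": CHECK_ID,
        "ok": len(token) >= min_chars,
        "length": len(token),
        "min_chars": min_chars,
    }


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def expected_brute_force_years(bits: float, guesses_per_second: float = 1e9) -> float:
    """Expected time to guess a token: half the keyspace at the attacker's rate."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def brute_force_summary(token: str, alphabet_size: int, guesses_per_second: float = 1e9) -> dict:
    """Bits of entropy and expected years to brute-force a token of this shape."""
    bits = keyspace_bits(len(token), alphabet_size)
    return {"bits": bits, "expected_years": expected_brute_force_years(bits, guesses_per_second)}


if __name__ == "__main__":
    # Constructed samples: a memorable word (letters + digits, 36 symbols), a short
    # random alphanumeric string (62 symbols) and a compliant 32-byte hex token.
    samples = [("hunter2", 36), ("xK9qL2mZ", 62), (generate_token(), len(HEX_ALPHABET))]
    for token, alphabet in samples:
        finding = check_token(token)
        strength = brute_force_summary(token, alphabet)
        print(f"{token[:12]:<14} len={finding['length']:>3} ok={finding['ok']!s:<5} "
              f"bits={strength['bits']:6.1f} years@1e9/s={strength['expected_years']:.3g}")
```

The attacker rate is a knob, not a prediction: an online attacker against a rate-limited gateway manages far fewer than 1e9 guesses per second, an offline attacker who has obtained a token hash may manage more. The point is the gap between the two shapes of token, which no plausible rate closes.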
Technical details
| Field | Value |
|---|---|
| Control ID | NC-OC-014 |
| Domain | OC |
| Severity | High |
| Status | Stable |
| Data source | openclaw_security_audit |
| Source type | authoritative |
| CheckId | gateway.token_too_short |
| Mode | Mode 1 (OpenClaw native) |
| Introduced in | Library v1.1.0 |
False positive notes
Only fires when a gateway auth token is set and is below OpenClaw's minimum length threshold. If no token is set at all, NC-OC-012 fires instead. If you've intentionally set a short token for local development, rotate it before any external exposure.
Suppress this finding
```bash
clawvitals exclude NC-OC-014 reason "local dev only, not externally accessible"
```