solution web-ui high linux macos windows

Control UI error: missing scope: operator.read (LAN/IP access)

Work around a regression where the Control UI works on localhost but fails via LAN/IP with 'missing scope: operator.read'.

By CoClaw Team • • Updated June 8, 2026

Symptoms

  • Opening the Control UI via a LAN/IP URL (for example, http://<gateway-ip>:18789/) shows Connected on the overview, but other pages show:
    • Error: missing scope: operator.read
  • Opening the same gateway via http://127.0.0.1:18789/ works normally.
  • Older 2026.2-era reports tied this to specific LAN/IP upgrade regressions; current stable users should first verify tokenized loopback/dashboard access and pairing/origin behavior.

Cause

In some versions, the Control UI’s auth/scope check can break when the UI is accessed via a non-loopback origin (LAN/IP), even though the gateway is reachable and otherwise healthy. The UI then fails RBAC checks and reports a missing operator.read scope.

Fix

Open the UI using the tokenized link from:

openclaw dashboard

If the gateway is on another machine, tunnel it and use the loopback URL locally:

ssh -N -L 18789:127.0.0.1:18789 user@host

Then open:

  • http://127.0.0.1:18789/?token=...

2) If this started after an update: use generic rollback discipline

If loopback/tunnel access and pairing checks still fail and you need to roll back, do not jump to a historical pin. Follow the generic last-working-version flow in /guides/updating-and-migration, and pin only a version you have personally validated as working in your environment.

Verify

  • Open the Control UI and navigate to pages that previously failed (for example, Operators / Sessions / Settings).
  • The UI loads data without missing scope: operator.read.
  • GitHub issue: #16862

Verification & references

  • Reviewed by:CoClaw Code Team
  • Last reviewed:June 8, 2026
  • Verified on: Linux · macOS · Windows

References

Official docs

  1. OpenClaw docs: /gateway/authentication
  2. OpenClaw docs: /web/dashboard

Issue threads

  1. OpenClaw GitHub issue #16862
Want to explore more? Browse all solutions or ask in the Community Forum .
Report a problem

Related Resources

Control UI assets missing
Fix
Fix 'Control UI assets not found' by building UI assets (pnpm ui:build) or running openclaw doctor UI repair when sources are present.
Control UI shows 'unauthorized' / keeps reconnecting
Fix
Fix OpenClaw dashboard/control UI auth errors (unauthorized, 1008, reconnect loop) by aligning gateway token/password and reachability.
Control UI: disconnected (1008): pairing required
Fix
Fix Control UI disconnects caused by device pairing. Approve the browser/device once, then reconnect (common on remote hosts and Docker).
Control UI WebChat: queued user messages are processed but do not appear in the thread
Fix
Work around the Control UI limitation where a message sent during an active reply is queued internally but not rendered back into the WebChat conversation.
OpenClaw Pairing Explained: The Trust Model Behind Control UI
Guide
Understand what Control UI pairing actually proves, why local and remote access behave differently, where users confuse pairing with auth, and how to troubleshoot trust failures without guessing.
OpenClaw Control UI Auth & Pairing: Fix 'unauthorized', 1008, and Remote Dashboard Access
Guide
Restore stable Control UI access by separating gateway auth from device pairing, fixing unauthorized and 1008 loops, and verifying that your remote path stays stable.