solution gateway high macos linux windows

Gateway: 'disconnected (1008): pairing required' after update (scope-upgrade / operator.write)

If new connections (Control UI, sub-agents, cron announce, webchat) are rejected with WebSocket 1008 'pairing required' after an update or reinstall, you may need to approve a device scope-upgrade (often `operator.write`).

By CoClaw Team

Symptoms

  • The gateway is running, but new connections fail with:
    • disconnected (1008): pairing required (Control UI / webchat), or
    • gateway closed (1008): pairing required (CLI / sessions_spawn / cron announce).
  • One existing session may still work, but anything that opens a new WebSocket gets rejected.
  • This often starts after:
    • openclaw update,
    • openclaw gateway install --force,
    • deleting/resetting ~/.openclaw/identity / ~/.openclaw/devices,
    • changing gateway auth/bind settings.

Cause

OpenClaw enforces device pairing (and scoped device access) on gateway WebSocket connections.

Sometimes the device is already paired, but the new connection requests a higher scope (a scope upgrade), for example operator.write. In that case the gateway still closes the connection with 1008: pairing required until the scope upgrade is approved.

Fix

1) Approve the pending device request

openclaw devices list
openclaw devices approve <requestId>

Tip: if there is only one pending request, you can often do:

openclaw devices approve

2) If it is a scope-upgrade: rotate the operator token with operator.write

First find the paired device id:

openclaw devices list --json

Then rotate the operator token to include the missing scope(s):

openclaw devices rotate --device <deviceId> --role operator \
  --scope operator.read --scope operator.write

If your setup requires additional operator scopes, include them in the rotate command as well.

3) Confirm what the gateway thinks is happening (logs)

On the gateway host:

openclaw logs --follow | rg -i "pairing required|scope-upgrade|devices"

If you see reason=scope-upgrade in logs, step (2) is usually required.

Verify

  • Control UI loads without disconnect:
    • open http://127.0.0.1:18789/
  • Sub-agents work again:
    • retry your sessions_spawn call
  • Cron announce delivery no longer errors (if this was the trigger):
    • wait for the next cron run
  • CoClaw: Control UI pairing required: /troubleshooting/solutions/control-ui-pairing-required/

Verification & references

  • Reviewed by:CoClaw Editorial Team
  • Last reviewed:March 14, 2026
  • Verified on: macOS · Linux · Windows

References

Official docs

  1. OpenClaw docs: /cli/devices
  2. OpenClaw docs: /web/control-ui

Issue threads

  1. OpenClaw GitHub issue #21236
  2. OpenClaw GitHub issue #22298
  3. OpenClaw GitHub issue #22299
  4. OpenClaw GitHub issue #23044
Want to explore more? Browse all solutions or ask in the Community Forum .
Report a problem

Related Resources

Control UI: disconnected (1008): pairing required
Fix
Fix Control UI disconnects caused by device pairing. Approve the browser/device once, then reconnect (common on remote hosts and Docker).
Control UI error: missing scope: operator.read (LAN/IP access)
Fix
Work around a regression where the Control UI works on localhost but fails via LAN/IP with 'missing scope: operator.read'.
Control UI: disconnected (1008): device identity required (HTTP / insecure context)
Fix
Fix Control UI failures caused by opening the dashboard over plain HTTP on a remote host. Use HTTPS (recommended) or local access; optionally allow insecure auth.
Control UI: dashboard root returns plain-text 'Not Found' after upgrade (pnpm global install)
Fix
Fix cases where the gateway starts normally after an upgrade, but `/` returns plain-text `Not Found` until Control UI assets are copied out of the pnpm global package tree and `gateway.controlUi.root` points at that local copy.
OpenClaw Control UI Auth & Pairing: Fix 'unauthorized', 1008, and Remote Dashboard Access
Guide
A practical guide to Control UI failures: why 'unauthorized' happens, how tokenized dashboard links work, what 'disconnected (1008): pairing required' really means, and how to connect safely to a remote gateway.
OpenClaw CLI Command Cheat Sheet (and the Reddit FAQ)
Guide
A task-first map of OpenClaw commands, plus the recurring questions from Reddit: gateway disconnected (4008), dashboard unauthorized, pairing required (1008), TUI loops, and “what do I run to debug this?”