solution gateway high macos linux windows

Gateway: 'disconnected (1008): pairing required' after update (scope-upgrade)

If new connections (Control UI, sub-agents, cron announce, webchat) are rejected with WebSocket 1008 'pairing required' after an update or reinstall, approve only the device or scope-upgrade shown by logs.

By CoClaw Team •

Symptoms

  • The gateway is running, but new connections fail with:
    • disconnected (1008): pairing required (Control UI / webchat), or
    • gateway closed (1008): pairing required (CLI / sessions_spawn / cron announce).
  • One existing session may still work, but anything that opens a new WebSocket gets rejected.
  • This often starts after:
    • openclaw update,
    • openclaw gateway install --force,
    • deleting/resetting ~/.openclaw/identity / ~/.openclaw/devices,
    • changing gateway auth/bind settings.

Cause

OpenClaw enforces device pairing (and scoped device access) on gateway WebSocket connections.

Sometimes the device is already paired, but the new connection requests a higher scope (a scope upgrade). In that case the gateway still closes the connection with 1008: pairing required until the missing scope shown by logs is approved.

Fix

1) Approve the pending device request

openclaw devices list
openclaw devices approve <requestId>

Tip: if there is only one pending request, you can often do:

openclaw devices approve

2) If logs show a scope-upgrade, approve only the missing scope

Check logs before rotating anything:

openclaw logs --follow | rg -i "pairing required|scope-upgrade|devices"

If you see reason=scope-upgrade, use the current device CLI docs to approve or rotate only the missing scope named by the log. Do not assume every post-update pairing error requires an operator write scope.

3) Confirm what the gateway thinks is happening (logs)

On the gateway host:

openclaw logs --follow | rg -i "pairing required|scope-upgrade|devices"

If you do not see reason=scope-upgrade, treat it as ordinary pairing and do not rotate scopes.

Verify

  • Control UI loads without disconnect:
    • open http://127.0.0.1:18789/
  • Sub-agents work again:
    • retry your sessions_spawn call
  • Cron announce delivery no longer errors (if this was the trigger):
    • wait for the next cron run
  • CoClaw: Control UI pairing required: /troubleshooting/solutions/control-ui-pairing-required/

Verification & references

  • Reviewed by:CoClaw Code Team
  • Last reviewed:March 14, 2026
  • Verified on: macOS · Linux · Windows

References

Official docs

  1. OpenClaw docs: /cli/devices
  2. OpenClaw docs: /web/control-ui

Issue threads

  1. OpenClaw GitHub issue #21236
  2. OpenClaw GitHub issue #22298
  3. OpenClaw GitHub issue #22299
  4. OpenClaw GitHub issue #23044
Want to explore more? Browse all solutions or ask in the Community Forum .
Report a problem

Related Resources

Control UI: disconnected (1008): pairing required
Fix
Fix Control UI disconnects caused by device pairing. Approve the browser/device once, then reconnect (common on remote hosts and Docker).
Control UI: disconnected (1008): device identity required (HTTP / insecure context)
Fix
Fix Control UI failures caused by opening the dashboard over plain HTTP on a remote host. Use HTTPS or local access first; treat remote plain HTTP as an advanced documented exception.
Control UI: dashboard root returns plain-text 'Not Found' after upgrade (pnpm global install)
Fix
Fix cases where the gateway starts normally after an upgrade, but `/` returns plain-text `Not Found` until Control UI assets are copied out of the pnpm global package tree and `gateway.controlUi.root` points at that local copy.
Gateway: reverse proxy 502 / HTTP/0.9 after update (TLS auto-generate enabled)
Fix
Fix reverse proxy breakage after an update enables gateway TLS: disable gateway TLS or update your proxy to talk HTTPS to the gateway.
OpenClaw Control UI Auth & Pairing: Fix 'unauthorized', 1008, and Remote Dashboard Access
Guide
Restore stable Control UI access by separating gateway auth from device pairing, fixing unauthorized and 1008 loops, and verifying that your remote path stays stable.
OpenClaw Pairing Explained: The Trust Model Behind Control UI
Guide
Understand what Control UI pairing actually proves, why local and remote access behave differently, where users confuse pairing with auth, and how to troubleshoot trust failures without guessing.