Fix OpenClaw Control UI HTTP Auth Error After 2026.2.21 Update

TL;DR: Quick Fix

After OpenClaw 2026.2.21, `allowInsecureAuth: true` no longer allows token-only HTTP auth; you must use HTTPS, typically via Nginx with a self-signed certificate.

Error Signal

    disconnected (1008): control ui requires device identity (use HTTPS or localhost secure context)

What's Happening

Your OpenClaw gateway (version 2026.2.21 and later) has changed how it handles Control UI authentication. Previously, setting `gateway.controlUi.allowInsecureAuth: true` let you use token-based auth over plain HTTP. Now, the gateway enforces device identity checks even with that setting. This check needs a secure context (HTTPS or localhost), which plain HTTP over a LAN doesn't provide, so the connection fails.

The error message shown in the Control UI (`disconnected (1008): control ui requires device identity...`) is now misleading because it still suggests setting `allowInsecureAuth: true` for token-only HTTP, which no longer works.

The Fix

The reliable workaround is to serve your OpenClaw gateway through a reverse proxy like Nginx and enable SSL, even with a self-signed certificate. This provides the secure context the gateway now requires.

  1. Generate a self-signed certificate and key:

    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/openclaw.key -out /etc/ssl/certs/openclaw.crt
    

    Follow the prompts (you can fill in details like 'Common Name' with your gateway's IP or hostname).

  2. Configure Nginx as a reverse proxy: Create or edit an Nginx server block (e.g., /etc/nginx/sites-enabled/openclaw).

    server {
        listen 443 ssl;
        server_name your_gateway_ip_or_hostname; # e.g., 192.168.1.100
    
        ssl_certificate /etc/ssl/certs/openclaw.crt;
        ssl_certificate_key /etc/ssl/private/openclaw.key;
    
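        location / {
            proxy_pass http://127.0.0.1:8080; # Assuming gateway runs on port 8080
            # The 1008 in the error is a WebSocket close code: pass the
            # WebSocket upgrade handshake through to the gateway.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }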
    }
    
  3. Reload Nginx:

    sudo systemctl reload nginx
    

Now, access your Control UI via https://your_gateway_ip_or_hostname. Your browser will likely warn you about the self-signed certificate; accept the risk to proceed.

Why This Occurs

The change in OpenClaw version 2026.2.21 intentionally requires a secure context (like HTTPS) for the Control UI. This is because modern browser security features, specifically the Web Crypto API needed for device identity verification, are only available in secure contexts. A page loaded over plain HTTP from a LAN address is not a secure context, so the browser does not enable these APIs and the authentication flow breaks.
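To check in advance which Control UI URLs a browser will treat as a secure context, the rule described above can be approximated as follows. This is an added example, not OpenClaw code; the function names and sample URLs are assumptions made for illustration, and only http(s)/ws(s) URLs are covered.

```javascript
// Added example, not OpenClaw code. Approximates the browser's
// "potentially trustworthy origin" rule (W3C Secure Contexts) for
// http(s)/ws(s) URLs only; other schemes are reported as not secure.

function isLoopbackHost(hostname) {
  const host = hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true; // URL.hostname keeps the brackets
  return /^127(\.\d{1,3}){3}$/.test(host); // all of 127.0.0.0/8
}

// Predicts whether a page at pageUrl gets a secure context. For https this
// assumes the TLS connection succeeds, which with a self-signed certificate
// means after the browser warning has been accepted.
function wouldBeSecureContext(pageUrl) {
  const url = new URL(pageUrl);
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  if (url.protocol === "http:" || url.protocol === "ws:") {
    return isLoopbackHost(url.hostname);
  }
  return false;
}

// Runtime check to run against `window` in the browser console on the
// Control UI page: both values must be true for Web Crypto to be usable.
function runtimeCheck(globalObj) {
  return {
    isSecureContext: globalObj.isSecureContext === true,
    hasSubtleCrypto: Boolean(globalObj.crypto && globalObj.crypto.subtle),
  };
}

// Constructed sample URLs (placeholders, not real hosts).
const samples = [
  "http://192.168.1.100:8080", // plain HTTP over LAN
  "http://localhost:8080",
  "http://127.0.0.1:8080",
  "https://192.168.1.100", // behind the Nginx TLS proxy
];
for (const u of samples) {
  console.log(u, "->", wouldBeSecureContext(u) ? "secure context" : "NOT secure");
}
```

In the browser, `runtimeCheck(window)` on the loaded Control UI page confirms what the prediction says for that URL.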

Prevention

Always review the changelog for security-related updates. For network-accessible services, plan to use HTTPS, even for internal networks, to ensure compatibility with modern browser security requirements and prevent future authentication issues.


Last Updated: March 2026
