ClawKit LogoClawKit

Fix "Device Identity Required" Error

Not the Same as "Pairing Required"

"Device identity required" means the client doesn't have a device identity at all (no ID + cryptographic keys). "Pairing required" means the identity exists but hasn't been approved yet. This error happens before pairing can even begin.

The gateway requires every connecting client to present a device identity — a unique ID and cryptographic key pair. If the client can't generate or present one, the gateway closes the connection with code 1008.

Jump to Fix

Control UI Over LAN (Most Common) HTTPS / Secure Context CLI Node Mode Bypass Device Auth (Dev Only) Still Not Working

What the Error Looks Like

disconnected (1008): device identity required
gateway closed (1008): device identity required
node host gateway closed (1008): device identity required
disconnected (1008): control ui requires https or localhost (secure context)

The last variant (control ui requires https or localhost) is the same root cause — the browser can't generate device identity keys because it's not in a secure context.

Control UI Over LAN (Most Common)

This is the #1 cause. You're accessing the Control UI from another device on your network (e.g., http://192.168.1.100:18789) instead of http://localhost:18789.

Why This Fails

Browsers only allow crypto.subtle (needed to generate device identity keys) in secure contexts: HTTPS or localhost. When you access via a LAN IP over HTTP, the browser refuses to generate the keys, so the client has no device identity to present.

http://localhost:18789— secure context (works)
https://192.168.1.100:18789— secure context (works)
http://192.168.1.100:18789— NOT secure (fails)

Fix: Use HTTPS or Token URL

Option A: Access via Token URL (Easiest)

The gateway provides a tokenized URL that bypasses the device identity requirement:

Get tokenized URL
# The gateway prints the token URL on startup
openclaw gateway start

# Or access directly:
# http://192.168.1.100:18789/?token=YOUR_APP_TOKEN

Option B: Use Tailscale / Cloudflare Tunnel

For proper HTTPS over LAN, use a tunneling service:

Tailscale (recommended for LAN)
# Install Tailscale on both machines
# Then access via Tailscale hostname (HTTPS automatic)
https://your-machine.tailnet-name.ts.net:18789

CLI Node Mode

When running openclaw node run, the CLI must present a device identity. If it can't find or generate one, you get this error.

Provide identity explicitly
# Provide node ID and display name
openclaw node run --node-id my-worker --display-name "Build Server"

# Or pre-approve in the gateway config
openclaw devices list
openclaw devices approve <request-id>

Bypass Device Auth (Development Only)

Security Warning

Disabling device auth removes an important security layer. Only use this in development or trusted local networks. Never use in production or on internet-exposed gateways.

Disable device auth (dev only)
openclaw config set gateway.controlUi.dangerouslyDisableDeviceAuth true
openclaw config set gateway.controlUi.allowInsecureAuth true
openclaw gateway restart

Note: On older versions, the dangerouslyDisableDeviceAuth setting was ignored due to a bug (fixed in PRs #17572, #17705). Make sure you're on the latest version:

Update to latest
npm install -g openclaw@latest

Still Not Working?

Run the Doctor

npx clawkit-doctor@latest

Or use the web-based Error Doctor to paste the full error and get matched fixes.

Seeing Other Errors Too?

Device identity issues often come with these related problems:

Pairing Required

Identity exists but not yet approved

Gateway Token Mismatch

Shared secret between client and gateway

Device Token Mismatch

Per-device credential expired or rotated

Connection Refused

Gateway not running or port blocked

Did this guide solve your problem?

Need Help?

Try our automated tools to solve common issues instantly.

Run Local DoctorConfig Wizard