ClawKit Logo
ClawKitReliability Toolkit

Fix "Device Token Mismatch" Error

Most Common Gateway Error

This is the #1 reported error in OpenClaw communities. If you see disconnected (1008): unauthorized: device token mismatch, this guide will fix it.

Next Step

Fix now, then reduce repeat incidents

If this issue keeps coming back, validate your setup in Doctor first, then harden your config.

Open DoctorHarden Config
Need proactive alerts? Join Monitor early access.

The device token mismatch error means your client's stored authentication token no longer matches what the Gateway expects. This usually happens after a Gateway restart, crash, update, or when a zombie process is running.

Jump to Your Situation

Quick Fix (30 seconds) Rotate / Reissue Device Token Zombie Process Holding Port After Gateway Update Break-glass Auth Settings openclaw doctor --fix Windows-Specific Issues Still Not Working

What the Error Looks Like

You'll see one or more of these messages:

disconnected (1008): unauthorized: device token mismatch
gateway closed (1008): unauthorized: device token mismatch
Error: gateway connect failed β€” unauthorized: device token mismatch
unauthorized: device token mismatch (rotate/reissue device token)

The (1008) is a WebSocket close code meaning "policy violation" β€” in this case, the Gateway rejected your client's device token.

Wrong page? Check your exact error message

THIS PAGE

unauthorized: device token mismatch

Per-device credential issue β€” token expired/rotated after Gateway restart. Fix: rotate/reset device token.

OTHER PAGE β†’

unauthorized: gateway token mismatch (set gateway.remote.token…)

Shared secret config mismatch β€” common in Docker. Fix: align gateway.auth.token and gateway.remote.token.

Your Gateway restarted β€” and you didn't know until it broke.

Get instant alerts when your Gateway goes down. Early access to Gateway Monitor β€” free.

Quick Fix (Works 80% of the Time)

Restart Gateway + Clear Browser

# Step 1: Restart the Gateway
openclaw gateway restart
# Step 2: Open the Dashboard in Incognito / Private window
# This forces a fresh device token handshake

Why Incognito? Your normal browser cached the old device token. Incognito starts clean.

If this didn't work, read on to identify the specific cause β€” or let the Doctor diagnose it for you:

Run Web Doctor (Paste Your Error)
openclaw doctor --fix

How to Rotate / Reissue the Device Token

The error message itself tells you: rotate/reissue device token. Here's how:

Method 1: CLI Command (Recommended)

Rotate Device Token
# Reissue a fresh device token
openclaw gateway token rotate

# Verify the new token is active
openclaw gateway token status

# Restart to apply
openclaw gateway restart

Method 2: Full Reset

If rotation doesn't work, do a full token reset:

Full Token Reset
# Stop the Gateway
openclaw gateway stop

# Remove stored device tokens
openclaw gateway token reset

# Start fresh
openclaw gateway start

After a token reset, all connected devices will need to re-authenticate. Open the Dashboard in a fresh browser window to complete the handshake.

Did the token reset fix it?

Yes, it worked No, still broken β†’ run Doctor

Cause: Zombie Process Holding the Port

The Hidden Killer

An old node.exe process crashed but didn't release port 18789. Your new Gateway starts, but clients connect to the dead process which has the old token β€” causing permanent mismatch errors.

How to Detect

Check Port 18789
# macOS / Linux
lsof -i :18789

# Windows
netstat -ano | findstr :18789

If you see a process listening on port 18789 while the Gateway is supposedly stopped, that's your zombie.

How to Fix

Kill Zombie Process
# macOS / Linux β€” kill the zombie
kill -9 <PID>

# Windows β€” kill the zombie (replace 9800 with your PID)
taskkill /PID 9800 /F

# Verify port is free
# macOS/Linux: lsof -i :18789 (should return nothing)
# Windows: netstat -ano | findstr :18789 (should return nothing)

# Now start clean
openclaw gateway start

Cause: After a Gateway Update

Updating OpenClaw can regenerate internal tokens. The client still holds the old token from before the update. Fix:

After Gateway Update
# Reinstall the service with new config
openclaw gateway install --force

# Restart
openclaw gateway restart

# Then open Dashboard in Incognito to get the new token

Cause: Break-glass Auth Settings Left On

If you previously enabled insecure auth settings for debugging (common advice in Discord), they may now be causing the mismatch instead of fixing it. Disable them:

Disable Break-glass Auth
# Revert break-glass settings
openclaw config set gateway.controlUi.allowInsecureAuth false
openclaw config set gateway.controlUi.dangerouslyDisableDeviceAuth false

# Restart
openclaw gateway restart

Security Warning

dangerouslyDisableDeviceAuth disables all device authentication. Never leave this on in production. It was designed as a temporary debugging tool only.

Auto-Fix with openclaw doctor

The built-in diagnostic tool can detect and fix token mismatch issues automatically:

Run the Doctor

# Diagnose the issue
openclaw doctor
# Auto-fix (includes token rotation + zombie cleanup)
openclaw doctor --fix

The --fix flag will: kill zombie processes, rotate device tokens, restart the Gateway, and verify connectivity.

You can also use our web-based Doctor tool to run diagnostics from your browser.

Windows-Specific Issues

On Windows, the device token mismatch is especially common due to how background processes work. Key differences:

Scheduled Task conflicts

The Windows Scheduled Task (service) may run a different Gateway instance than your CLI. Run openclaw gateway install --force to sync them.

Zombie processes are harder to find

Windows doesn't always release ports after crashes. Use netstat -ano | findstr :18789 and taskkill /PID <PID> /F to clean up.

Multiple derived ports

OpenClaw uses ports 18789, 18791, and 18792. A zombie on any of these can cause token issues. Check all three.

Windows Full Cleanup
# Kill all zombie processes on OpenClaw ports
netstat -ano | findstr "18789 18791 18792"
taskkill /PID <PID> /F

# Force reinstall the service
openclaw gateway install --force

# Restart
openclaw gateway restart

For a complete Windows troubleshooting walkthrough, see Fix Gateway Errors on Windows.

Decision Flowchart

If you've tried everything above, walk through this checklist:

1

Is a zombie process holding port 18789?

Kill it, then restart Gateway

2

Did you recently update OpenClaw?

Run openclaw gateway install --force

3

Are break-glass auth settings enabled?

Disable them and restart

4

Are you opening Dashboard in a normal browser?

Try Incognito/Private window instead

5

On Windows with Scheduled Task?

Check for task/CLI config mismatch

6

Multiple devices connecting?

Run openclaw gateway token reset to reissue for all

7

None of the above?

Run openclaw doctor --fix for automatic diagnosis

Still Stuck?

Run our diagnostic tool to catch issues automatically:

openclaw doctor --fix

Or use the web-based Doctor tool for a guided walkthrough.

Seeing Other Errors Too?

Device token issues often come with these related problems:

Gateway Lock Timeout

"gateway already running" after restart

Pairing Required (1008)

Docker or LAN device not approved

Browser Control Timeout

Browser automation stops responding

Windows Gateway Errors

Zombie processes, port conflicts, crash loops

Your token expired because the Gateway restarted β€” and you didn't know.

Gateway Monitor watches your instance 24/7 and sends an alert the second it goes down, so you can act before tokens expire.

Get Early Access

Fix It Faster With Our Tools

Config Wizard

Generate a production-ready clawhub.json in 30 seconds.

Local Doctor

Diagnose Node.js, permissions, and config issues instantly.

Cost Simulator

Calculate your agent burn rate before you get surprised.

Did this guide solve your problem?

Need Help?

Try our automated tools to solve common issues instantly.

Run Local DoctorConfig Wizard