What causes "missing scope: operator.read" in OpenClaw?

The API key configured in openclaw.json was generated without the operator.read scope. This scope is required for the Web UI to query session state and agent status.

How do I fix the operator.read scope error?

Regenerate your API key from your provider dashboard with all operator scopes enabled, then update the apiKey field in openclaw.json and restart the gateway.

Does this affect the CLI or only the Web UI?

The error surfaces in the Web UI because it makes direct API calls that require operator.read. CLI commands may still work if they use a different authentication path.

Fix: Web UI Error — missing scope: operator.read

Scope Missing From API Key

The API key in your openclaw.json was created without the operator.read scope. The Web UI cannot query agent state without it.

The OpenClaw Web UI makes direct API calls to read session status and agent state. These calls require the operator.read scope. If your key was generated before this scope was introduced, or was created with restricted permissions, you'll see this error on every page load.

Next Step

Fix now, then reduce repeat incidents

If this issue keeps coming back, validate your setup in Doctor first, then harden your config.

Open Doctor Harden Config

Need proactive alerts? Join Monitor early access.

Jump to Fix

Fix A: Regenerate API Key with Operator Scopes Fix B: Check Key Type (Personal vs Project) Fix C: Update openclaw.json Verify the Fix Still Broken?

What You See

Web UI Error: missing scope: operator.read

Error: insufficient_scope — operator.read required

Web UI loads but sessions show empty / spinning forever

Fix A: Regenerate Your API Key With Operator Scopes

The fastest fix is to regenerate your API key and make sure all operator scopes are selected during creation. Where to do this depends on your model provider:

Anthropic Console

console.anthropic.com/keys

Select "All permissions" or ensure operator.read and operator.write are checked

OpenAI Platform

platform.openai.com/api-keys

Create a key with "All" permissions (restricted keys may lack operator scopes)

OpenRouter

openrouter.ai/keys

Use a full-access key; provisioned keys may not expose operator scopes

Fix B: Check Key Type — Personal vs Project Key

Some providers distinguish between personal keys (full access) and project keys (scoped). The Web UI requires scopes that project keys sometimes omit by default.

If you are using a project-scoped key, switch to a personal key temporarily to confirm the error goes away. Then create a new project key with operator.read explicitly enabled.

Fix C: Update openclaw.json With the New Key

After generating a new key, update your config:

openclaw.json — API Key

{
  "llm": {
    "apiKey": "sk-YOUR-NEW-KEY-HERE",
    "model": "claude-sonnet-4-5"
  }
}

Then restart the gateway:

Restart Gateway

openclaw gateway restart

Verify the Fix

Open the Web UI and check that session status loads without errors. You can also confirm the key has the right scope from the CLI:

Check Gateway Status

openclaw status --verbose

Look for api_key_scopes: [operator.read, operator.write, ...] in the output. If the key is valid but scopes are missing, the gateway will log a warning on startup.

Still Broken?

Run the Doctor to check key validity and scope configuration automatically:

Run the Doctor

npx clawkit-doctor@latest

Checks API key validity, scope presence, and Web UI reachability.

Related Issues

Auth and key problems that often appear together:

Fix It Faster With Our Tools

Config Wizard

Generate a production-ready clawhub.json in 30 seconds.

Local Doctor

Diagnose Node.js, permissions, and config issues instantly.

Cost Simulator

Calculate your agent burn rate before you get surprised.

Gateway Monitor

Detect token spikes and gateway incidents before users complain.

Skill Finder

Describe your use case and find the right Claude Code skill instantly.

Did this guide solve your problem?