docs/cli/qr.md

---
summary: "CLI reference for `openclaw qr` (generate mobile pairing QR + setup code)"
read_when:
  - You want to pair a mobile node app with a gateway quickly
  - You need setup-code output for remote/manual sharing
title: "qr"
---

# `openclaw qr`

Generate a mobile pairing QR and setup code from your current Gateway configuration.

## Usage

```bash
openclaw qr
openclaw qr --setup-code-only
openclaw qr --json
openclaw qr --remote
openclaw qr --url wss://gateway.example/ws
```

## Options

- `--remote`: prefer `gateway.remote.url`; if it is unset, `gateway.tailscale.mode=serve|funnel` can still provide the remote public URL
- `--url <url>`: override gateway URL used in payload
- `--public-url <url>`: override public URL used in payload
- `--token <token>`: override which gateway token the bootstrap flow authenticates against
- `--password <password>`: override which gateway password the bootstrap flow authenticates against
- `--setup-code-only`: print only setup code
- `--no-ascii`: skip ASCII QR rendering
- `--json`: emit JSON (`setupCode`, `gatewayUrl`, `auth`, `urlSource`)

## Notes

- `--token` and `--password` are mutually exclusive.
- The setup code itself now carries an opaque short-lived `bootstrapToken`, not the shared gateway token/password.
- In the built-in node/operator bootstrap flow, the primary node token still lands with `scopes: []`.
- If bootstrap handoff also issues an operator token, it stays bounded to the bootstrap allowlist: `operator.approvals`, `operator.read`, `operator.talk.secrets`, `operator.write`.
- Bootstrap scope checks are role-prefixed. That operator allowlist only satisfies operator requests; non-operator roles still need scopes under their own role prefix.
- Mobile pairing fails closed for Tailscale/public `ws://` gateway URLs. Private LAN `ws://` remains supported, but Tailscale/public mobile routes should use Tailscale Serve/Funnel or a `wss://` gateway URL.
- With `--remote`, OpenClaw requires either `gateway.remote.url` or
  `gateway.tailscale.mode=serve|funnel`.
- With `--remote`, if effectively active remote credentials are configured as SecretRefs and you do not pass `--token` or `--password`, the command resolves them from the active gateway snapshot. If gateway is unavailable, the command fails fast.
- Without `--remote`, local gateway auth SecretRefs are resolved when no CLI auth override is passed:
  - `gateway.auth.token` resolves when token auth can win (explicit `gateway.auth.mode="token"` or inferred mode where no password source wins).
  - `gateway.auth.password` resolves when password auth can win (explicit `gateway.auth.mode="password"` or inferred mode with no winning token from auth/env).
- If both `gateway.auth.token` and `gateway.auth.password` are configured (including SecretRefs) and `gateway.auth.mode` is unset, setup-code resolution fails until mode is set explicitly.
- Gateway version skew note: this command path requires a gateway that supports `secrets.resolve`; older gateways return an unknown-method error.
- After scanning, approve device pairing with:
  - `openclaw devices list`
  - `openclaw devices approve <requestId>`
docs: align CLI docs and help surface 2026-02-22 20:04:08 +01:00			`---`
fix(pairing): align mobile setup with secure endpoints 2026-04-03 12:55:11 +05:30			summary: "CLI reference for `openclaw qr` (generate mobile pairing QR + setup code)"
docs: align CLI docs and help surface 2026-02-22 20:04:08 +01:00			`read_when:`
fix(pairing): align mobile setup with secure endpoints 2026-04-03 12:55:11 +05:30			`- You want to pair a mobile node app with a gateway quickly`
docs: align CLI docs and help surface 2026-02-22 20:04:08 +01:00			`- You need setup-code output for remote/manual sharing`
			`title: "qr"`
			`---`

			# `openclaw qr`

fix(pairing): align mobile setup with secure endpoints 2026-04-03 12:55:11 +05:30			`Generate a mobile pairing QR and setup code from your current Gateway configuration.`
docs: align CLI docs and help surface 2026-02-22 20:04:08 +01:00
			`## Usage`

			```bash
			`openclaw qr`
			`openclaw qr --setup-code-only`
			`openclaw qr --json`
			`openclaw qr --remote`
fix: switch pairing setup codes to bootstrap tokens 2026-03-12 22:22:44 +00:00			`openclaw qr --url wss://gateway.example/ws`
docs: align CLI docs and help surface 2026-02-22 20:04:08 +01:00			```

			`## Options`

docs: refresh remote bootstrap refs 2026-04-04 14:17:47 +01:00			- `--remote`: prefer `gateway.remote.url`; if it is unset, `gateway.tailscale.mode=serve\|funnel` can still provide the remote public URL
docs: align CLI docs and help surface 2026-02-22 20:04:08 +01:00			- `--url <url>`: override gateway URL used in payload
			- `--public-url <url>`: override public URL used in payload
fix: switch pairing setup codes to bootstrap tokens 2026-03-12 22:22:44 +00:00			- `--token <token>`: override which gateway token the bootstrap flow authenticates against
			- `--password <password>`: override which gateway password the bootstrap flow authenticates against
docs: align CLI docs and help surface 2026-02-22 20:04:08 +01:00			- `--setup-code-only`: print only setup code
			- `--no-ascii`: skip ASCII QR rendering
			- `--json`: emit JSON (`setupCode`, `gatewayUrl`, `auth`, `urlSource`)

			`## Notes`

			- `--token` and `--password` are mutually exclusive.
fix: switch pairing setup codes to bootstrap tokens 2026-03-12 22:22:44 +00:00			- The setup code itself now carries an opaque short-lived `bootstrapToken`, not the shared gateway token/password.
docs: refresh bootstrap handoff token refs 2026-04-04 14:32:32 +01:00			- In the built-in node/operator bootstrap flow, the primary node token still lands with `scopes: []`.
			- If bootstrap handoff also issues an operator token, it stays bounded to the bootstrap allowlist: `operator.approvals`, `operator.read`, `operator.talk.secrets`, `operator.write`.
docs: refresh setup-code bootstrap scope mirrors 2026-04-04 18:48:26 +01:00			`- Bootstrap scope checks are role-prefixed. That operator allowlist only satisfies operator requests; non-operator roles still need scopes under their own role prefix.`
fix(pairing): allow private lan mobile ws 2026-04-03 13:21:39 +05:30			- Mobile pairing fails closed for Tailscale/public `ws://` gateway URLs. Private LAN `ws://` remains supported, but Tailscale/public mobile routes should use Tailscale Serve/Funnel or a `wss://` gateway URL.
docs: refresh remote bootstrap refs 2026-04-04 14:17:47 +01:00			- With `--remote`, OpenClaw requires either `gateway.remote.url` or
			`gateway.tailscale.mode=serve\|funnel`.
feat(secrets): expand SecretRef coverage across user-supplied credentials (#29580 ) 2026-03-02 20:58:20 -06:00			- With `--remote`, if effectively active remote credentials are configured as SecretRefs and you do not pass `--token` or `--password`, the command resolves them from the active gateway snapshot. If gateway is unavailable, the command fails fast.
Gateway: add SecretRef support for gateway.auth.token with auth-mode guardrails (#35094 ) 2026-03-05 12:53:56 -06:00			- Without `--remote`, local gateway auth SecretRefs are resolved when no CLI auth override is passed:
			- `gateway.auth.token` resolves when token auth can win (explicit `gateway.auth.mode="token"` or inferred mode where no password source wins).
			- `gateway.auth.password` resolves when password auth can win (explicit `gateway.auth.mode="password"` or inferred mode with no winning token from auth/env).
			- If both `gateway.auth.token` and `gateway.auth.password` are configured (including SecretRefs) and `gateway.auth.mode` is unset, setup-code resolution fails until mode is set explicitly.
feat(secrets): expand SecretRef coverage across user-supplied credentials (#29580 ) 2026-03-02 20:58:20 -06:00			- Gateway version skew note: this command path requires a gateway that supports `secrets.resolve`; older gateways return an unknown-method error.
docs: align CLI docs and help surface 2026-02-22 20:04:08 +01:00			`- After scanning, approve device pairing with:`
			- `openclaw devices list`
			- `openclaw devices approve <requestId>`