2025-12-18 22:40:46 +00:00
---
summary: "Browser-based control UI for the Gateway (chat, nodes, config)"
read_when:
- You want to operate the Gateway from a browser
- You want Tailnet access without SSH tunnels
2026-01-31 16:04:03 -05:00
title: "Control UI"
2025-12-18 22:40:46 +00:00
---
2026-01-31 21:13:13 +09:00
2025-12-18 22:40:46 +00:00
# Control UI (browser)
2026-01-03 17:54:52 +01:00
The Control UI is a small **Vite + Lit ** single-page app served by the Gateway:
2025-12-18 22:40:46 +00:00
2026-01-03 17:54:52 +01:00
- default: `http://<host>:18789/`
2026-01-30 03:15:10 +01:00
- optional prefix: set `gateway.controlUi.basePath` (e.g. `/openclaw` )
2025-12-18 22:40:46 +00:00
It speaks **directly to the Gateway WebSocket ** on the same port.
2026-01-07 00:41:31 +01:00
## Quick open (local)
If the Gateway is running on the same computer, open:
2026-02-06 10:08:59 -05:00
- [http://127.0.0.1:18789/ ](http://127.0.0.1:18789/ ) (or [http://localhost:18789/ ](http://localhost:18789/ ))
2026-01-07 00:41:31 +01:00
2026-01-30 03:15:10 +01:00
If the page fails to load, start the Gateway first: `openclaw gateway` .
2026-01-07 00:41:31 +01:00
2025-12-21 00:34:39 +00:00
Auth is supplied during the WebSocket handshake via:
2026-01-31 21:13:13 +09:00
2025-12-21 00:34:39 +00:00
- `connect.params.auth.token`
2025-12-23 13:13:09 +00:00
- `connect.params.auth.password`
2026-04-04 14:14:54 +01:00
- Tailscale Serve identity headers when `gateway.auth.allowTailscale: true`
- trusted-proxy identity headers when `gateway.auth.mode: "trusted-proxy"`
2026-04-04 21:05:12 +01:00
The dashboard settings panel keeps a token for the current browser tab session
2026-04-04 21:11:16 +01:00
and selected gateway URL; passwords are not persisted. Onboarding usually
generates a gateway token for shared-secret auth on first connect, but password
auth works too when `gateway.auth.mode` is `"password"` .
2025-12-21 00:34:39 +00:00
2026-02-01 08:03:55 -08:00
## Device pairing (first connection)
When you connect to the Control UI from a new browser or device, the Gateway
requires a **one-time pairing approval ** — even if you're on the same Tailnet
with `gateway.auth.allowTailscale: true` . This is a security measure to prevent
unauthorized access.
**What you'll see: ** "disconnected (1008): pairing required"
**To approve the device: **
``` bash
# List pending requests
openclaw devices list
# Approve by request ID
openclaw devices approve <requestId>
```
2026-03-19 18:26:06 -05:00
If the browser retries pairing with changed auth details (role/scopes/public
key), the previous pending request is superseded and a new `requestId` is
created. Re-run `openclaw devices list` before approval.
2026-02-01 08:03:55 -08:00
Once approved, the device is remembered and won't require re-approval unless
you revoke it with `openclaw devices revoke --device <id> --role <role>` . See
[Devices CLI ](/cli/devices ) for token rotation and revocation.
**Notes: **
2026-02-01 18:51:44 +00:00
2026-04-04 16:12:56 +01:00
- Direct local loopback browser connections (`127.0.0.1` / `localhost` ) are
auto-approved.
- Tailnet and LAN browser connects still require explicit approval, even when
they originate from the same machine.
2026-02-01 08:03:55 -08:00
- Each browser profile generates a unique device ID, so switching browsers or
clearing browser data will require re-pairing.
2026-03-05 16:57:59 -05:00
## Language support
2026-04-06 02:44:15 +01:00
The Control UI can localize itself on first load based on your browser locale.
To override it later, open **Overview -> Gateway Access -> Language ** . The
locale picker lives in the Gateway Access card, not under Appearance.
2026-03-05 16:57:59 -05:00
2026-04-05 18:31:02 +01:00
- Supported locales: `en` , `zh-CN` , `zh-TW` , `pt-BR` , `de` , `es` , `ja-JP` , `ko` , `fr` , `tr` , `uk` , `id` , `pl`
2026-03-05 16:57:59 -05:00
- Non-English translations are lazy-loaded in the browser.
- The selected locale is saved in browser storage and reused on future visits.
- Missing translation keys fall back to English.
2025-12-18 22:40:46 +00:00
## What it can do (today)
2026-01-31 21:13:13 +09:00
2026-01-16 00:28:43 +00:00
- Chat with the model via Gateway WS (`chat.history` , `chat.send` , `chat.abort` , `chat.inject` )
2026-01-03 20:37:57 +01:00
- Stream tool calls + live tool output cards in Chat (agent events)
2026-04-04 15:07:32 +01:00
- Channels: built-in plus bundled/external plugin channels status, QR login, and per-channel config (`channels.status` , `web.login.*` , `config.patch` )
2025-12-21 00:34:39 +00:00
- Instances: presence list + refresh (`system-presence` )
2026-04-04 18:25:03 +01:00
- Sessions: list + per-session model/thinking/fast/verbose/reasoning overrides (`sessions.list` , `sessions.patch` )
2026-04-05 17:16:49 -07:00
- Dreams: dreaming status, enable/disable toggle, and Dream Diary reader (`doctor.memory.status` , `doctor.memory.dreamDiary` , `config.patch` )
2026-02-22 23:05:42 -06:00
- Cron jobs: list/add/edit/run/enable/disable + run history (`cron.*` )
2025-12-21 00:34:39 +00:00
- Skills: status, enable/disable, install, API key updates (`skills.*` )
- Nodes: list + caps (`node.list` )
2026-01-18 15:23:36 +00:00
- Exec approvals: edit gateway or node allowlists + ask policy for `exec host=gateway/node` (`exec.approvals.*` )
2026-01-30 03:15:10 +01:00
- Config: view/edit `~/.openclaw/openclaw.json` (`config.get` , `config.set` )
2026-01-08 01:29:56 +01:00
- Config: apply + restart with validation (`config.apply` ) and wake the last active session
2026-01-15 04:05:01 +00:00
- Config writes include a base-hash guard to prevent clobbering concurrent edits
2026-03-30 23:55:03 -05:00
- Config writes (`config.set` /`config.apply` /`config.patch` ) also preflight active SecretRef resolution for refs in the submitted config payload; unresolved active submitted refs are rejected before write
2026-04-04 20:14:25 +01:00
- Config schema + form rendering (`config.schema` / `config.schema.lookup` ,
2026-04-04 20:38:15 +01:00
including field `title` / `description` , matched UI hints, immediate child
2026-04-04 21:43:09 +01:00
summaries, docs metadata on nested object/wildcard/array/composition nodes,
plus plugin + channel schemas when available); Raw JSON editor is
2026-04-04 20:38:15 +01:00
available only when the snapshot has a safe raw round-trip
2026-03-30 23:55:03 -05:00
- If a snapshot cannot safely round-trip raw text, Control UI forces Form mode and disables Raw mode for that snapshot
- Structured SecretRef object values are rendered read-only in form text inputs to prevent accidental object-to-string corruption
2025-12-21 00:34:39 +00:00
- Debug: status/health/models snapshots + event log + manual RPC calls (`status` , `health` , `models.list` )
2026-01-08 03:43:46 +00:00
- Logs: live tail of gateway file logs with filter/export (`logs.tail` )
2026-01-08 01:29:56 +01:00
- Update: run a package/git update + restart (`update.run` ) with a restart report
2025-12-18 22:40:46 +00:00
2026-02-03 13:44:29 -08:00
Cron jobs panel notes:
2026-02-03 16:53:46 -08:00
- For isolated jobs, delivery defaults to announce summary. You can switch to none if you want internal-only runs.
- Channel/target fields appear when announce is selected.
2026-02-16 02:36:00 -08:00
- Webhook mode uses `delivery.mode = "webhook"` with `delivery.to` set to a valid HTTP(S) webhook URL.
- For main-session jobs, webhook and none delivery modes are available.
2026-02-22 23:05:42 -06:00
- Advanced edit controls include delete-after-run, clear agent override, cron exact/stagger options,
agent model/thinking overrides, and best-effort delivery toggles.
- Form validation is inline with field-level errors; invalid values disable the save button until fixed.
2026-02-15 16:14:17 -08:00
- Set `cron.webhookToken` to send a dedicated bearer token, if omitted the webhook is sent without an auth header.
2026-02-16 02:36:00 -08:00
- Deprecated fallback: stored legacy jobs with `notify: true` can still use `cron.webhook` until migrated.
2026-02-03 13:44:29 -08:00
2026-01-10 17:23:16 +01:00
## Chat behavior
- `chat.send` is **non-blocking ** : it acks immediately with `{ runId, status: "started" }` and the response streams via `chat` events.
- Re-sending with the same `idempotencyKey` returns `{ status: "in_flight" }` while running, and `{ status: "ok" }` after completion.
2026-02-16 21:50:01 -05:00
- `chat.history` responses are size-bounded for UI safety. When transcript entries are too large, Gateway may truncate long text fields, omit heavy metadata blocks, and replace oversized messages with a placeholder (`[chat.history omitted: message too large]` ).
2026-04-04 22:21:26 +01:00
- `chat.history` also strips display-only inline directive tags from visible assistant text (for example `[[reply_to_*]]` and `[[audio_as_voice]]` ), plain-text tool-call XML payloads (including `<tool_call>...</tool_call>` , `<function_call>...</function_call>` , `<tool_calls>...</tool_calls>` , `<function_calls>...</function_calls>` , and truncated tool-call blocks), and leaked ASCII/full-width model control tokens, and omits assistant entries whose whole visible text is only the exact silent token `NO_REPLY` / `no_reply` .
2026-01-16 00:28:43 +00:00
- `chat.inject` appends an assistant note to the session transcript and broadcasts a `chat` event for UI-only updates (no agent run, no channel delivery).
2026-04-04 18:25:03 +01:00
- The chat header model and thinking pickers patch the active session immediately through `sessions.patch` ; they are persistent session overrides, not one-turn-only send options.
2026-01-10 17:23:16 +01:00
- Stop:
- Click **Stop ** (calls `chat.abort` )
2026-02-24 04:02:18 +00:00
- Type `/stop` (or standalone abort phrases like `stop` , `stop action` , `stop run` , `stop openclaw` , `please stop` ) to abort out-of-band
2026-01-10 17:23:16 +01:00
- `chat.abort` supports `{ sessionKey }` (no `runId` ) to abort all active runs for that session
2026-02-15 16:55:28 -08:00
- Abort partial retention:
- When a run is aborted, partial assistant text can still be shown in the UI
- Gateway persists aborted partial assistant text into transcript history when buffered output exists
- Persisted entries include abort metadata so transcript consumers can tell abort partials from normal completion output
2026-01-10 17:23:16 +01:00
2025-12-18 22:40:46 +00:00
## Tailnet access (recommended)
2025-12-21 00:34:39 +00:00
### Integrated Tailscale Serve (preferred)
Keep the Gateway on loopback and let Tailscale Serve proxy it with HTTPS:
``` bash
2026-01-30 03:15:10 +01:00
openclaw gateway --tailscale serve
2025-12-21 00:34:39 +00:00
```
Open:
2026-01-31 21:13:13 +09:00
2026-01-03 17:54:52 +01:00
- `https://<magicdns>/` (or your configured `gateway.controlUi.basePath` )
2025-12-21 00:34:39 +00:00
2026-02-21 13:03:08 +01:00
By default, Control UI/WebSocket Serve requests can authenticate via Tailscale identity headers
2026-01-30 03:15:10 +01:00
(`tailscale-user-login` ) when `gateway.auth.allowTailscale` is `true` . OpenClaw
2026-01-26 12:47:53 +00:00
verifies the identity by resolving the `x-forwarded-for` address with
`tailscale whois` and matching it to the header, and only accepts these when the
request hits loopback with Tailscale’ s `x-forwarded-*` headers. Set
2026-04-04 14:02:29 +01:00
`gateway.auth.allowTailscale: false` if you want to require explicit shared-secret
credentials even for Serve traffic. Then use `gateway.auth.mode: "token"` or
`"password"` .
2026-04-04 14:30:02 +01:00
For that async Serve identity path, failed auth attempts for the same client IP
and auth scope are serialized before rate-limit writes. Concurrent bad retries
from the same browser can therefore show `retry later` on the second request
instead of two plain mismatches racing in parallel.
2026-02-21 12:52:45 +01:00
Tokenless Serve auth assumes the gateway host is trusted. If untrusted local
code may run on that host, require token/password auth.
2025-12-21 00:34:39 +00:00
2026-01-11 01:51:07 +01:00
### Bind to tailnet + token
2025-12-18 22:40:46 +00:00
``` bash
2026-01-30 03:15:10 +01:00
openclaw gateway --bind tailnet --token " $( openssl rand -hex 32) "
2025-12-18 22:40:46 +00:00
```
Then open:
2026-01-31 21:13:13 +09:00
2026-01-03 17:54:52 +01:00
- `http://<tailscale-ip>:18789/` (or your configured `gateway.controlUi.basePath` )
2025-12-18 22:40:46 +00:00
2026-04-04 14:14:54 +01:00
Paste the matching shared secret into the UI settings (sent as
`connect.params.auth.token` or `connect.params.auth.password` ).
2025-12-18 22:40:46 +00:00
2026-01-21 23:58:30 +00:00
## Insecure HTTP
If you open the dashboard over plain HTTP (`http://<lan-ip>` or `http://<tailscale-ip>` ),
the browser runs in a **non-secure context ** and blocks WebCrypto. By default,
2026-01-30 03:15:10 +01:00
OpenClaw **blocks ** Control UI connections without device identity.
2026-01-21 23:58:30 +00:00
2026-04-04 13:52:19 +01:00
Documented exceptions:
- localhost-only insecure HTTP compatibility with `gateway.controlUi.allowInsecureAuth=true`
- successful operator Control UI auth through `gateway.auth.mode: "trusted-proxy"`
- break-glass `gateway.controlUi.dangerouslyDisableDeviceAuth=true`
2026-01-21 23:58:30 +00:00
**Recommended fix: ** use HTTPS (Tailscale Serve) or open the UI locally:
2026-01-31 21:13:13 +09:00
2026-01-21 23:58:30 +00:00
- `https://<magicdns>/` (Serve)
- `http://127.0.0.1:18789/` (on the gateway host)
2026-02-21 12:55:18 +01:00
**Insecure-auth toggle behavior: **
2026-01-21 23:58:30 +00:00
``` json5
{
gateway: {
controlUi: { allowInsecureAuth: true },
bind: "tailnet",
2026-01-31 21:13:13 +09:00
auth: { mode: "token", token: "replace-me" },
},
2026-01-21 23:58:30 +00:00
}
```
2026-03-10 17:05:57 -05:00
`allowInsecureAuth` is a local compatibility toggle only:
- It allows localhost Control UI sessions to proceed without device identity in
non-secure HTTP contexts.
- It does not bypass pairing checks.
- It does not relax remote (non-localhost) device identity requirements.
2026-02-21 12:55:18 +01:00
**Break-glass only: **
``` json5
{
gateway: {
controlUi: { dangerouslyDisableDeviceAuth: true },
bind: "tailnet",
auth: { mode: "token", token: "replace-me" },
},
}
```
`dangerouslyDisableDeviceAuth` disables Control UI device identity checks and is a
severe security downgrade. Revert quickly after emergency use.
2026-01-21 23:58:30 +00:00
2026-04-04 13:52:19 +01:00
Trusted-proxy note:
- successful trusted-proxy auth can admit **operator ** Control UI sessions without
device identity
- this does **not ** extend to node-role Control UI sessions
- same-host loopback reverse proxies still do not satisfy trusted-proxy auth; see
[Trusted Proxy Auth ](/gateway/trusted-proxy-auth )
2026-01-21 23:58:30 +00:00
See [Tailscale ](/gateway/tailscale ) for HTTPS setup guidance.
2025-12-18 22:40:46 +00:00
## Building the UI
The Gateway serves static files from `dist/control-ui` . Build them with:
``` bash
2026-01-09 07:02:42 +00:00
pnpm ui:build # auto-installs UI deps on first run
2025-12-18 22:40:46 +00:00
```
2026-01-03 17:54:52 +01:00
Optional absolute base (when you want fixed asset URLs):
``` bash
2026-01-30 03:15:10 +01:00
OPENCLAW_CONTROL_UI_BASE_PATH = /openclaw/ pnpm ui:build
2026-01-03 17:54:52 +01:00
```
2025-12-18 22:40:46 +00:00
For local development (separate dev server):
``` bash
2026-01-09 07:02:42 +00:00
pnpm ui:dev # auto-installs UI deps on first run
2025-12-18 22:40:46 +00:00
```
Then point the UI at your Gateway WS URL (e.g. `ws://127.0.0.1:18789` ).
2026-01-22 05:05:30 +00:00
## Debugging/testing: dev server + remote Gateway
The Control UI is static files; the WebSocket target is configurable and can be
different from the HTTP origin. This is handy when you want the Vite dev server
locally but the Gateway runs elsewhere.
2026-01-31 21:13:13 +09:00
1. Start the UI dev server: `pnpm ui:dev`
2. Open a URL like:
2026-01-22 05:05:30 +00:00
``` text
http://localhost:5173/?gatewayUrl=ws://<gateway-host>:18789
```
Optional one-time auth (if needed):
``` text
2026-03-07 18:33:19 +00:00
http://localhost:5173/?gatewayUrl=wss://<gateway-host>:18789#token=<gateway-token>
2026-01-22 05:05:30 +00:00
```
Notes:
2026-01-31 21:13:13 +09:00
2026-01-22 05:05:30 +00:00
- `gatewayUrl` is stored in localStorage after load and removed from the URL.
2026-03-17 22:18:42 -05:00
- `token` should be passed via the URL fragment (`#token=...` ) whenever possible. Fragments are not sent to the server, which avoids request-log and Referer leakage. Legacy `?token=` query params are still imported once for compatibility, but only as a fallback, and are stripped immediately after bootstrap.
2026-03-07 18:33:19 +00:00
- `password` is kept in memory only.
2026-02-04 18:59:44 -05:00
- When `gatewayUrl` is set, the UI does not fall back to config or environment credentials.
Provide `token` (or `password` ) explicitly. Missing explicit credentials is an error.
2026-01-22 05:05:30 +00:00
- Use `wss://` when the Gateway is behind TLS (Tailscale Serve, HTTPS proxy, etc.).
2026-02-03 16:00:57 -08:00
- `gatewayUrl` is only accepted in a top-level window (not embedded) to prevent clickjacking.
2026-02-24 01:52:15 +00:00
- Non-loopback Control UI deployments must set `gateway.controlUi.allowedOrigins`
explicitly (full origins). This includes remote dev setups.
2026-03-17 09:35:02 -07:00
- Do not use `gateway.controlUi.allowedOrigins: ["*"]` except for tightly controlled
local testing. It means allow any browser origin, not “match whatever host I am
using.”
2026-02-24 01:52:15 +00:00
- `gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback=true` enables
Host-header origin fallback mode, but it is a dangerous security mode.
2026-02-03 16:00:57 -08:00
Example:
``` json5
{
gateway: {
controlUi: {
allowedOrigins: ["http://localhost:5173"],
},
},
}
```
2026-01-22 05:05:30 +00:00
Remote access setup details: [Remote access ](/gateway/remote ).
2026-03-31 14:34:43 +09:00
## Related
- [Dashboard ](/web/dashboard ) — gateway dashboard
- [WebChat ](/web/webchat ) — browser-based chat interface
- [TUI ](/web/tui ) — terminal user interface
- [Health Checks ](/gateway/health ) — gateway health monitoring