OpenClaw’s Token-Auth Scope Bug Shows Agent Observability Has a Trust Boundary Problem

The most honest thing about OpenClaw issue #81775 is that both sides of the bug are defensible. A WebSocket client authenticates with the configured shared gateway token, requests operator read scopes, and successfully connects. Then the gateway returns payload.auth.scopes: [], which means every useful observability subscription fails with missing scope: operator.read. From a security perspective, refusing to turn a bare shared token into an all-powerful operator principal is sane. From an operations perspective, a “successful” connection that cannot observe anything is a trapdoor with a friendly handshake.

The issue was filed on May 14 at 09:36 UTC and closed minutes later as a duplicate or satellite of canonical gateway auth-scope work. That closure should not be read as dismissal. The report preserves the important product evidence: ClawMetry’s sync daemon cannot subscribe to live per-session message events, and channel adapters keep inbound Telegram, Signal, WhatsApp, and Discord conversations in memory rather than JSONL files. The only visible path for message bodies is live session subscription; gateway.log captures outbound sendMessage acknowledgments but not the inbound content operators need for a real timeline.

Observability daemons are principals, not decorations

The reported environment is specific enough to be useful: OpenClaw 2026.5.7, local gateway at ws://127.0.0.1:18789, gateway.auth.mode: "token", loopback bind, and a 48-character token in gateway.auth.token. A Python WebSocket client sends role: "operator", requests operator.admin and operator.read, and presents the configured token. The gateway accepts the connection but returns no scopes. Methods such as sessions.messages.subscribe, sessions.subscribe, logs.tail, and channels.status fail. health still works, which is the runtime equivalent of telling a starving operator the restaurant has electricity.

This is where “agent observability” stops being dashboard garnish. To observe an agent, a tool needs access to runtime surfaces that are sensitive by definition: session messages, tool calls, logs, channel status, and sometimes human conversation bodies. A dashboard that can read every inbound Slack DM, Telegram update, Signal message, WhatsApp thread, or Discord mention is not passive. It is a privileged observer of the user’s communication fabric.

That is why the naive fix — “just grant the token admin” — is wrong. Static tokens are credentials. Static tokens with broad operator scopes are powerful credentials. A headless deployment may need noninteractive read access, but that should be an explicit trust decision in configuration, not a side effect of knowing the shared token. The canonical proposal, issue #80836, points in the right direction with gateway.auth.tokenScopes for headless or single-tenant deployments. The shape is attractive because it turns an implicit hope into an explicit contract: this token grants these scopes under these deployment assumptions.

The empty-scope handshake is secure and hostile at the same time

OpenClaw’s current behavior appears to come from a conservative rule: device-less shared-token clients have scopes cleared, with related work tracked in issue #60225 around shouldClearUnboundScopesForMissingDeviceIdentity(). That is understandable. Device identity, user presence, and interactive approval are important parts of an operator trust model. If the runtime cannot bind a client to a known device, clearing scopes prevents a leaked token from silently becoming a universal read/write/admin credential.

But security controls still need to be legible. Returning a successful connection with empty scopes makes client authors discover the policy one method failure at a time. That wastes operator time and encourages worse workarounds: log scraping, side-file access, privileged local shells, or asking users to punch larger holes than necessary. A cleaner contract would make the result explicit at connect time: authenticated but unscoped, requested scopes denied because token scopes are not configured, here are the config keys and risks. Good security says no. Great security says no in a way that keeps people from building a bypass out of frustration.

ClawMetry makes the tension concrete. Its repository describes the product as “See your agent think. Real-time observability dashboard for OpenClaw AI agents.” It had 301 stars, 50 forks, 65 open issues, and a same-day push during the research window. That is enough signal to treat this as an ecosystem requirement rather than one user’s odd integration. Once third-party observability tools exist, the platform needs a capability model for them. Pretending they are outside the threat model is how dashboards become shadow operators.

The design bar should be high. Static read scopes should be bounded by bind address, documented as capable of reading message bodies, and easy to rotate. Admin scopes should be treated much more cautiously than read-only subscription scopes. The runtime should distinguish channel status, logs, session metadata, message bodies, and mutation APIs instead of collapsing everything into one operator bucket. And observability tools should be designed to request the minimum needed capability. If a timeline renderer needs session-message subscriptions, it should not ask for mutation rights. If it stores message bodies, it should make retention and redaction an operator choice.

For OpenClaw operators, this issue is a useful audit prompt. List every tool that connects to your gateway. Identify how it authenticates, which scopes it needs, whether it can read human message bodies, and where it stores them. If your deployment is loopback-only and single-tenant, read-scoped token grants may be acceptable. If your gateway is remote, proxied, or shared, static token scopes deserve more suspicion. Do not paper over missing observability by handing dashboards filesystem access to transcripts or full admin credentials. That is not observability; that is an incident report waiting for a timestamp.

The editorial take is simple: you cannot prove what an agent did without letting something watch it, and letting something watch it is authorization. OpenClaw’s token-scope bug is not merely a WebSocket nuisance. It is the observability trust boundary arriving on schedule.

Sources: OpenClaw issue #81775, issue #80836, issue #60225, issue #42157, ClawMetry, awesome-openclaw