What does OpenClaw Control UI requires device identity mean?

It means the browser dashboard connection did not present an approved device identity or trusted remote path, so the gateway rejected the WebSocket session.

Is allowedOrigins enough to fix device identity required errors?

No. allowedOrigins controls which browser origins may connect. Device identity and pairing are separate checks that still apply to remote or non-loopback dashboards.

Should I expose OpenClaw Control UI on public HTTP?

No. Use localhost, an SSH tunnel, HTTPS with explicit allowed origins, Tailscale with the expected identity behavior, or managed hosting.

Usage Tips

OpenClaw "Control UI requires device identity" fix for VPS and remote dashboards

Problem statement: you opened the OpenClaw dashboard from a VPS, LAN IP, hosting-provider button, HTTPS proxy, or Tailscale route and the WebSocket closes with 1008 or Control UI requires device identity. This is not just a random token problem. Secure browser context, origin allowlisting, gateway URL, pairing, and browser device identity are separate layers.

Fast answer

For quick local access, open http://127.0.0.1:18789/ or use an SSH tunnel back to localhost. For real remote access, use HTTPS or Tailscale with explicit gateway.controlUi.allowedOrigins, then complete device pairing when required. Do not expose a public unauthenticated Control UI or use wildcard origins as a production fix.

What the error means

The Control UI is served by the OpenClaw gateway and communicates over WebSocket. Local loopback browser connections are treated differently from remote LAN, VPS, or public HTTP connections. A new browser/device generally needs a stable device identity and one-time approval. If the browser cannot present that identity, or if the gateway does not trust the route, the connection can fail with a policy close such as 1008.

Fix path by setup

Same machine: open http://127.0.0.1:18789/ or http://localhost:18789/. Avoid switching between localhost, LAN IP, and a public hostname while debugging.
Remote VPS: use an SSH tunnel to localhost, or put HTTPS in front of the gateway and add the exact browser origin to gateway.controlUi.allowedOrigins.
Tailscale Serve: keep the browser identity requirement in mind. Tailscale can provide a trusted route only when identity verification and browser device identity expectations are met.
Hosted or managed: prefer a route that keeps gateway URL, token handling, HTTPS, allowed origins, and device identity expectations stable across restarts.

Limited managed setup experiment

Fix once. Stop recurring Control UI device identity failures.

If this keeps coming back, you can either move the setup path into managed OpenClaw hosting or book the constrained launch package for one workspace. The experiment is deliberately scoped: one hosted instance, first-run configuration, channel/setup guidance where supported, one smoke test, and a handoff note.

$199 managed setup One hosted OpenClaw workspace, one 30-minute onboarding/debug session or equivalent async help, and a 7-day setup-specific follow-up.

Clear boundaries before work starts No custom development, enterprise/SRE support, unsupported self-hosting repair, or open-ended third-party debugging.

Includes hosted instance setup, first-run configuration, channel/setup guidance where supported, smoke test, and handoff note
Excludes unlimited support, custom workflow/code work, unsupported self-hosting repair, and third-party provider outages
Limited weekly slots keep the experiment operationally safe while setup time and lead quality are measured

If you would rather compare options first, review OpenClaw cloud hosting or see the best OpenClaw hosting options before deciding.

Book managed setup - $199 setup, limited weekly slots Move this setup to Lobsterland Keep self-hosted: apply fix checklist

OpenClaw import first screen in OpenClaw Setup dashboard (light theme) — 1) Paste import payload

OpenClaw import first screen in OpenClaw Setup dashboard (dark theme) — 1) Paste import payload

OpenClaw import completed screen in OpenClaw Setup dashboard (light theme) — 2) Review and launch

OpenClaw import completed screen in OpenClaw Setup dashboard (dark theme) — 2) Review and launch

What not to do

Do not set allowedOrigins = ["*"] for production remote access.
Do not assume a hosting provider dashboard button supplies OpenClaw device identity.
Do not disable device authentication as the first fix.
Do not mix public HTTP, HTTPS, IP access, localhost, and Tailscale hostnames in the same debug run.

Verification checklist

openclaw gateway status shows the dashboard URL you intend to use.
The browser URL uses localhost for local access or HTTPS/WSS for remote access.
The exact browser origin appears in gateway.controlUi.allowedOrigins for public non-loopback deployments.
openclaw devices list and approval flow handle the first browser/device pairing when required.
Gateway logs no longer show device identity required, origin not allowed, or repeated unauthorized loops.

Managed hosting option

If your team is moving from a laptop install to a VPS, Lobsterland gives you a managed OpenClaw route with HTTPS, dashboard wiring, restart-safe config, and stable remote access expectations.

See OpenClaw cloud hosting Open dashboard