openclaw/docs/web/dashboard.md
Seb Slight 578a6e27aa Docs: enable markdownlint autofixables except list numbering (#10476)
* docs(markdownlint): enable autofixable rules except list numbering

* docs(zalo): fix malformed bot platform link
2026-02-06 10:08:59 -05:00


summary: Gateway dashboard (Control UI) access and auth
read_when: Changing dashboard authentication or exposure modes
title: Dashboard

Dashboard (Control UI)

The Gateway dashboard is the browser Control UI served at / by default (override with gateway.controlUi.basePath).

Quick open (local Gateway):

Key references:

Authentication is enforced at the WebSocket handshake via connect.params.auth (token or password). See gateway.auth in Gateway configuration.

Security note: the Control UI is an admin surface (chat, config, exec approvals). Do not expose it publicly. The UI stores the token in localStorage after first load. Prefer localhost, Tailscale Serve, or an SSH tunnel.

  • After onboarding, the CLI auto-opens the dashboard and prints a clean (non-tokenized) link.
  • Re-open anytime: openclaw dashboard (copies link, opens browser if possible, shows SSH hint if headless).
  • If the UI prompts for auth, paste the token from gateway.auth.token (or OPENCLAW_GATEWAY_TOKEN) into Control UI settings.

Token basics (local vs remote)

  • Localhost: open http://127.0.0.1:18789/.
  • Token source: gateway.auth.token (or OPENCLAW_GATEWAY_TOKEN); the UI stores a copy in localStorage after you connect.
  • Not localhost: use Tailscale Serve (tokenless if gateway.auth.allowTailscale: true), tailnet bind with a token, or an SSH tunnel. See Web surfaces.
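A check for the exposure guidance above, as an added example that is not part of the OpenClaw docs or code base: it classifies listeners on the Control UI port from `ss -ltnH` output so that a bind beyond loopback is noticed. The function names, the `CONTROL_UI_PORT` variable and the sample lines are assumptions made for this example; the port is taken from the URLs on this page.

```shell
#!/bin/sh
# Added example (not OpenClaw code): flag Control UI listeners that are not
# loopback-only, using `ss -ltnH` output (column 4 = Local Address:Port).

CONTROL_UI_PORT="${CONTROL_UI_PORT:-18789}"   # port from this page's URLs

# Reads `ss -ltnH` lines on stdin, prints "<class> <local-address>" for each
# listener on $CONTROL_UI_PORT, and returns 1 if any is not loopback.
check_listeners() {
    awk -v port="$CONTROL_UI_PORT" '
    {
        addr = $4
        n = split(addr, parts, ":")
        if (parts[n] != port) next
        # Strip ":<port>" to get the host part (IPv6 keeps its brackets).
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        if (host ~ /^127\./ || host == "[::1]") {
            cls = "loopback"
        } else if (host == "0.0.0.0" || host == "*" || host == "[::]") {
            cls = "all-interfaces"       # reachable on every interface
        } else {
            cls = "specific-address"     # e.g. a tailnet bind; needs a token
        }
        print cls, addr
        if (cls != "loopback") bad = 1
    }
    END { exit bad + 0 }'
}

# Constructed sample input, not captured from a real host.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 511 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 511 [::1]:18789 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:18789 0.0.0.0:*
EOF
}

# Live use on the gateway host: ss -ltnH | check_listeners
sample_ss_output | check_listeners || echo "non-loopback listener on port $CONTROL_UI_PORT: review exposure"
```

A `specific-address` result is expected for a tailnet bind; it is reported so the token requirement can be confirmed for that listener.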

If you see “unauthorized” / 1008

  • Ensure the gateway is reachable (local: openclaw status; remote: SSH tunnel ssh -N -L 18789:127.0.0.1:18789 user@host then open http://127.0.0.1:18789/).
  • Retrieve the token from the gateway host: openclaw config get gateway.auth.token (or generate one: openclaw doctor --generate-gateway-token).
  • In the dashboard settings, paste the token into the auth field, then connect.