Dashboard (Control UI)
The Gateway dashboard is the browser Control UI served at/ by default
(override with gateway.controlUi.basePath).
Quick open (local Gateway):
Key references:
- Control UI for usage and UI capabilities.
- Tailscale for Serve/Funnel automation.
- Web surfaces for bind modes and security notes.
connect.params.auth
(token or password). See gateway.auth in Gateway configuration.
Security note: the Control UI is an admin surface (chat, config, exec approvals).
Do not expose it publicly. The UI stores the token in localStorage after first load.
Prefer localhost, Tailscale Serve, or an SSH tunnel.
Fast path (recommended)
- After onboarding, the CLI auto-opens the dashboard and prints a clean (non-tokenized) link.
- Re-open anytime:
openclaw dashboard(copies link, opens browser if possible, shows SSH hint if headless). - If the UI prompts for auth, paste the token from
gateway.auth.token(orOPENCLAW_GATEWAY_TOKEN) into Control UI settings.
Token basics (local vs remote)
- Localhost: open
http://127.0.0.1:18789/. - Token source:
gateway.auth.token(orOPENCLAW_GATEWAY_TOKEN); the UI stores a copy in localStorage after you connect. - Not localhost: use Tailscale Serve (tokenless if
gateway.auth.allowTailscale: true), tailnet bind with a token, or an SSH tunnel. See Web surfaces.
If you see “unauthorized” / 1008
- Ensure the gateway is reachable (local:
openclaw status; remote: SSH tunnelssh -N -L 18789:127.0.0.1:18789 user@hostthen openhttp://127.0.0.1:18789/). - Retrieve the token from the gateway host:
openclaw config get gateway.auth.token(or generate one:openclaw doctor --generate-gateway-token). - In the dashboard settings, paste the token into the auth field, then connect.