fix: update gateway auth docs and clients

Peter Steinberger
2026-01-11 01:51:07 +01:00
parent d33285a9cd
commit b0b4b33b6b
28 changed files with 283 additions and 67 deletions

@@ -198,6 +198,12 @@ Notes:
- `gateway.remote.token` is for **remote CLI calls** only; it does not enable local gateway auth.
- The Control UI authenticates via `connect.params.auth.token` (stored in app/UI settings). Avoid putting tokens in URLs.
### Why do I need a token on localhost now?
The wizard generates a gateway token by default (even on loopback) so **local WS clients must authenticate**. This blocks other local processes from calling the Gateway. Paste the token into the Control UI settings (or your client config) to connect.
If you **really** want open loopback, remove `gateway.auth` from your config. Doctor can generate a token for you any time: `clawdbot doctor --generate-gateway-token`.
### Do I have to restart after changing config?
The Gateway watches the config and supports hotreload:
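
Review bot: The opt-out sentence in the new FAQ answer ("If you **really** want open loopback, remove `gateway.auth` from your config") gives the how without the consequence. The onboarding doc in this same commit spells it out ("If you disable auth, any local process can connect; use that only on fully trusted machines"); repeat that here so the FAQ does not read as a neutral toggle. It would also help to say whether `clawdbot doctor --generate-gateway-token` replaces an existing token or only fills in a missing one, because clients that hold the old value need to be updated after a rotation.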

@@ -68,6 +68,7 @@ What youll choose:
- **Providers**: WhatsApp QR login, Telegram/Discord bot tokens, etc.
- **Daemon**: background install (launchd/systemd; WSL2 uses systemd)
- **Runtime**: Node (recommended; required for WhatsApp) or Bun (faster, but incompatible with WhatsApp)
- **Gateway token**: the wizard generates one by default (even on loopback) and stores it in `gateway.auth.token`.
Wizard doc: [Wizard](/start/wizard)
@@ -95,6 +96,7 @@ clawdbot gateway --port 18789 --verbose
```
Dashboard (local loopback): `http://127.0.0.1:18789/`
If a token is configured, paste it into the Control UI settings (stored as `connect.params.auth.token`).
⚠️ **WhatsApp + Bun warning:** Baileys (WhatsApp Web library) uses a WebSocket
path that is currently incompatible with Bun and can cause memory corruption on
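
Review bot: The line added under the Dashboard URL opens with "If a token is configured", but the Gateway token bullet earlier in this file says the wizard generates one by default, so a reader following this guide always has one. Suggest dropping the conditional and naming the source, for example "Paste the value of `gateway.auth.token` into the Control UI settings", and making clear that `connect.params.auth.token` is where the client stores it rather than a second secret. Because the line sits directly under a URL, a short reminder not to append the token to the URL would match the FAQ note ("Avoid putting tokens in URLs").
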

@@ -32,7 +32,8 @@ Where does the **Gateway** run?
- **Configure later:** skip setup and leave the app unconfigured.
Gateway auth tip:
- If you only use Clawdbot locally (loopback), auth can be **Off**.
- The wizard now generates a **token** even for loopback, so local WS clients must authenticate.
- If you disable auth, any local process can connect; use that only on fully trusted machines.
- Use a **token** for multimachine access or nonloopback binds.
## 2) Local-only auth (Anthropic OAuth)
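
Review bot: The unchanged last bullet of the auth tip ("Use a **token** for multimachine access or nonloopback binds") now sits awkwardly under the two new bullets: it still reads as if a token only matters off loopback. Reword it along the lines of the wizard doc ("Nonloopback binds still require auth") so the three bullets agree that a token is the default everywhere and mandatory off loopback. "now generates" is also changelog wording that will date; "generates" is enough.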

@@ -32,7 +32,7 @@ The wizard starts with **QuickStart** (defaults) vs **Advanced** (full control).
- Local gateway (loopback)
- Workspace default (or existing workspace)
- Gateway port **18789**
- Gateway auth **Off** (loopback only)
- Gateway auth **Token** (autogenerated, even on loopback)
- Tailscale exposure **Off**
- Telegram + WhatsApp DMs default to **allowlist** (youll be prompted for your phone number)
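
Review bot: The QuickStart default flips from Off to Token, but the "Gateway auth **Token**" line does not say where the generated token ends up, and QuickStart applies defaults rather than asking. Add a pointer to `gateway.auth.token` (named in the getting-started doc) and to the Control UI settings step, so a QuickStart user knows why a local client is asked to authenticate and where to find the value.
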
@@ -96,8 +96,9 @@ Tip: `--json` does **not** imply non-interactive mode. Use `--non-interactive` (
4) **Gateway**
- Port, bind, auth mode, tailscale exposure.
- Auth recommendation: keep **Off** for single-machine loopback setups. Use **Token** for multi-machine access or non-loopback binds.
- Nonloopback binds require auth.
- Auth recommendation: keep **Token** even for loopback so local WS clients must authenticate.
- Disable auth only if you fully trust every local process.
- Nonloopback binds still require auth.
5) **Providers**
- WhatsApp: optional QR login.
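
Review bot: In the Gateway step, "Disable auth only if you fully trust every local process" does not say how auth is disabled from the wizard, and the following bullet says nonloopback binds require auth without saying what the wizard does when Off is combined with such a bind (reject the choice, or force Token). State that behaviour explicitly. The word "still" in "Nonloopback binds still require auth" is changelog wording and can be dropped.
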
@@ -135,7 +136,7 @@ Remote mode configures a local client to connect to a Gateway elsewhere.
What youll set:
- Remote Gateway URL (`ws://...`)
- Optional token
- Token if the remote Gateway requires auth (recommended)
Notes:
- No remote installs or daemon changes are performed.
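
Review bot: The Remote Gateway URL example directly above the changed bullet is `ws://...`, so the token this line now recommends would travel unencrypted unless the link is protected some other way. Add a note that the token should only be sent over an encrypted transport (a `wss://` URL if the Gateway supports it, or a tunnel or VPN), and name the config key the token is stored under (`gateway.remote.token` per the FAQ). "(recommended)" is also ambiguous: say whether it is the token or requiring auth on the remote Gateway that is recommended.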