let5see/clawdbot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: update gateway auth docs and clients

Browse Source
This commit is contained in:
Peter Steinberger
2026-01-11 01:51:07 +01:00
parent d33285a9cd
commit b0b4b33b6b
28 changed files with 283 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
docs/web/control-ui.md
View File

@@ -25,6 +25,7 @@ Auth is supplied during the WebSocket handshake via:
- `connect.params.auth.token`
- `connect.params.auth.password`
The dashboard settings panel lets you store a token; passwords are not persisted.
The onboarding wizard generates a gateway token by default, so paste it here on first connect.
## What it can do (today)
- Chat with the model via Gateway WS (`chat.history`, `chat.send`, `chat.abort`)
@@ -65,9 +66,9 @@ Open:
- `https://<magicdns>/` (or your configured `gateway.controlUi.basePath`)
By default, the gateway trusts Tailscale identity headers in serve mode. You can still set
`CLAWDBOT_GATEWAY_TOKEN` or `gateway.auth` if you want a shared secret instead.
`gateway.auth` (or `CLAWDBOT_GATEWAY_TOKEN`) if you want a shared secret instead.
### Bind to tailnet + token (legacy)
### Bind to tailnet + token
```bash
clawdbot gateway --bind tailnet --token "$(openssl rand -hex 32)"

9
docs/web/index.md
View File

@@ -56,13 +56,14 @@ clawdbot gateway
Open:
- `https://<magicdns>/` (or your configured `gateway.controlUi.basePath`)
### Tailnet bind + token (legacy)
### Tailnet bind + token
```json5
{
gateway: {
bind: "tailnet",
controlUi: { enabled: true }
controlUi: { enabled: true },
auth: { mode: "token", token: "your-token" }
}
}
```
@@ -70,7 +71,6 @@ Open:
Then start the gateway (token required for non-loopback binds):
```bash
export CLAWDBOT_GATEWAY_TOKEN="…your token…"
clawdbot gateway
```
@@ -91,7 +91,8 @@ Open:
## Security notes
- Binding the Gateway to a non-loopback address **requires** auth (`CLAWDBOT_GATEWAY_TOKEN` or `gateway.auth`).
- Binding the Gateway to a non-loopback address **requires** auth (`gateway.auth` or `CLAWDBOT_GATEWAY_TOKEN`).
- The wizard generates a gateway token by default (even on loopback).
- The UI sends `connect.params.auth.token` or `connect.params.auth.password`.
- Use `gateway.auth.allowTailscale: false` to require explicit credentials even in Serve mode.
- `gateway.tailscale.mode: "funnel"` requires `gateway.auth.mode: "password"` (shared password).