Troubleshooting
If you only have 2 minutes, use this page as a triage front door.First 60 seconds
Run this exact ladder in order:openclaw status→ shows configured channels and no obvious auth errors.openclaw status --all→ full report is present and shareable.openclaw gateway probe→ expected gateway target is reachable (Reachable: yes).RPC: limited - missing scope: operator.readis degraded diagnostics, not a connect failure.openclaw gateway status→Runtime: runningandRPC probe: ok.openclaw doctor→ no blocking config/service errors.openclaw channels status --probe→ reachable gateway returns live per-account transport state plus probe/audit results such asworksoraudit ok; if the gateway is unreachable, the command falls back to config-only summaries.openclaw logs --follow→ steady activity, no repeating fatal errors.
Anthropic long context 429
If you see:HTTP 429: rate_limit_error: Extra usage is required for long context requests,
go to /gateway/troubleshooting#anthropic-429-extra-usage-required-for-long-context.
Plugin install fails with missing openclaw extensions
If install fails withpackage.json missing openclaw.extensions, the plugin package
is using an old shape that OpenClaw no longer accepts.
Fix in the plugin package:
- Add
openclaw.extensionstopackage.json. - Point entries at built runtime files (usually
./dist/index.js). - Republish the plugin and run
openclaw plugins install <package>again.
Decision tree
No replies
No replies
Runtime: runningRPC probe: ok- Your channel shows transport connected and, where supported,
worksoraudit okinchannels status --probe - Sender appears approved (or DM policy is open/allowlist)
drop guild message (mention required→ mention gating blocked the message in Discord.pairing request→ sender is unapproved and waiting for DM pairing approval.blocked/allowlistin channel logs → sender, room, or group is filtered.
Dashboard or Control UI will not connect
Dashboard or Control UI will not connect
Dashboard: http://...is shown inopenclaw gateway statusRPC probe: ok- No auth loop in logs
device identity required→ HTTP/non-secure context cannot complete device auth.origin not allowed→ browserOriginis not allowed for the Control UI gateway target.AUTH_TOKEN_MISMATCHwith retry hints (canRetryWithDeviceToken=true) → one trusted device-token retry may occur automatically.- That cached-token retry reuses the cached scope set stored with the paired
device token. Explicit
deviceToken/ explicitscopescallers keep their requested scope set instead. - On the async Tailscale Serve Control UI path, failed attempts for the same
{scope, ip}are serialized before the limiter records the failure, so a second concurrent bad retry can already showretry later. too many failed authentication attempts (retry later)from a localhost browser origin → repeated failures from that sameOriginare temporarily locked out; another localhost origin uses a separate bucket.- repeated
unauthorizedafter that retry → wrong token/password, auth mode mismatch, or stale paired device token. gateway connect failed:→ UI is targeting the wrong URL/port or unreachable gateway.
Gateway will not start or service installed but not running
Gateway will not start or service installed but not running
Service: ... (loaded)Runtime: runningRPC probe: ok
Gateway start blocked: set gateway.mode=localorexisting config is missing gateway.mode→ gateway mode is remote, or the config file is missing the local-mode stamp and should be repaired.refusing to bind gateway ... without auth→ non-loopback bind without a valid gateway auth path (token/password, or trusted-proxy where configured).another gateway instance is already listeningorEADDRINUSE→ port already taken.
Channel connects but messages do not flow
Channel connects but messages do not flow
- Channel transport is connected.
- Pairing/allowlist checks pass.
- Mentions are detected where required.
mention required→ group mention gating blocked processing.pairing/pending→ DM sender is not approved yet.not_in_channel,missing_scope,Forbidden,401/403→ channel permission token issue.
Cron or heartbeat did not fire or did not deliver
Cron or heartbeat did not fire or did not deliver
cron.statusshows enabled with a next wake.cron runsshows recentokentries.- Heartbeat is enabled and not outside active hours.
cron: scheduler disabled; jobs will not run automatically→ cron is disabled.heartbeat skippedwithreason=quiet-hours→ outside configured active hours.requests-in-flight→ main lane busy; heartbeat wake was deferred.unknown accountId→ heartbeat delivery target account does not exist.
Node is paired but tool fails camera canvas screen exec
Node is paired but tool fails camera canvas screen exec
- Node is listed as connected and paired for role
node. - Capability exists for the command you are invoking.
- Permission state is granted for the tool.
NODE_BACKGROUND_UNAVAILABLE→ bring node app to foreground.*_PERMISSION_REQUIRED→ OS permission was denied/missing.SYSTEM_RUN_DENIED: approval required→ exec approval is pending.SYSTEM_RUN_DENIED: allowlist miss→ command not on exec allowlist.
Exec suddenly asks for approval
Exec suddenly asks for approval
- If
tools.exec.hostis unset, the default isauto. host=autoresolves tosandboxwhen a sandbox runtime is active,gatewayotherwise.host=autois routing only; the no-prompt “YOLO” behavior comes fromsecurity=fullplusask=offon gateway/node.- On
gatewayandnode, unsettools.exec.securitydefaults tofull. - Unset
tools.exec.askdefaults tooff. - Result: if you are seeing approvals, some host-local or per-session policy tightened exec away from the current defaults.
- Set only
tools.exec.host=gatewayif you just want stable host routing. - Use
security=allowlistwithask=on-missif you want host exec but still want review on allowlist misses. - Enable sandbox mode if you want
host=autoto resolve back tosandbox.
Approval required.→ command is waiting on/approve ....SYSTEM_RUN_DENIED: approval required→ node-host exec approval is pending.exec host=sandbox requires a sandbox runtime for this session→ implicit/explicit sandbox selection but sandbox mode is off.
Browser tool fails
Browser tool fails
- Browser status shows
running: trueand a chosen browser/profile. openclawstarts, orusercan see local Chrome tabs.
unknown command "browser"orunknown command 'browser'→plugins.allowis set and does not includebrowser.Failed to start Chrome CDP on port→ local browser launch failed.browser.executablePath not found→ configured binary path is wrong.browser.cdpUrl must be http(s) or ws(s)→ the configured CDP URL uses an unsupported scheme.browser.cdpUrl has invalid port→ the configured CDP URL has a bad or out-of-range port.No Chrome tabs found for profile="user"→ the Chrome MCP attach profile has no open local Chrome tabs.Remote CDP for profile "<name>" is not reachable→ the configured remote CDP endpoint is not reachable from this host.Browser attachOnly is enabled ... not reachableorBrowser attachOnly is enabled and CDP websocket ... is not reachable→ attach-only profile has no live CDP target.- stale viewport / dark-mode / locale / offline overrides on attach-only or remote CDP profiles → run
openclaw browser stop --browser-profile <name>to close the active control session and release emulation state without restarting the gateway.
Related
- FAQ — frequently asked questions
- Gateway Troubleshooting — gateway-specific issues
- Doctor — automated health checks and repairs
- Channel Troubleshooting — channel connectivity issues
- Automation Troubleshooting — cron and heartbeat issues