#22658: Fix onboard ignoring OPENCLAW_GATEWAY_TOKEN env var
commands
size: S
trusted-contributor
Cluster:
Gateway Token Management
## What
`docker-setup.sh` generates a 64-char gateway token via `openssl rand -hex 32` and exports it as `OPENCLAW_GATEWAY_TOKEN`. But the onboard wizard ignores this env var and generates its own 48-char token via `randomToken()`, causing a token mismatch that breaks every CLI command after setup.
## Root cause
Neither the QuickStart path (`onboarding.gateway-config.ts`) nor the non-interactive path (`onboard-non-interactive/local/gateway-config.ts`) checks `process.env.OPENCLAW_GATEWAY_TOKEN` before falling back to `randomToken()`.
## Fix
- QuickStart: check env var after `quickstartGateway.token`, before `randomToken()`
- Non-interactive: check env var after `opts.gatewayToken`, before `randomToken()`
- Interactive prompt: pre-fill with env var value so user can accept it
## Test
Added e2e test verifying that when `OPENCLAW_GATEWAY_TOKEN` is set and no `--gateway-token` flag is passed, the env var value is written to config.
Closes #22638
<!-- greptile_comment -->
<h3>Greptile Summary</h3>
Fixed the onboard wizard to respect the `OPENCLAW_GATEWAY_TOKEN` environment variable during setup. The `docker-setup.sh` script generates a 64-character token via `openssl rand -hex 32` and exports it, but the onboarding flows were ignoring this and generating their own 48-character tokens via `randomToken()`, causing auth mismatches post-setup.
- Added `OPENCLAW_GATEWAY_TOKEN` env var fallback in non-interactive path (after `opts.gatewayToken`, before `randomToken()`)
- Added `OPENCLAW_GATEWAY_TOKEN` env var fallback in QuickStart path (after `quickstartGateway.token`, before `randomToken()`)
- Added `OPENCLAW_GATEWAY_TOKEN` env var as initial value for interactive token prompt
- Added e2e test verifying env var is used when no `--gateway-token` flag is passed
<h3>Confidence Score: 5/5</h3>
- This PR is safe to merge with minimal risk
- The fix is straightforward and correctly implements the documented precedence chain (explicit flag > env var > random generation). The test coverage validates the env var path, and the implementation properly uses `normalizeGatewayTokenInput()` to handle edge cases like "undefined" strings. All changes are localized to the onboarding flow and follow existing patterns in the codebase.
- No files require special attention
<sub>Last reviewed commit: 745fb78</sub>
<!-- greptile_other_comments_section -->
<!-- /greptile_comment -->
Most Similar PRs
#22662: fix: use OPENCLAW_GATEWAY_TOKEN env var in onboard QuickStart
by aiworks451 · 2026-02-21
87.8%
#19885: test(gateway,browser): isolate tests from ambient OPENCLAW_GATEWAY_...
by NewdlDewdl · 2026-02-18
82.7%
#23444: Gateway: move auth token storage to state dotenv by default
by bmendonca3 · 2026-02-22
80.9%
#19937: fix(gateway): validate token/password auth modes and isolate gatewa...
by NewdlDewdl · 2026-02-18
80.2%
#11455: fix(gateway): default gateway.mode to local when unset
by AnonO6 · 2026-02-07
78.3%
#9999: Docker: fix token mismatch and add dev setup workflow
by benclarkeio · 2026-02-06
78.1%
#8478: Security: remove --allow-unconfigured from default Dockerfile CMD
by uttej-badwane · 2026-02-04
78.1%
#6638: fix: make Dockerfile work on container platforms (Render, Railway, ...
by kaizen403 · 2026-02-01
77.7%
#23139: test: fix flaky auth tests when OPENCLAW_GATEWAY_TOKEN is present
by Imccccc · 2026-02-22
77.4%
#21651: fix(gateway): token fallback + operator.admin scope superset in pai...
by lan17 · 2026-02-20
77.2%