docs/cli/devices.md

---
summary: "CLI reference for `openclaw devices` (device pairing + token rotation/revocation)"
read_when:
  - You are approving device pairing requests
  - You need to rotate or revoke device tokens
title: "devices"
---

# `openclaw devices`

Manage device pairing requests and device-scoped tokens.

## Commands

### `openclaw devices list`

List pending pairing requests and paired devices.

```
openclaw devices list
openclaw devices list --json
```

### `openclaw devices approve [requestId] [--latest]`

Approve a pending device pairing request. If `requestId` is omitted, OpenClaw
automatically approves the most recent pending request.

```
openclaw devices approve
openclaw devices approve <requestId>
openclaw devices approve --latest
```

### `openclaw devices reject <requestId>`

Reject a pending device pairing request.

```
openclaw devices reject <requestId>
```

### `openclaw devices rotate --device <id> --role <role> [--scope <scope...>]`

Rotate a device token for a specific role (optionally updating scopes).

```
openclaw devices rotate --device <deviceId> --role operator --scope operator.read --scope operator.write
```

### `openclaw devices revoke --device <id> --role <role>`

Revoke a device token for a specific role.

```
openclaw devices revoke --device <deviceId> --role node
```

## Common options

- `--url <url>`: Gateway WebSocket URL (defaults to `gateway.remote.url` when configured).
- `--token <token>`: Gateway token (if required).
- `--password <password>`: Gateway password (password auth).
- `--timeout <ms>`: RPC timeout.
- `--json`: JSON output (recommended for scripting).

Note: when you set `--url`, the CLI does not fall back to config or environment credentials.
Pass `--token` or `--password` explicitly. Missing explicit credentials is an error.

## Notes

- Token rotation returns a new token (sensitive). Treat it like a secret.
- These commands require `operator.pairing` (or `operator.admin`) scope.
feat: add device token auth and devices cli 2026-01-20 10:29:13 +00:00			`---`
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			summary: "CLI reference for `openclaw devices` (device pairing + token rotation/revocation)"
feat: add device token auth and devices cli 2026-01-20 10:29:13 +00:00			`read_when:`
			`- You are approving device pairing requests`
			`- You need to rotate or revoke device tokens`
Docs: add nav titles across docs (#5689) 2026-01-31 16:04:03 -05:00			`title: "devices"`
feat: add device token auth and devices cli 2026-01-20 10:29:13 +00:00			`---`

refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			# `openclaw devices`
feat: add device token auth and devices cli 2026-01-20 10:29:13 +00:00
			`Manage device pairing requests and device-scoped tokens.`

			`## Commands`

refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			### `openclaw devices list`
feat: add device token auth and devices cli 2026-01-20 10:29:13 +00:00
			`List pending pairing requests and paired devices.`

			```
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`openclaw devices list`
			`openclaw devices list --json`
feat: add device token auth and devices cli 2026-01-20 10:29:13 +00:00			```

CLI: approve latest pending device request 2026-02-17 14:08:04 +00:00			### `openclaw devices approve [requestId] [--latest]`
feat: add device token auth and devices cli 2026-01-20 10:29:13 +00:00
CLI: approve latest pending device request 2026-02-17 14:08:04 +00:00			Approve a pending device pairing request. If `requestId` is omitted, OpenClaw
			`automatically approves the most recent pending request.`
feat: add device token auth and devices cli 2026-01-20 10:29:13 +00:00
			```
CLI: approve latest pending device request 2026-02-17 14:08:04 +00:00			`openclaw devices approve`
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`openclaw devices approve <requestId>`
CLI: approve latest pending device request 2026-02-17 14:08:04 +00:00			`openclaw devices approve --latest`
feat: add device token auth and devices cli 2026-01-20 10:29:13 +00:00			```

refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			### `openclaw devices reject <requestId>`
feat: add device token auth and devices cli 2026-01-20 10:29:13 +00:00
			`Reject a pending device pairing request.`

			```
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`openclaw devices reject <requestId>`
feat: add device token auth and devices cli 2026-01-20 10:29:13 +00:00			```

refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			### `openclaw devices rotate --device <id> --role <role> [--scope <scope...>]`
feat: add device token auth and devices cli 2026-01-20 10:29:13 +00:00
			`Rotate a device token for a specific role (optionally updating scopes).`

			```
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`openclaw devices rotate --device <deviceId> --role operator --scope operator.read --scope operator.write`
feat: add device token auth and devices cli 2026-01-20 10:29:13 +00:00			```

refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			### `openclaw devices revoke --device <id> --role <role>`
feat: add device token auth and devices cli 2026-01-20 10:29:13 +00:00
			`Revoke a device token for a specific role.`

			```
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`openclaw devices revoke --device <deviceId> --role node`
feat: add device token auth and devices cli 2026-01-20 10:29:13 +00:00			```

			`## Common options`

			- `--url <url>`: Gateway WebSocket URL (defaults to `gateway.remote.url` when configured).
			- `--token <token>`: Gateway token (if required).
			- `--password <password>`: Gateway password (password auth).
			- `--timeout <ms>`: RPC timeout.
			- `--json`: JSON output (recommended for scripting).

Security: Prevent gateway credential exfiltration via URL override (#9179) * Gateway: require explicit auth for url overrides * Gateway: scope credential blocking to non-local URLs only Address review feedback: the previous fix blocked credential fallback for ALL URL overrides, which was overly strict and could break workflows that use --url to switch between loopback/tailnet without passing credentials. Now credential fallback is only blocked for non-local URLs (public IPs, external hostnames). Local addresses (127.0.0.1, localhost, private IPs like 192.168.x.x, 10.x.x.x, tailnet 100.x.x.x) still get credential fallback as before. This maintains the security fix (preventing credential exfiltration to attacker-controlled URLs) while preserving backward compatibility for legitimate local URL overrides. * Security: require explicit credentials for gateway url overrides (#8113) (thanks @victormier) * Gateway: reuse explicit auth helper for url overrides (#8113) (thanks @victormier) * Tests: format gateway chat test (#8113) (thanks @victormier) * Tests: require explicit auth for gateway url overrides (#8113) (thanks @victormier) --------- Co-authored-by: Victor Mier <victormier@gmail.com> 2026-02-04 18:59:44 -05:00			Note: when you set `--url`, the CLI does not fall back to config or environment credentials.
			Pass `--token` or `--password` explicitly. Missing explicit credentials is an error.

feat: add device token auth and devices cli 2026-01-20 10:29:13 +00:00			`## Notes`

			`- Token rotation returns a new token (sensitive). Treat it like a secret.`
			- These commands require `operator.pairing` (or `operator.admin`) scope.