What is allowinsecureauth?
The gateway.controlui.allowinsecureauth setting controls whether the OpenClaw Control UI allows authentication over unencrypted HTTP connections. By default, it is disabled, meaning the gateway requires HTTPS (TLS) for any authentication flow.
When you try to authenticate to the Control UI over plain HTTP, you will see an error like:
insecure auth not allowed - use HTTPS or set gateway.controlui.allowinsecureauth=true
This is a security feature. Sending authentication tokens over unencrypted HTTP means anyone on the network can intercept your credentials.
When you might need it
There are legitimate scenarios where you need to enable this:
Local development
If you are running OpenClaw on localhost or 127.0.0.1 and accessing the Control UI from the same machine, the traffic never leaves your loopback interface. Network interception is not a realistic threat:
openclaw configure --set gateway.controlui.allowinsecureauth=true
openclaw gateway restart
Behind a TLS-terminating reverse proxy
If you have Nginx, Caddy, or Traefik handling TLS termination in front of OpenClaw, the connection between the proxy and the gateway is internal. The proxy-to-gateway hop is typically on localhost or a private network:
Client -> HTTPS -> Nginx -> HTTP -> OpenClaw gateway (localhost:18789)
In this case, enabling allowinsecureauth is acceptable because the external-facing connection is encrypted.
Tailscale or WireGuard tunnels
Traffic inside a Tailscale or WireGuard tunnel is already encrypted at the network layer. Running HTTP inside an encrypted tunnel is safe:
# Gateway bound to Tailscale interface
openclaw configure --set gateway.bind=tailnet
openclaw configure --set gateway.controlui.allowinsecureauth=true
openclaw gateway restart
Configuration
Enable via CLI
openclaw configure --set gateway.controlui.allowinsecureauth=true
openclaw gateway restart
Enable in config file
Edit ~/.openclaw/openclaw.json:
{
"gateway": {
"controlui": {
"allowinsecureauth": true,
"allowedorigins": ["http://192.168.1.100:18789"]
}
}
}
Then restart:
openclaw gateway restart
Environment variable
export OPENCLAW_GATEWAY_CONTROLUI_ALLOWINSECUREAUTH=true
openclaw gateway restart
Security risks
Enabling this on a public network or internet-facing deployment is dangerous:
- Credential interception: authentication tokens sent in plain text can be captured by anyone on the same network segment
- Session hijacking: intercepted tokens can be replayed to impersonate your session
- Man-in-the-middle: an attacker can intercept and modify requests between your browser and the gateway
Risk matrix
| Scenario | Risk | Enable? |
|---|---|---|
| localhost / 127.0.0.1 | None | ✅ Safe |
| Behind TLS reverse proxy | Low | ✅ Acceptable |
| Tailscale / WireGuard | None | ✅ Safe |
| LAN without encryption | Medium | ⚠️ Proceed with caution |
| Public internet | Critical | ❌ Never |
| Cloud VM with public IP | Critical | ❌ Never |
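As an added example (not OpenClaw's own code or a tool from this page), the following Python checker applies the risk matrix above to a parsed openclaw.json of the shape shown in the config-file section: it reports allowinsecureauth=true as a finding whenever an allowedorigins entry implies plain HTTP to a non-loopback host. The key names and the `gateway.bind=tailnet` value come from the page; the rating thresholds are this example's assumptions.

```python
# Added example: lint an OpenClaw config dict against the risk matrix above.
# Key names come from the page; the rating rules are this example's assumption.
import ipaddress
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def origin_risk(origin: str) -> str:
    """Rate one allowedorigins entry by the transport it implies."""
    parts = urlsplit(origin)
    host = parts.hostname or ""
    if parts.scheme == "https":
        return "none"          # TLS end to end; the setting is not exercised
    if parts.scheme != "http":
        return "unknown"
    if host in LOOPBACK_HOSTS:
        return "none"          # traffic never leaves the loopback interface
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "critical"      # DNS name over plain HTTP: assume reachable beyond the LAN
    if addr.is_loopback:
        return "none"
    if addr.is_private:
        return "medium"        # LAN without encryption
    return "critical"          # public address over plain HTTP

def assess(config: dict) -> list:
    """Return findings for gateway.controlui.allowinsecureauth in a parsed openclaw.json."""
    gateway = config.get("gateway", {})
    controlui = gateway.get("controlui", {})
    if not controlui.get("allowinsecureauth", False):
        return []              # default (HTTPS required): nothing to flag
    if gateway.get("bind") == "tailnet":
        return ["none: bound to tailnet, plain HTTP rides inside the tunnel"]
    findings = [
        f"{origin_risk(o)}: allowinsecureauth=true with plain-HTTP origin {o}"
        for o in controlui.get("allowedorigins", [])
        if origin_risk(o) in ("medium", "critical")
    ]
    return findings or ["none: every allowed origin is loopback or HTTPS"]

# Constructed sample mirroring the config-file section of this page.
SAMPLE_CONFIG = {"gateway": {"controlui": {
    "allowinsecureauth": True,
    "allowedorigins": ["http://192.168.1.100:18789"]}}}

if __name__ == "__main__":
    for line in assess(SAMPLE_CONFIG):
        print(line)
```

Running it on the page's sample config yields a "medium" finding, matching the "LAN without encryption" row of the matrix.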
Safer alternatives
Instead of enabling allowinsecureauth, consider these approaches:
1. Use a reverse proxy with free TLS
Caddy automatically provisions Let's Encrypt certificates:
openclaw.yourdomain.com {
reverse_proxy localhost:18789
}
Zero-configuration TLS. The Control UI gets HTTPS automatically.
2. Use Tailscale HTTPS
Tailscale provides HTTPS certificates for your Tailscale hostnames:
tailscale cert openclaw-server
Then configure OpenClaw to use the generated certificate.
3. Self-signed certificates
For internal deployments where you control all clients:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Configure OpenClaw to use TLS with the self-signed cert, then add it to your browser's trust store.
Troubleshooting
"insecure auth not allowed" after enabling
Make sure you restarted the gateway:
openclaw gateway restart
Verify the setting took effect:
openclaw status
Still getting auth errors
Check that gateway.controlui.allowedorigins is also configured correctly. Both settings must be satisfied: the origin must be allowed AND the auth transport must be acceptable.