The Error
You open the OpenClaw Control UI in your browser and see:
openclaw origin not allowed (open the control ui from the gateway host or allow it in gateway.controlui.allowedorigins)
Your gateway is running, but the Control UI refuses to load.
What’s Happening
The gateway checks the Origin header of your browser's request against its list of allowed origins. The origin of the URL in your browser (scheme, host, and port) doesn't match any entry in gateway.controlui.allowedorigins.
This is different from the “non-loopback” startup error — here the gateway did start, but it’s rejecting your specific browser connection.
Quick Diagnosis
Step 1: Check what URL is in your browser’s address bar. Example:
http://192.168.1.100:18789
Step 2: Check what origins are allowed:
openclaw status
# or
cat ~/.openclaw/openclaw.json | grep -A5 allowedorigins
Step 3: Compare. The origin in your browser must exactly match one of the allowed entries. Common mismatches:
| Browser URL | Allowed Origin | Match? |
|---|---|---|
| http://192.168.1.100:18789 | http://192.168.1.100:18789 | ✅ |
| http://192.168.1.100:18789 | https://192.168.1.100:18789 | ❌ (http vs https) |
| http://myserver:18789 | http://192.168.1.100:18789 | ❌ (hostname vs IP) |
| http://192.168.1.100:18789/ | http://192.168.1.100:18789 | ✅ (trailing slash is stripped) |
| http://192.168.1.100 | http://192.168.1.100:18789 | ❌ (missing port) |
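The comparison in the table above, as an added example that is not OpenClaw's own code: it reduces a browser URL to its origin and reports which part (scheme, host, or port) differs from each allowed entry. The helper names `toOrigin`, `effectivePort` and `diagnoseOrigin` are hypothetical, and it assumes the gateway compares scheme, host and port exactly as this page describes and that configured entries are normalized the same way.

```javascript
// Added example: models the exact-match comparison described on this page.
// Not OpenClaw's implementation; all function names here are hypothetical.

// Reduce a URL to the origin a browser sends: scheme://host[:port],
// with no path and with default ports (80 for http, 443 for https) omitted.
function toOrigin(url) {
  const u = new URL(url);
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error(`unsupported scheme: ${u.protocol}`);
  }
  return u.origin;
}

// Effective port, filling in the scheme default when none is written.
function effectivePort(u) {
  return u.port || (u.protocol === "https:" ? "443" : "80");
}

// Compare the browser URL with each allowed entry and name the part that differs.
function diagnoseOrigin(browserUrl, allowedOrigins) {
  const origin = toOrigin(browserUrl);
  const b = new URL(origin);
  const near = [];
  for (const entry of allowedOrigins) {
    let a;
    try {
      a = new URL(toOrigin(entry));
    } catch {
      near.push({ entry, differs: ["invalid entry"] });
      continue;
    }
    if (a.origin === origin) return { origin, allowed: true, matched: entry, near: [] };
    const differs = [];
    if (a.protocol !== b.protocol) differs.push("scheme");
    if (a.hostname !== b.hostname) differs.push("host");
    if (effectivePort(a) !== effectivePort(b)) differs.push("port");
    near.push({ entry, differs });
  }
  return { origin, allowed: false, matched: null, near };
}

// Constructed sample values, taken from the table above.
const allowed = ["http://192.168.1.100:18789"];
for (const url of ["http://192.168.1.100:18789/", "https://192.168.1.100:18789",
                   "http://myserver:18789", "http://192.168.1.100"]) {
  const r = diagnoseOrigin(url, allowed);
  console.log(url, "->", r.allowed ? "allowed" : `rejected (${r.near[0].differs.join(", ")})`);
}
```

The `origin` field of the result is the string to compare against your allowedorigins entries.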
The Fix
Add your browser’s exact URL as an allowed origin:
openclaw configure --set gateway.controlui.allowedorigins='["http://192.168.1.100:18789"]'
openclaw gateway restart
If you access from multiple machines or URLs, add them all:
{
  "gateway": {
    "controlui": {
      "allowedorigins": [
        "http://192.168.1.100:18789",
        "http://homelab.local:18789",
        "https://openclaw.mydomain.com"
      ]
    }
  }
}
Common Causes
1. Accessing via IP but configured with hostname (or vice versa)
# You configured:
allowedorigins: ["http://myserver:18789"]
# But you're browsing to:
http://192.168.1.50:18789
# → origin mismatch!
Fix: add both the hostname and IP to allowedorigins.
2. HTTP vs HTTPS mismatch
If you’re behind a reverse proxy that terminates TLS:
# Browser shows: https://openclaw.example.com
# But allowedorigins has: http://openclaw.example.com
Fix: use the https:// version in allowedorigins.
3. Port mismatch or missing port
# Behind a reverse proxy on port 443:
# Browser shows: https://openclaw.example.com (no port = 443)
# allowedorigins has: https://openclaw.example.com:18789
Fix: match the port the browser sees, not the gateway’s internal port.
4. Accessing from localhost vs network
If you configured allowedorigins for your network IP but then try http://localhost:18789 from the server itself — mismatch. Add both:
"allowedorigins": [
  "http://localhost:18789",
  "http://192.168.1.100:18789"
]
Still Not Working?
Enable debug logging:
OPENCLAW_LOG_LEVEL=debug openclaw gateway restart
Check the gateway logs for the exact origin being rejected:
openclaw gateway logs
The log will show something like:
origin rejected: "http://192.168.1.100:18789" not in allowed list
Use that exact string in your allowedorigins array.
