Fix: Origin Not Allowed — OpenClaw Control UI

Fix the 'origin not allowed (open the control ui from the gateway host or allow it in gateway.controlui.allowedorigins)' OpenClaw error in under 2 minutes.

Luca Berton

The Error

You open the OpenClaw Control UI in your browser and see:

openclaw origin not allowed (open the control ui from the gateway
host or allow it in gateway.controlui.allowedorigins)

Your gateway is running, but the Control UI refuses to load.

What’s Happening

The gateway is checking the Origin header from your browser request against its list of allowed origins. The origin is the scheme, host, and port of the URL you opened, and it doesn’t match any entry in gateway.controlui.allowedorigins.

This is different from the “non-loopback” startup error — here the gateway did start, but it’s rejecting your specific browser connection.

Quick Diagnosis

Step 1: Check what URL is in your browser’s address bar. Example:

http://192.168.1.100:18789

Step 2: Check what origins are allowed:

openclaw status
# or
grep -A5 allowedorigins ~/.openclaw/openclaw.json

Step 3: Compare. The origin in your browser must exactly match one of the allowed entries. Common mismatches:

| Browser URL | Allowed Origin | Match? |
|---|---|---|
| http://192.168.1.100:18789 | http://192.168.1.100:18789 | ✅ |
| http://192.168.1.100:18789 | https://192.168.1.100:18789 | ❌ (http vs https) |
| http://myserver:18789 | http://192.168.1.100:18789 | ❌ (hostname vs IP) |
| http://192.168.1.100:18789/ | http://192.168.1.100:18789 | ✅ (trailing slash is stripped) |
| http://192.168.1.100 | http://192.168.1.100:18789 | ❌ (missing port) |

The Fix

Add your browser’s exact origin (scheme, host, and port, without any path) as an allowed origin:

openclaw configure --set gateway.controlui.allowedorigins='["http://192.168.1.100:18789"]'
openclaw gateway restart

If you access from multiple machines or URLs, add each one, and only the ones you actually use:

{
  "gateway": {
    "controlui": {
      "allowedorigins": [
        "http://192.168.1.100:18789",
        "http://homelab.local:18789",
        "https://openclaw.mydomain.com"
      ]
    }
  }
}

Common Causes

1. Accessing via IP but configured with hostname (or vice versa)

# You configured:
allowedorigins: ["http://myserver:18789"]

# But you're browsing to:
http://192.168.1.50:18789
# → origin mismatch!

Fix: add both the hostname and IP to allowedorigins.

2. HTTP vs HTTPS mismatch

If you’re behind a reverse proxy that terminates TLS:

# Browser shows: https://openclaw.example.com
# But allowedorigins has: http://openclaw.example.com

Fix: use the https:// version in allowedorigins.

3. Port mismatch or missing port

# Behind a reverse proxy on port 443:
# Browser shows: https://openclaw.example.com (no port = 443)
# allowedorigins has: https://openclaw.example.com:18789

Fix: match the port the browser sees, not the gateway’s internal port.

4. Accessing from localhost vs network

If you configured allowedorigins for your network IP but then try http://localhost:18789 from the server itself — mismatch. Add both:

"allowedorigins": [
  "http://localhost:18789",
  "http://192.168.1.100:18789"
]
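
The comparison from Step 3 and the four causes above, as a check you can run under Node.js (an added example, not code from the original article or from OpenClaw). It assumes the gateway does the exact string comparison the article describes; sampleAllowed, browserOrigin and diagnose are hypothetical names, and the allowlist is constructed sample data.

```javascript
// Added example: models the exact-match rule this page describes; not OpenClaw's code.
// Constructed sample allowlist, same shape as gateway.controlui.allowedorigins.
const sampleAllowed = ["http://192.168.1.100:18789", "https://openclaw.example.com"];

const DEFAULT_PORT = { "http:": "80", "https:": "443" };
const portOf = (u) => u.port || DEFAULT_PORT[u.protocol] || "";

// Origin a browser sends for an address-bar URL: scheme://host[:port].
// URL.origin drops the path (hence the trailing slash) and a default port.
function browserOrigin(addressBarUrl) {
  return new URL(addressBarUrl).origin;
}

// Check a URL against the allowlist. On a miss, report which parts
// (scheme, host, port) differ from the closest allowlist entry.
function diagnose(addressBarUrl, allowed = sampleAllowed) {
  const origin = browserOrigin(addressBarUrl);
  if (allowed.includes(origin)) return { origin, ok: true, closest: origin, diffs: [] };
  const got = new URL(origin);
  let best = { entry: null, diffs: ["allowlist has no usable entry"] };
  for (const entry of allowed) {
    let want;
    try { want = new URL(entry); } catch { continue; } // skip malformed entries
    const diffs = [];
    if (got.protocol !== want.protocol) diffs.push("scheme");
    if (got.hostname !== want.hostname) diffs.push("host");
    if (portOf(got) !== portOf(want)) diffs.push("port");
    // Same scheme, host and port but a different string: the entry carries
    // a path or an explicit default port and should be rewritten as `origin`.
    if (diffs.length === 0) return { origin, ok: false, closest: entry, diffs: ["entry not a bare origin"] };
    if (best.entry === null || diffs.length < best.diffs.length) best = { entry, diffs };
  }
  return { origin, ok: false, closest: best.entry, diffs: best.diffs };
}

// Rows from the mismatch table above, plus the reverse-proxy case (cause 3).
for (const url of [
  "http://192.168.1.100:18789/",
  "https://192.168.1.100:18789",
  "http://myserver:18789",
  "http://192.168.1.100",
  "https://openclaw.example.com:443/",
]) {
  const r = diagnose(url);
  console.log(r.ok ? "ALLOW " : "REJECT", r.origin, r.ok ? "" : `(${r.diffs.join(", ")} differs from ${r.closest})`);
}
```

The origin string printed for a REJECT line is the value to put in allowedorigins if that URL is one you intend to use.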

Still Not Working?

Enable debug logging:

OPENCLAW_LOG_LEVEL=debug openclaw gateway restart

Check the gateway logs for the exact origin being rejected:

openclaw gateway logs

The log will show something like:

origin rejected: "http://192.168.1.100:18789" not in allowed list

Use that exact string in your allowedorigins array.

Frequently Asked Questions

What does the OpenClaw "origin not allowed" error mean?

The gateway compares your browser's Origin header against gateway.controlui.allowedorigins and finds no match, so it refuses to load the Control UI. The gateway itself is running fine — it is only rejecting your specific browser connection.

How do I fix "origin not allowed" in OpenClaw?

Add your browser's exact URL to the allowlist and restart the gateway. Run openclaw config set gateway.controlui.allowedorigins '["http://192.168.1.100:18789"]' followed by openclaw gateway restart, using the precise protocol, host, and port shown in your browser's address bar.

Why does the origin still not match after I add it?

The origin must match exactly on protocol, host, and port. http versus https, a hostname versus its IP address, or a missing or extra port all count as a mismatch. Run openclaw gateway logs to see the exact origin string being rejected and copy it verbatim into allowedorigins.

Is "origin not allowed" the same as the non-loopback startup error?

No. "Origin not allowed" happens at runtime when the gateway is already running but rejects your browser. The "non-loopback control ui requires allowedorigins" error instead stops the gateway from starting at all.
