fix: silence unused hook token url param (#9436)

* fix: Gateway authentication token exposed in URL query parameters * fix: silence unused hook token url param * fix: remove gateway auth tokens from URLs (#9436) (thanks @coygeek) * test: fix Windows path separators in audit test (#9436) --------- Co-authored-by: George Pickett <gpickett00@gmail.com>
2026-04-19 06:37:28 +00:00 · 2026-02-05 18:08:29 -08:00
parent b1430aaaca
commit 717129f7f9
22 changed files with 107 additions and 172 deletions
--- a/docs/install/exe-dev.md
+++ b/docs/install/exe-dev.md
@@ -103,9 +103,10 @@ server {

 ## 5) Access OpenClaw and grant privileges

-Access `https://<vm-name>.exe.xyz/?token=YOUR-TOKEN-FROM-TERMINAL` (see the Control UI output from onboarding). Approve
-devices with `openclaw devices list` and `openclaw devices approve <requestId>`. When in doubt,
-use Shelley from your browser!
+Access `https://<vm-name>.exe.xyz/` (see the Control UI output from onboarding). If it prompts for auth, paste the
+token from `gateway.auth.token` on the VM (retrieve with `openclaw config get gateway.auth.token`, or generate one
+with `openclaw doctor --generate-gateway-token`). Approve devices with `openclaw devices list` and
+`openclaw devices approve <requestId>`. When in doubt, use Shelley from your browser!

 ## Remote Access