diff --git a/backend/tests/test_gateway_ssl_context.py b/backend/tests/test_gateway_ssl_context.py
new file mode 100644
index 00000000..b5c4b667
--- /dev/null
+++ b/backend/tests/test_gateway_ssl_context.py
@@ -0,0 +1,54 @@
+"""Tests for SSL/TLS configuration in gateway RPC connections."""
+
+from __future__ import annotations
+
+import ssl
+
+from app.services.openclaw.gateway_rpc import GatewayConfig, _create_ssl_context
+
+
+def test_create_ssl_context_returns_none_for_ws_protocol() -> None:
+    """SSL context should be None for non-secure websocket connections."""
+    config = GatewayConfig(url="ws://gateway.example:18789/ws")
+    ssl_context = _create_ssl_context(config)
+
+    assert ssl_context is None
+
+
+def test_create_ssl_context_returns_none_for_wss_with_secure_mode() -> None:
+    """SSL context should be None for wss:// with default verification (secure mode)."""
+    config = GatewayConfig(url="wss://gateway.example:18789/ws", allow_insecure_tls=False)
+    ssl_context = _create_ssl_context(config)
+
+    assert ssl_context is None
+
+
+def test_create_ssl_context_disables_verification_when_allow_insecure_tls_true() -> None:
+    """SSL context should disable certificate verification when allow_insecure_tls is True."""
+    config = GatewayConfig(url="wss://gateway.example:18789/ws", allow_insecure_tls=True)
+    ssl_context = _create_ssl_context(config)
+
+    assert ssl_context is not None
+    assert isinstance(ssl_context, ssl.SSLContext)
+    assert ssl_context.check_hostname is False
+    assert ssl_context.verify_mode == ssl.CERT_NONE
+
+
+def test_create_ssl_context_respects_localhost_with_insecure_flag() -> None:
+    """SSL context for localhost should respect allow_insecure_tls flag."""
+    config = GatewayConfig(url="wss://localhost:18789/ws", allow_insecure_tls=True)
+    ssl_context = _create_ssl_context(config)
+
+    assert ssl_context is not None
+    assert ssl_context.check_hostname is False
+    assert ssl_context.verify_mode == ssl.CERT_NONE
+
+
+def test_create_ssl_context_respects_ip_address_with_insecure_flag() -> None:
+    """SSL context for IP addresses should respect allow_insecure_tls flag."""
+    config = GatewayConfig(url="wss://192.168.1.100:18789/ws", allow_insecure_tls=True)
+    ssl_context = _create_ssl_context(config)
+
+    assert ssl_context is not None
+    assert ssl_context.check_hostname is False
+    assert ssl_context.verify_mode == ssl.CERT_NONE