From 87b210b34dfa708e49d176af6720a0a3ef62011d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 22 Feb 2026 05:32:04 +0000 Subject: [PATCH] docs: Add documentation for self-signed TLS certificate support Co-authored-by: abhi1693 <5083532+abhi1693@users.noreply.github.com> --- docs/openclaw_gateway_ws.md | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/docs/openclaw_gateway_ws.md b/docs/openclaw_gateway_ws.md index 5fc7b84e..96ecf979 100644 --- a/docs/openclaw_gateway_ws.md +++ b/docs/openclaw_gateway_ws.md 
@@ -1,3 +1,31 @@ # Gateway WebSocket protocol -Placeholder. +## Connection Types + +OpenClaw Mission Control supports both secure (`wss://`) and non-secure (`ws://`) WebSocket connections to gateways. + +### Secure Connections (wss://) + +For production environments, always use `wss://` (WebSocket Secure) connections with valid TLS certificates. + +### Self-Signed Certificates + +For local development or trusted local networks, you can enable support for self-signed TLS certificates: + +1. Navigate to the gateway configuration page (Settings → Gateways) +2. When creating or editing a gateway, check the box: **"Allow self-signed TLS certificates"** +3. This option is useful for: + - Local development: `wss://localhost:18789` + - Trusted local networks: `wss://192.168.1.100:18789` + +**Security Warning**: Only enable this option for localhost or gateways on trusted local networks. Do not use self-signed certificates for production gateways accessible over the internet. + +## Configuration Options + +When configuring a gateway, you can specify: + +- **Gateway URL**: The WebSocket endpoint (e.g., `wss://localhost:18789` or `ws://gateway:18789`) +- **Gateway Token**: Optional authentication token +- **Workspace Root**: The root directory for gateway files (e.g., `~/.openclaw`) +- **Allow self-signed TLS certificates**: Enable/disable self-signed certificate support (default: disabled) +
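Review bot: The "Self-Signed Certificates" section never states what the **"Allow self-signed TLS certificates"** checkbox relaxes, so a reader cannot tell whether it only accepts an untrusted issuer or also skips hostname and expiry checks. Please document the exact verification behaviour. If the option disables verification entirely, say so, because a `wss://` connection then no longer proves which gateway it reached. Separately, "Connection Types" and the `ws://gateway:18789` example under "Configuration Options" present `ws://` as supported with no caveat. If the Gateway Token travels over that connection, add a sentence that it is unencrypted on `ws://` and that `ws://` belongs in the same local-only category as the self-signed option. The warning would also be more precise if it targeted the setting rather than the certificate type, for example "Do not enable this option for gateways reachable over the internet".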