openclaw-mission-control/docs/openclaw_gateway_ws.md

Gateway WebSocket protocol

Connection Types

OpenClaw Mission Control supports both secure (wss://) and non-secure (ws://) WebSocket connections to gateways.

Secure Connections (wss://)

For production environments, always use wss:// (WebSocket Secure) connections with valid TLS certificates.

Self-Signed Certificates

You can enable support for self-signed TLS certificates with a toggle:

1. Navigate to the gateway configuration page (Settings → Gateways)
2. When creating or editing a gateway, enable: "Allow self-signed TLS certificates"
3. This applies to any wss:// gateway URL for that gateway configuration.

When enabled, Mission Control skips TLS certificate verification for that gateway connection.

Security Warning: Enabling this weakens transport security and should only be used when you explicitly trust the endpoint and network path. Prefer valid CA-signed certificates for production gateways.

Configuration Options

When configuring a gateway, you can specify:

• Gateway URL: The WebSocket endpoint (e.g., wss://localhost:18789 or ws://gateway:18789)
• Gateway Token: Optional authentication token. Tokens are currently returned in API responses; a future release will redact them from read endpoints. Treat gateway API responses as sensitive and store tokens securely.
• Workspace Root: The root directory for gateway files (e.g., ~/.openclaw)
• Allow self-signed TLS certificates: Toggle TLS certificate verification off for this gateway's wss:// connections (default: disabled)