​

Pairing

1. DM pairing (who is allowed to talk to the bot)
2. Node pairing (which devices/nodes are allowed to join the gateway network)

​

1) DM pairing (inbound chat access)

• 8 characters, uppercase, no ambiguous chars (0O1I).
• Expire after 1 hour. The bot only sends the pairing message when a new request is created (roughly once per hour per sender).
• Pending DM pairing requests are capped at 3 per channel by default; additional requests are ignored until one expires or is approved.

​

Approve a sender

openclaw pairing list telegram
openclaw pairing approve telegram <CODE>

​

Where the state lives

• Pending requests: <channel>-pairing.json
• Approved allowlist store: <channel>-allowFrom.json

​

2) Node device pairing (iOS/Android/macOS/headless nodes)

​

Pair via Telegram (recommended for iOS)

1. In Telegram, message your bot: /pair
2. The bot replies with two messages: an instruction message and a separate setup code message (easy to copy/paste in Telegram).
3. On your phone, open the OpenClaw iOS app → Settings → Gateway.
4. Paste the setup code and connect.
5. Back in Telegram: /pair approve

• url: the Gateway WebSocket URL (ws://... or wss://...)
• token: a short-lived pairing token

​

Approve a node device

openclaw devices list
openclaw devices approve <requestId>
openclaw devices reject <requestId>

​

Node pairing state storage

• pending.json (short-lived; pending requests expire)
• paired.json (paired devices + tokens)

​

Notes

• The legacy node.pair.* API (CLI: openclaw nodes pending/approve) is a separate gateway-owned pairing store. WS nodes still require device pairing.

​

Related docs

• Security model + prompt injection: Security
• Updating safely (run doctor): Updating
• Channel configs:
  • Telegram: Telegram
  • WhatsApp: WhatsApp
  • Signal: Signal
  • BlueBubbles (iMessage): BlueBubbles
  • iMessage (legacy): iMessage
  • Discord: Discord
  • Slack: Slack