---
title: "Chrome Extension Relay Authentication Failing with 401 - Valid HMAC Token Rejected"
date: 2026-03-03
description: "The OpenClaw Chrome extension relay server rejects valid HMAC-SHA256 derived authentication tokens with 401 Unauthorized, preventing the browser extension from connecting despite correct configuration."
tags: ["chrome-extension", "authentication", "hmac", "relay", "401", "browser-control"]
sources:
  - platform: "GitHub Issue"
    id: "openclaw#32449"
    url: "https://github.com/openclaw/openclaw/issues/32449"
openclaw_version: "2026.3.1"
---

## Symptom

When using the OpenClaw Chrome extension to connect to the browser control server, authentication fails with a **401 Unauthorized** error, even when:

- The HMAC-SHA256 token is correctly derived using the formula: `HMAC(gatewayToken, "openclaw-extension-relay-v1:{port}")`
- The gateway token matches the configured token in `~/.openclaw/openclaw.json`
- The correct relay port (18791) is being used

**Error Response:**

```text
Derived relay token: 31ef63af71285c00acf36a78a3a33619a34b947fa99c4d8b149f5566b22d219f
Response status: 401
Response body: Unauthorized
```

**Extension UI Error:**

```text
Gateway token rejected. Check token and save again.
```


**Verification Commands That Fail:**

```bash
# Using derived HMAC token
curl -H "x-openclaw-relay-token: 31ef63af71285c00acf36a78a3a33619a34b947fa99c4d8b149f5566b22d219f" \
  http://127.0.0.1:18791/json/version
# Returns: 401 Unauthorized

# Using direct Bearer token
curl -H "Authorization: Bearer fc001f30ef28a2a7e12f6f39e46ac4337cbfaff08c00585c" \
  http://127.0.0.1:18791/
# Returns: 401 Unauthorized
```

## Root Cause Analysis

Based on the issue investigation, several potential root causes have been identified:

### 1. Browser Control Server May Not Support Extension Relay Auth

The browser control server (port 18791) appears to only support direct Bearer token authentication for API calls, not the HMAC-derived relay tokens that the Chrome extension generates. The server logs show:

```text
Browser control listening on http://127.0.0.1:18791/ (auth=token)
```

However, the `x-openclaw-relay-token` header used by the extension may not be recognized by the authentication handler.

### 2. Dual Setup Configuration Conflict

The user’s setup involved two different installation methods:

- Desktop app installation (Feb 9) stores state in: `~/Library/Application Support/OpenClaw/`
- CLI installation (Feb 13) stores state in: `~/.openclaw/`

This dual setup may create conflicting authentication configurations where the extension and gateway have mismatched token references.

### 3. Port Derivation Documentation Mismatch

The documentation states the relay port should be Gateway + 3 (18792), but the server actually listens on Gateway + 2 (18791). This discrepancy may indicate incomplete extension relay initialization:

```text
2026-03-03T02:19:26.049Z info browser/server Browser control listening on http://127.0.0.1:18791/
```

### 4. Missing HMAC Token Verification Logic

The HMAC token derivation logic in the extension appears correct and matches `background-utils.js`, but the server-side verification may be:

- Not implemented
- Using a different derivation formula
- Checking against the wrong secret key

## Solution

As this is a confirmed bug in OpenClaw version 2026.3.1, the following workarounds and diagnostic steps are provided:

### Immediate Workarounds (Attempted - None Successful)

The following workarounds were attempted by the reporter but did not resolve the issue:

- ✅ Updated to OpenClaw 2026.3.1
- ✅ Reinstalled browser extension multiple times
- ✅ Verified gateway token correctness
- ✅ Tested with correct port 18791
- ✅ Verified HMAC derivation logic
- ✅ Restarted gateway multiple times

### Diagnostic Steps

1. Verify the browser control server is running:

   ```bash
   openclaw browser status
   ```

2. Check gateway logs for authentication attempts:

   ```bash
   openclaw logs --grep "auth" --grep "401" --grep "relay"
   ```

3. Verify port configuration:

   ```bash
   # Check actual relay port from gateway config
   grep -A5 '"gateway"' ~/.openclaw/openclaw.json
   ```

4. Test direct gateway connectivity (bypass extension relay):

   ```bash
   curl http://127.0.0.1:18789/json/version \
     -H "Authorization: Bearer YOUR_TOKEN"
   ```

### Temporary Alternative: Use CDP Direct Connection

Until the extension relay authentication is fixed, consider using a direct CDP connection instead of the extension driver:

```json
{
  "browser": {
    "profiles": {
      "chrome": {
        "driver": "cdp",
        "cdpPort": 9222,
        "executablePath": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
      }
    }
  }
}
```

## Prevention

To avoid this issue:

1. **Use Single Installation Method:** Avoid mixing desktop app and CLI installations on the same system. Choose either:

   - Desktop app only (for GUI-based workflows)
   - CLI only (for automated/scripted workflows)

2. **Clean State Before Fresh Install:** If switching installation methods:

   ```bash
   # Remove both state directories before fresh install
   rm -rf ~/Library/Application\ Support/OpenClaw/
   rm -rf ~/.openclaw/
   npm install -g openclaw
   ```

3. **Document Your Configuration:** Keep a record of:

   - Installation method used
   - Gateway port and token
   - Browser control port
   - Extension configuration

4. **Verify Extension Port:** Use port Gateway + 2 (e.g., if the gateway is on 18789, use 18791) until the documentation is corrected.

## Additional Information

**Environment Details:**

- OpenClaw Version: 2026.3.1 (2a8ac97)
- OS: macOS (Darwin 25.3.0 arm64)
- Node Version: v22.22.0
- Gateway Mode: local
- Gateway Port: 18789
- Browser Control Port: 18791

**Related Files:**

- Extension source: `~/.openclaw/browser/chrome-extension/`
- Gateway config: `~/.openclaw/openclaw.json`
- Extension utils: `background-utils.js` (HMAC derivation logic)

**Reported Against:**

**Status:** This is a confirmed bug in OpenClaw 2026.3.1 requiring a fix in the browser control server’s authentication handler to properly accept HMAC-derived relay tokens via the `x-openclaw-relay-token` header.