docs: refresh http endpoint auth refs

Peter Steinberger 2026-04-04 13:56:01 +01:00
parent 032dbf0ec6
commit 6cff644dc9
No known key found for this signature in database
3 changed files with 30 additions and 5 deletions


@ -25,14 +25,25 @@ Under the hood, requests are executed as a normal Gateway agent run (same codepa
## Authentication
Uses the Gateway auth configuration. Send a bearer token:
Uses the Gateway auth configuration.
- `Authorization: Bearer <token>`
Common HTTP auth paths:
- shared-secret auth (`gateway.auth.mode="token"` or `"password"`):
`Authorization: Bearer <token-or-password>`
- trusted identity-bearing HTTP auth (`gateway.auth.mode="trusted-proxy"`):
route through the configured identity-aware proxy and let it inject the
required identity headers
- private-ingress open auth (`gateway.auth.mode="none"`):
no auth header required
Notes:
- When `gateway.auth.mode="token"`, use `gateway.auth.token` (or `OPENCLAW_GATEWAY_TOKEN`).
- When `gateway.auth.mode="password"`, use `gateway.auth.password` (or `OPENCLAW_GATEWAY_PASSWORD`).
- When `gateway.auth.mode="trusted-proxy"`, the HTTP request must come from a
configured non-loopback trusted proxy source; same-host loopback proxies do
not satisfy this mode.
- If `gateway.auth.rateLimit` is configured and too many auth failures occur, the endpoint returns `429` with `Retry-After`.
## Security boundary (important)
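Review bot: The Notes list in this hunk has entries for `token`, `password` and `trusted-proxy` but none for `gateway.auth.mode="none"`, so the only statement about that mode is "no auth header required". Add a note that says what "private-ingress" requires of the deployment for this mode to be acceptable, and point to the "Security boundary (important)" section that follows, so the bullet is not read as a general-purpose option.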


@ -22,7 +22,10 @@ Under the hood, requests are executed as a normal Gateway agent run (same codepa
Operational behavior matches [OpenAI Chat Completions](/gateway/openai-http-api):
- use `Authorization: Bearer <token>` with the normal Gateway auth config
- use the matching Gateway HTTP auth path:
- shared-secret auth (`gateway.auth.mode="token"` or `"password"`): `Authorization: Bearer <token-or-password>`
- trusted-proxy auth (`gateway.auth.mode="trusted-proxy"`): identity-aware proxy headers from a configured non-loopback trusted proxy source
- private-ingress open auth (`gateway.auth.mode="none"`): no auth header
- treat the endpoint as full operator access for the gateway instance
- for shared-secret auth modes (`token` and `password`), ignore narrower bearer-declared `x-openclaw-scopes` values and restore the normal full operator defaults
- for trusted identity-bearing HTTP modes (for example trusted proxy auth or `gateway.auth.mode="none"`), honor `x-openclaw-scopes` when present and otherwise fall back to the normal operator default scope set
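Review bot: The new `gateway.auth.mode="none"` sub-bullet says only "no auth header", while the unchanged bullets directly below it say to treat the endpoint as full operator access and that trusted identity-bearing modes, `none` included, honor `x-openclaw-scopes` and otherwise fall back to the normal operator default scope set. Read together, a caller that sends no credential gets the operator default scopes; state that on the `none` bullet itself, or reference the scope bullet from it, so the consequence is not left for the reader to assemble. The labels also differ within the same list: `none` is "private-ingress open auth" in the added line and a "trusted identity-bearing HTTP mode" in the last bullet, so pick one term.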


@ -17,14 +17,25 @@ Default max payload size is 2 MB.
## Authentication
Uses the Gateway auth configuration. Send a bearer token:
Uses the Gateway auth configuration.
- `Authorization: Bearer <token>`
Common HTTP auth paths:
- shared-secret auth (`gateway.auth.mode="token"` or `"password"`):
`Authorization: Bearer <token-or-password>`
- trusted identity-bearing HTTP auth (`gateway.auth.mode="trusted-proxy"`):
route through the configured identity-aware proxy and let it inject the
required identity headers
- private-ingress open auth (`gateway.auth.mode="none"`):
no auth header required
Notes:
- When `gateway.auth.mode="token"`, use `gateway.auth.token` (or `OPENCLAW_GATEWAY_TOKEN`).
- When `gateway.auth.mode="password"`, use `gateway.auth.password` (or `OPENCLAW_GATEWAY_PASSWORD`).
- When `gateway.auth.mode="trusted-proxy"`, the HTTP request must come from a
configured non-loopback trusted proxy source; same-host loopback proxies do
not satisfy this mode.
- If `gateway.auth.rateLimit` is configured and too many auth failures occur, the endpoint returns `429` with `Retry-After`.
## Security boundary (important)
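Review bot: The `gateway.auth.rateLimit` note at the end of the Notes list still speaks of "auth failures" in general, but this section now documents a mode with no credential (`none`) and one where identity comes from proxy headers (`trusted-proxy`). State which modes the `429` with `Retry-After` behaviour applies to, in particular whether a request rejected because it did not come from a configured trusted proxy source counts as an auth failure. The trusted-proxy bullet's "required identity headers" should also name the headers or link to the page that does.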