Complete reference for openclaw dashboard: launching the browser Control UI, handling token resolution, SSH tunnel hints for remote setups, and SecretRef error remediation.

What does OpenClaw Dashboard do?
It’s a single command that resolves your auth token, constructs the correct dashboard URL, copies it to your clipboard, and opens it in your default browser, all in one step. It’s designed to be the fastest path from a fresh OpenClaw install to a working browser UI, even before external channels like WhatsApp or Telegram are configured. The command handles token resolution internally, which means you don’t need to manually look up or paste credentials to log into the Control UI.
Two Scenarios Where Behavior Differs
On a local machine with a GUI, openclaw dashboard opens the browser automatically. On a headless server or remote VPS, it can’t launch a browser, so it prints an SSH tunnel hint instead so you can forward the port locally. If your gateway.auth.token is a SecretRef that hasn’t resolved, the command intentionally blocks URL generation and prints explicit remediation steps; this is a security guardrail, not a bug. See §3 for both scenarios.
Commands
Two variants: one opens the browser automatically, the other stays in the terminal.
| openclaw dashboard | Resolves your authentication token, prints the dashboard URL, copies it to your clipboard, and automatically attempts to open the Control UI in your default web browser. The URL is intentionally non-tokenized: your auth secret is never embedded in the URL string printed to terminal, stored in clipboard history, or passed as a browser launch argument. |
| openclaw dashboard --no-open | Prints and copies the dashboard URL to your clipboard without attempting to automatically launch a browser. Use this in headless CI environments, when you want to paste the URL into a different browser or device, or when auto-open causes issues with your desktop environment. |
both variants

    # Open browser automatically (default)
    openclaw dashboard

    # Print and copy URL only — no browser launch
    openclaw dashboard --no-open

Key Behaviors
Four behaviors worth understanding before you rely on this command in production or automated workflows.
Fastest Setup Path
Running this command is the fastest way to launch the browser UI and start chatting with your agent. As noted in the main OpenClaw Installation Guide, using the dashboard command is the recommended final step to verify your setup before you begin configuring external channels like Telegram or WhatsApp.
Remote / Headless Support
If your OpenClaw instance is running on a headless server or remote VPS, the command will print a helpful SSH tunnel hint so you know how to securely forward the port to your local machine. It won’t silently fail or open a nonexistent browser.
Token Resolution & Security
The command automatically resolves your gateway.auth.token (including SecretRefs). For security, it explicitly uses a non-tokenized URL to prevent your secrets from being exposed in terminal output, your clipboard history, or your browser’s launch arguments.
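An added example, not OpenClaw code: a check that scans captured terminal output or logs for dashboard URLs that do embed a credential, which is the exposure the non-tokenized URL is meant to avoid. The parameter names in SENSITIVE_KEYS and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed credential-bearing parameter names; not taken from OpenClaw.
SENSITIVE_KEYS = {"token", "access_token", "auth", "key", "api_key", "secret", "password"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def credential_locations(url):
    """Return where in `url` a credential-like value is embedded (empty if none)."""
    parts = urlsplit(url)
    found = []
    if parts.username is not None or parts.password is not None:
        found.append("userinfo")
    # A fragment can carry parameters too: '#token=...' or '#/path?token=...'.
    fragment_params = parts.fragment.split("?", 1)[-1]
    for place, raw in (("query", parts.query), ("fragment", fragment_params)):
        for name, _value in parse_qsl(raw, keep_blank_values=True):
            if name.lower() in SENSITIVE_KEYS:
                found.append(f"{place}:{name.lower()}")
    return found


def redact(url):
    """Keep scheme, host, port and path only, so a report never repeats the secret."""
    parts = urlsplit(url)
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.hostname or ''}{port}{parts.path}"


def scan_output(text):
    """Return (redacted URL, locations) for every tokenized URL in captured text."""
    hits = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,)")
        locations = credential_locations(url)
        if locations:
            hits.append((redact(url), locations))
    return hits


# Constructed sample lines (not real OpenClaw output); port 19000 as in the page's tunnel example.
SAMPLE = """\
Dashboard: http://localhost:19000/
Pasted link: http://localhost:19000/?token=EXAMPLE-NOT-A-REAL-TOKEN
Old bookmark: http://admin:EXAMPLE@localhost:19000/#/chat?access_token=EXAMPLE
"""

if __name__ == "__main__":
    for url, locations in scan_output(SAMPLE):
        print(url, locations)
```

The report lists only redacted URLs, so running the check over a log does not copy the secret into a second place.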
Unresolved SecretRef Blocking
If your gateway token is managed by a SecretRef but is currently unresolved, the command will purposefully block URL generation and instead print explicit remediation guidance so you can fix the missing secret. This is intentional: generating a URL with a broken token would result in an unusable dashboard.
Execution Flow
What the command does internally and where it branches based on your environment and token state.
execution path

    openclaw dashboard
    │
    ├── Resolve gateway.auth.token
    │   │
    │   ├── ✓ Token resolved
    │   │   │
    │   │   ├── Construct non-tokenized dashboard URL
    │   │   ├── Print URL to terminal
    │   │   ├── Copy URL to clipboard
    │   │   │
    │   │   ├── Local machine with GUI → Open browser automatically
    │   │   └── Headless / remote VPS → Print SSH tunnel hint
    │   │
    │   └── ✗ SecretRef unresolved
    │       └── Block URL generation
    │           └── Print remediation guidance
    │
    └── Done

If you see a SecretRef error, do not try to manually construct the dashboard URL as a workaround. Fix the missing secret first using the remediation steps printed by the command, then re-run openclaw dashboard. A URL built against an unresolved token will result in an authentication failure in the browser.
On a remote server, use the SSH tunnel hint printed by the command to forward the dashboard port. A typical tunnel looks like ssh -L 19000:localhost:19000 user@your-server. With the tunnel running, open the printed URL on your local machine.
