chore(sync): mirror docs from openclaw/openclaw@016a0b4de9

2026-04-27 14:13:28 +00:00 · 2026-04-27 14:13:28 +00:00 · 21d8bbeae5
commit 21d8bbeae5
parent 4cdda7e2f5
3 changed files with 10 additions and 3 deletions
--- a/.openclaw-sync/source.json
+++ b/.openclaw-sync/source.json
@ -1,5 +1,5 @@
 {
  "repository": "openclaw/openclaw",
-  "sha": "d69eeeb2a82c6d7307bdcbde57b77ab9e25409ad",
-  "syncedAt": "2026-04-27T14:02:01.233Z"
+  "sha": "016a0b4de945196c75c8a790d8d41aafc6488171",
+  "syncedAt": "2026-04-27T14:12:09.219Z"
 }
--- a/docs/cli/devices.md
+++ b/docs/cli/devices.md
@ -102,7 +102,10 @@ caller already has.
 openclaw devices rotate --device <deviceId> --role operator --scope operator.read --scope operator.write
 ```

-Returns the new token payload as JSON.
+Returns rotation metadata as JSON. If the caller is rotating its own token while
+authenticated with that device token, the response also includes the replacement
+token so the client can persist it before reconnecting. Shared/admin rotations
+do not echo the bearer token.

 ### `openclaw devices revoke --device <id> --role <role>`

--- a/docs/gateway/protocol.md
+++ b/docs/gateway/protocol.md
@ -553,6 +553,10 @@ rather than the pre-handshake defaults.
  reused when the client is reusing the stored per-device token.
 - Device tokens can be rotated/revoked via `device.token.rotate` and
  `device.token.revoke` (requires `operator.pairing` scope).
+- `device.token.rotate` returns rotation metadata. It echoes the replacement
+  bearer token only for same-device calls that are already authenticated with
+  that device token, so token-only clients can persist their replacement before
+  reconnecting. Shared/admin rotations do not echo the bearer token.
 - Token issuance, rotation, and revocation stay bounded to the approved role set
  recorded in that device's pairing entry; token mutation cannot expand or
  target a device role that pairing approval never granted.