diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 805a1bb3c..685f18d10 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "d69eeeb2a82c6d7307bdcbde57b77ab9e25409ad", - "syncedAt": "2026-04-27T14:02:01.233Z" + "sha": "016a0b4de945196c75c8a790d8d41aafc6488171", + "syncedAt": "2026-04-27T14:12:09.219Z" } diff --git a/docs/cli/devices.md b/docs/cli/devices.md index 9f548ff9d..31724f9b7 100644 --- a/docs/cli/devices.md +++ b/docs/cli/devices.md @@ -102,7 +102,10 @@ caller already has. openclaw devices rotate --device --role operator --scope operator.read --scope operator.write ``` -Returns the new token payload as JSON. +Returns rotation metadata as JSON. If the caller is rotating its own token while +authenticated with that device token, the response also includes the replacement +token so the client can persist it before reconnecting. Shared/admin rotations +do not echo the bearer token. ### `openclaw devices revoke --device --role ` diff --git a/docs/gateway/protocol.md b/docs/gateway/protocol.md index f0f694f11..803e7666b 100644 --- a/docs/gateway/protocol.md +++ b/docs/gateway/protocol.md @@ -553,6 +553,10 @@ rather than the pre-handshake defaults. reused when the client is reusing the stored per-device token. - Device tokens can be rotated/revoked via `device.token.rotate` and `device.token.revoke` (requires `operator.pairing` scope). +- `device.token.rotate` returns rotation metadata. It echoes the replacement + bearer token only for same-device calls that are already authenticated with + that device token, so token-only clients can persist their replacement before + reconnecting. Shared/admin rotations do not echo the bearer token. - Token issuance, rotation, and revocation stay bounded to the approved role set recorded in that device's pairing entry; token mutation cannot expand or target a device role that pairing approval never granted.
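Review bot: in docs/cli/devices.md, the replacement paragraph under the `openclaw devices rotate` example says the response "also includes the replacement token" but never names the JSON field that carries it or lists what "rotation metadata" contains, so a client author cannot tell from this page what to read and persist. Suggest naming the fields. Also suggest adding a sentence that in the self-rotation case the command's JSON output contains a live bearer token and should be kept out of CI logs and other captured terminal output.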
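Review bot: in docs/gateway/protocol.md, the added `device.token.rotate` bullet sits directly under the line stating that rotate/revoke "requires `operator.pairing` scope", but it does not say whether a token-only client rotating its own token still needs that scope, so the same-device path is ambiguous. Suggest stating the scope requirement for the self-rotation case explicitly. "Shared/admin rotations" is used here and in docs/cli/devices.md without a definition, so it is also worth defining, so readers know which authentication modes never receive the bearer token in the response.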