Why does OpenClaw show origin not allowed even when the port is open?

Open port reachability and browser-origin validation are different checks. OpenClaw blocks UI origins not explicitly allowed by gateway.controlUi.allowedOrigins.

Should I set allowedOrigins to * in production?

No. Use explicit origins only. Wildcards increase attack surface and can undermine Control UI access controls.

What is the fastest reliable path if I keep hitting origin errors?

Standardize a single canonical domain, add it to allowedOrigins exactly, verify proxy Host/X-Forwarded headers, then retest from an incognito browser session.

Blog

OpenClaw “origin not allowed” fix

Problem statement: Control UI loads, but instead of chat you see origin not allowed (open the Control UI from the gateway host or allow it in gateway.controlUi.allowedOrigins) This usually appears when deploying through FRP/Nginx/Caddy or public IP forwarding.

Recent reports

GitHub issue #29809 created 2026-02-28, updated 2026-03-01 with reproducible cloud + FRP setup.
Multiple teams reporting "page reachable but Control UI blocked" pattern after moving from local to public deployment.

Actionable fix sequence

Choose one canonical UI URL (for example: https://agent.example.com).

Add exact origin allowlist in ~/.openclaw/openclaw.json:

{
  "gateway": {
    "controlUi": {
      "allowedOrigins": ["https://agent.example.com"]
    }
  }
}

Restart gateway: openclaw gateway restart.
Proxy hygiene: make sure your reverse proxy forwards Host and X-Forwarded-Proto consistently.
Retest in incognito to avoid stale browser cache/token state.

What usually causes repeated failures

Mixing IP and domain access (e.g., open by IP once, domain next).
Allowing the wrong scheme (http vs https mismatch).
Changing forwarded host in FRP/Nginx while keeping old origin list.
Using wildcard origins in one layer while another layer enforces strict host checks.

Fix once. Stop recurring origin-policy failures.

If this keeps coming back, you can move your existing setup to managed OpenClaw cloud hosting instead of rebuilding the same stack. Import your current instance, keep your context, and move onto a runtime with lower ops overhead.

Import flow in ~1 minute
Keep your current instance context
Run with managed security and reliability defaults

If you would rather compare options first, review OpenClaw cloud hosting or see the best OpenClaw hosting options before deciding.

Import your current OpenClaw instance in 1 click Keep self-hosted: apply fix checklist

OpenClaw import first screen in OpenClaw Setup dashboard (light theme) — 1) Paste import payload

OpenClaw import first screen in OpenClaw Setup dashboard (dark theme) — 1) Paste import payload

OpenClaw import completed screen in OpenClaw Setup dashboard (light theme) — 2) Review and launch

OpenClaw import completed screen in OpenClaw Setup dashboard (dark theme) — 2) Review and launch

When this issue keeps returning, switch to a more stable setup

If you're already updating gateway and browser config, this is a good time to move to managed hosting: keep your instance updated and use Chrome Extension relay for real local browser tab control.

See OpenClaw cloud hosting See Chrome Extension feature

For a broader decision view, compare managed hosting vs self-hosted VPS or review the best OpenClaw hosting options.

FAQ

Can I keep both IP and domain allowed?

Yes, but only if both are intentional. Keep the list explicit and minimal.

Why did it work locally but fail in cloud?

Cloud and proxy setups introduce browser-origin differences that local loopback deployments don’t have.