docs: clarify device token admin gate · openclaw/openclaw@c3b7e91
steipete
·
2026-05-28
·
via Recent Commits to openclaw:main
| Original file line number | Diff line number | Diff line change |
|---|
@@ -719,7 +719,8 @@ rather than the pre-handshake defaults.
|
719 | 719 | caller-requested scope set remains authoritative; cached scopes are only |
720 | 720 | reused when the client is reusing the stored per-device token. |
721 | 721 | - Device tokens can be rotated/revoked via `device.token.rotate` and |
722 | | -`device.token.revoke` (requires `operator.pairing` scope). |
| 722 | +`device.token.revoke` (requires `operator.pairing` scope). Rotating or |
| 723 | + revoking a node or other non-operator role also requires `operator.admin`. |
723 | 724 | - `device.token.rotate` returns rotation metadata. It echoes the replacement |
724 | 725 | bearer token only for same-device calls that are already authenticated with |
725 | 726 | that device token, so token-only clients can persist their replacement before |
@@ -728,8 +729,9 @@ rather than the pre-handshake defaults.
|
728 | 729 | recorded in that device's pairing entry; token mutation cannot expand or |
729 | 730 | target a device role that pairing approval never granted. |
730 | 731 | - For paired-device token sessions, device management is self-scoped unless the |
731 | | - caller also has `operator.admin`: non-admin callers can remove/revoke/rotate |
732 | | - only their **own** device entry. |
| 732 | + caller also has `operator.admin`: non-admin callers can manage only the |
| 733 | + operator token for their **own** device entry. Node and other non-operator |
| 734 | + token management is admin-only, even for the caller's own device. |
733 | 735 | - `device.token.rotate` and `device.token.revoke` also check the target operator |
734 | 736 | token scope set against the caller's current session scopes. Non-admin callers |
735 | 737 | cannot rotate or revoke a broader operator token than they already hold. |
|
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。