


























@@ -0,0 +1,215 @@
1+---
2+summary: "Expose selected Gateway control-plane methods through the bundled, opt-in admin-http-rpc plugin"
3+read_when:
4+ - Building host tooling that cannot use the Gateway WebSocket RPC client
5+ - Exposing Gateway admin automation behind a private trusted ingress
6+ - Auditing the security model for HTTP access to Gateway methods
7+title: "Admin HTTP RPC plugin"
8+---
9+10+The bundled `admin-http-rpc` plugin exposes selected Gateway control-plane methods over HTTP for trusted host automation that cannot use the normal Gateway WebSocket RPC client.
11+12+The plugin is included with OpenClaw, but it is off by default. When disabled, the route is not registered. When enabled, it adds:
13+14+- `POST /api/v1/admin/rpc`
15+- same listener as the Gateway: `http://<gateway-host>:<port>/api/v1/admin/rpc`
16+17+Enable it only for private host tooling, tailnet automation, or a trusted internal ingress. Do not expose this route directly to the public internet.
18+19+## Before you enable it
20+21+Admin HTTP RPC is a full operator control-plane surface. Any caller that passes Gateway HTTP auth can invoke the allowlisted methods on this page.
22+23+Use it when all of these are true:
24+25+- The caller is trusted to operate the Gateway.
26+- The caller cannot use the WebSocket RPC client.
27+- The route is reachable only on loopback, a tailnet, or a private authenticated ingress.
28+- You have reviewed the allowed methods and they match the automation you plan to run.
29+30+Use the WebSocket RPC path for OpenClaw clients and interactive tools that can keep a Gateway WebSocket connection open.
31+32+## Enable
33+34+Enable the bundled plugin:
35+36+<Tabs>
37+<Tab title="CLI">
38+```bash
39+openclaw plugins enable admin-http-rpc
40+openclaw gateway restart
41+```
42+</Tab>
43+<Tab title="Config">
44+```json5
45+{
46+ plugins: {
47+ entries: {
48+ "admin-http-rpc": { enabled: true },
49+ },
50+ },
51+}
52+```
53+</Tab>
54+</Tabs>
55+56+The route is registered during plugin startup. Restart the Gateway after changing plugin config.
57+58+Disable it when you no longer need the HTTP surface:
59+60+```bash
61+openclaw plugins disable admin-http-rpc
62+openclaw gateway restart
63+```
64+65+## Verify the route
66+67+Use `health` as the smallest safe request:
68+69+```bash
70+curl -sS http://<gateway-host>:<port>/api/v1/admin/rpc \
71+ -H 'Authorization: Bearer <gateway-token>' \
72+ -H 'Content-Type: application/json' \
73+ -d '{"method":"health","params":{}}'
74+```
75+76+A successful response has `ok: true`:
77+78+```json
79+{
80+"id": "generated-request-id",
81+"ok": true,
82+"payload": {
83+"status": "ok"
84+ }
85+}
86+```
87+88+When the plugin is disabled, the route returns `404` because it is not registered.
89+90+## Authentication
91+92+The plugin route uses Gateway HTTP auth.
93+94+Common authentication paths:
95+96+- shared-secret auth (`gateway.auth.mode="token"` or `"password"`): `Authorization: Bearer <token-or-password>`
97+- trusted identity-bearing HTTP auth (`gateway.auth.mode="trusted-proxy"`): route through the configured identity-aware proxy and let it inject the required identity headers
98+- private-ingress open auth (`gateway.auth.mode="none"`): no auth header required
99+100+## Security model
101+102+Treat this plugin as a full Gateway operator surface.
103+104+- Enabling the plugin intentionally offers access to the allowlisted admin RPC methods at `/api/v1/admin/rpc`.
105+- The plugin declares the reserved `contracts.gatewayMethodDispatch: ["authenticated-request"]` manifest contract so its Gateway-authenticated HTTP route can dispatch control-plane methods in process.
106+- Shared-secret bearer auth proves possession of the gateway operator secret.
107+- For `token` and `password` auth, narrower `x-openclaw-scopes` headers are ignored and the normal full operator defaults are restored.
108+- Trusted identity-bearing HTTP modes honor `x-openclaw-scopes` when present.
109+- `gateway.auth.mode="none"` means this route is unauthenticated if the plugin is enabled. Use that only behind a private ingress you fully trust.
110+- Requests dispatch through the same Gateway method handlers and scope checks as WebSocket RPC after the plugin route auth passes.
111+- Keep this route on loopback, tailnet, or a private trusted ingress. Do not expose it directly to the public internet.
112+- Plugin manifest contracts are not a sandbox. They prevent accidental use of reserved SDK helpers; trusted plugins still run in the Gateway process.
113+114+Use separate gateways when callers cross trust boundaries.
115+116+## Request
117+118+```http
119+POST /api/v1/admin/rpc
120+Authorization: Bearer <gateway-token>
121+Content-Type: application/json
122+```
123+124+```json
125+{
126+"id": "optional-request-id",
127+"method": "health",
128+"params": {}
129+}
130+```
131+132+Fields:
133+134+- `id` (string, optional): copied into the response. A UUID is generated when omitted.
135+- `method` (string, required): allowed Gateway method name.
136+- `params` (any, optional): method-specific params.
137+138+The default max request body size is 1 MB.
139+140+## Response
141+142+Success responses use the Gateway RPC shape:
143+144+```json
145+{
146+"id": "optional-request-id",
147+"ok": true,
148+"payload": {}
149+}
150+```
151+152+Gateway method errors use:
153+154+```json
155+{
156+"id": "optional-request-id",
157+"ok": false,
158+"error": {
159+"code": "INVALID_REQUEST",
160+"message": "bad params"
161+ }
162+}
163+```
164+165+HTTP status follows the Gateway error when possible. For example, `INVALID_REQUEST` returns `400`, and `UNAVAILABLE` returns `503`.
166+167+## Allowed methods
168+169+- discovery: `commands.list`
170+ Returns the HTTP RPC method names allowed by this plugin.
171+- gateway: `health`, `status`, `logs.tail`, `usage.status`, `usage.cost`, `gateway.restart.request`
172+- config: `config.get`, `config.schema`, `config.schema.lookup`, `config.set`, `config.patch`, `config.apply`
173+- channels: `channels.status`, `channels.start`, `channels.stop`, `channels.logout`
174+- models: `models.list`, `models.authStatus`
175+- agents: `agents.list`, `agents.create`, `agents.update`, `agents.delete`
176+- approvals: `exec.approvals.get`, `exec.approvals.set`, `exec.approvals.node.get`, `exec.approvals.node.set`
177+- cron: `cron.status`, `cron.list`, `cron.get`, `cron.runs`, `cron.add`, `cron.update`, `cron.remove`, `cron.run`
178+- devices: `device.pair.list`, `device.pair.approve`, `device.pair.reject`, `device.pair.remove`
179+- nodes: `node.list`, `node.describe`, `node.pair.list`, `node.pair.approve`, `node.pair.reject`, `node.pair.remove`, `node.rename`
180+- tasks: `tasks.list`, `tasks.get`, `tasks.cancel`
181+- diagnostics: `doctor.memory.status`, `update.status`
182+183+Other Gateway methods are blocked until they are intentionally added.
184+185+## WebSocket comparison
186+187+The normal Gateway WebSocket RPC path remains the preferred control-plane API for OpenClaw clients. Use admin HTTP RPC only for host tooling that needs a request/response HTTP surface.
188+189+Shared-token WebSocket clients without a trusted device identity cannot self-declare admin scopes during connect. Admin HTTP RPC deliberately follows the existing trusted HTTP operator model: when the plugin is enabled, shared-secret bearer auth is treated as full operator access for this admin surface.
190+191+## Troubleshooting
192+193+`404 Not Found`
194+195+: The plugin is disabled, the Gateway has not restarted since enabling it, or the request is going to a different Gateway process.
196+197+`401 Unauthorized`
198+199+: The request did not satisfy Gateway HTTP auth. Check the bearer token or the trusted-proxy identity headers.
200+201+`400 INVALID_REQUEST`
202+203+: The request body is not valid JSON, the `method` field is missing, or the method is not in the plugin allowlist.
204+205+`503 UNAVAILABLE`
206+207+: The Gateway method handler is unavailable. Check Gateway logs and retry after the Gateway finishes startup.
208+209+## Related
210+211+- [Operator scopes](/gateway/operator-scopes)
212+- [Gateway security](/gateway/security)
213+- [Remote access](/gateway/remote)
214+- [Plugin manifest](/plugins/manifest#contracts)
215+- [SDK subpaths](/plugins/sdk-subpaths)
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。