Overview Agent token authentication is a separate authentication system designed for AI agents to access the Mission Control API. Unlike user authentication (Local/Clerk), agent tokens:
Are unique per agent
Use opaque token strings (not JWTs)
Are presented via X-Agent-Token header (not Authorization)
Update agent presence automatically on each request
Use PBKDF2-HMAC-SHA256 for secure token hashing
Agent Authentication Flow
Agent Token Generation
When an agent is created, Mission Control generates a secure random token: token = secrets.token_urlsafe( 32 ) # 43 characters, URL-safe
Token Hashing
Token is hashed using PBKDF2-HMAC-SHA256 before storage: hash = pbkdf2_hmac( 'sha256' , token, salt, 200000 iterations) stored = f "pbkdf2_sha256$200000$ { salt } $ { hash } "
Only the hash is stored in the database (agents.agent_token_hash)
Token Distribution
Plain token is written to the agent’s TOOLS.md file: # TOOLS.md - `AUTH_TOKEN=<plain-token-here>`
The agent reads this file on startup.
Agent Requests
Agent includes token in API requests: curl -H "X-Agent-Token: <token>" \ https://api.example.com/api/v1/agent/boards
Token Verification
Backend:
Extracts token from X-Agent-Token header
Queries all agents with non-null agent_token_hash
Verifies token against each hash using verify_agent_token()
Returns matching agent or 401
Presence Update
On successful authentication, updates agent metadata:
last_seen_at (throttled to 30-second intervals)status → online (unless updating or deleting)Auto-commits for read-only requests
Token Generation Automatic Generation Tokens are automatically generated when:
New agent created : Via /api/v1/agents endpointTemplate sync with rotation : Via /api/v1/gateways/{id}/templates/sync?rotate_tokens=true
You don’t typically need to generate tokens manually.
Manual Generation (Advanced) If you need to generate a token programmatically:
from app.core.agent_tokens import generate_agent_token, hash_agent_token # Generate new token plain_token = generate_agent_token() print ( f "Token: { plain_token } " ) # Give this to the agent # Hash for storage token_hash = hash_agent_token(plain_token) print ( f "Hash: { token_hash } " ) # Store this in database # Update agent record agent.agent_token_hash = token_hash session.add(agent) await session.commit()
API Usage Making Authenticated Requests Agents use the X-Agent-Token header:
curl -X GET https://api.example.com/api/v1/agent/boards \ -H "X-Agent-Token: your-agent-token-here"
Some endpoints also accept Authorization: Bearer <token> for convenience, but X-Agent-Token is preferred and more explicit.
Agent Health Check Verify token validity and service availability:
curl -X GET https://api.example.com/api/v1/agent/healthz \ -H "X-Agent-Token: your-agent-token-here"
Response: { "ok" : true , "agent_id" : "c91361ef-1234-5678-9abc-def012345678" , "board_id" : "70a4ea4f-5678-9abc-def0-123456789abc" , "gateway_id" : "55cc268a-9abc-def0-1234-56789abcdef0" , "status" : "online" , "is_board_lead" : false }
List Accessible Boards curl -X GET https://api.example.com/api/v1/agent/boards \ -H "X-Agent-Token: your-agent-token-here"
Response: { "items" : [ { "id" : "70a4ea4f-5678-9abc-def0-123456789abc" , "name" : "Engineering Board" , "objective" : "Manage engineering tasks" , "status" : "active" } ], "total" : 1 , "limit" : 50 , "offset" : 0 }
List Board Tasks curl -X GET https://api.example.com/api/v1/agent/boards/{board_id}/tasks \ -H "X-Agent-Token: your-agent-token-here" \ -G -d "status=inbox" \ -d "assigned_agent_id={agent_id}"
Response: { "items" : [ { "id" : "task-uuid" , "title" : "Implement new feature" , "status" : "inbox" , "priority" : "high" , "assigned_agent_id" : "c91361ef-1234-5678-9abc-def012345678" } ], "total" : 1 , "limit" : 50 , "offset" : 0 }
Update Task Status curl -X PATCH https://api.example.com/api/v1/agent/boards/{board_id}/tasks/{task_id} \ -H "X-Agent-Token: your-agent-token-here" \ -H "Content-Type: application/json" \ -d '{ "status": "done", "comment": "Task completed successfully" }'
curl -X POST https://api.example.com/api/v1/agent/boards/{board_id}/tasks/{task_id}/comments \ -H "X-Agent-Token: your-agent-token-here" \ -H "Content-Type: application/json" \ -d '{ "content": "Started working on this task", "tags": ["progress"] }'
Token Security Hashing Algorithm Agent tokens are hashed using PBKDF2-HMAC-SHA256:
pbkdf2_sha256 - PBKDF2 with HMAC-SHA256
200000 - Number of hash iterations (OWASP recommended minimum)
16 random bytes per token (Base64 URL-safe encoded)
pbkdf2_sha256$200000$<salt>$<hash>
Example hash: pbkdf2_sha256$200000$xK2Lp9mN3vB7qR4t$8Hg3mL9pN4vC7xZ2kJ6fR5tQ1w
Token Verification Verification uses constant-time comparison to prevent timing attacks:
import hmac # Re-hash the candidate token with stored salt candidate_hash = pbkdf2_hmac( 'sha256' , token, salt, iterations) # Constant-time comparison return hmac.compare_digest(candidate_hash, stored_hash)
Security Properties Opaque tokens : Not JWTs, cannot be decoded to reveal information
Strong hashing : PBKDF2 with 200k iterations resists brute-force attacks
Unique salts : Each token has its own salt, preventing rainbow table attacks
Constant-time verification : Prevents timing attacks that could leak token info
URL-safe encoding : Tokens use Base64 URL-safe alphabet (43 characters)
Token Rotation When to Rotate Tokens Rotate agent tokens when:
First gateway setup : Initial provisioning requires token generationAgents deleted from gateway : Gateway can’t read TOOLS.md without agent config entriesSecurity incident : Tokens compromised or suspected exposureRegular rotation policy : Periodic rotation for security best practices
How to Rotate Tokens Use the template sync endpoint with rotate_tokens=true:
curl -X POST "https://api.example.com/api/v1/gateways/{gateway_id}/templates/sync?rotate_tokens=true&overwrite=true" \ -H "Authorization: Bearer YOUR_USER_TOKEN"
Parameters: Generate new tokens for all agents and update TOOLS.md files
Overwrite existing TOOLS.md files even if unchanged
Limit rotation to agents on a specific board
Only rotate tokens for board lead agents
Response: { "agents_synced" : 3 , "files_written" : 9 , "errors" : [] }
Token Rotation Impact : Old tokens stop working immediately. Agents must restart to read new tokens from TOOLS.md.
Presence Tracking Automatic Presence Updates Every authenticated agent request updates presence metadata:
Check last update : Skip if updated within 30 secondsUpdate timestamp : Set last_seen_at to current UTC timeUpdate status : Set to online (unless agent is updating or deleting)Persist changes : Auto-commit for GET/HEAD/OPTIONS requests
This allows the UI to show real-time agent status without requiring explicit heartbeat calls.
Manual Heartbeat Agents can also send explicit heartbeat signals:
curl -X POST https://api.example.com/api/v1/agent/heartbeat \ -H "X-Agent-Token: your-agent-token-here"
Response: { "id" : "c91361ef-1234-5678-9abc-def012345678" , "name" : "Clawd-CFO" , "status" : "online" , "last_seen_at" : "2026-03-05T10:30:00Z" , "board_id" : "70a4ea4f-5678-9abc-def0-123456789abc" }
Error Responses Missing Token Request: curl -X GET https://api.example.com/api/v1/agent/boards
Response: 401 Unauthorized{ "detail" : "Not authenticated" }
Invalid Token Request: curl -X GET https://api.example.com/api/v1/agent/boards \ -H "X-Agent-Token: invalid-token"
Response: 401 Unauthorized{ "detail" : "Not authenticated" }
Board Access Denied Request: Agent tries to access a board it’s not assigned toResponse: 403 Forbidden{ "detail" : { "code" : "forbidden" , "message" : "Board access denied" }, "code" : "forbidden" , "retryable" : false }
Agent Not Found Cause: Agent was deleted but token still existsResponse: 401 Unauthorized{ "detail" : "Not authenticated" }
Common Issues Error : unable to read AUTH_TOKEN from TOOLS.md (run with rotate_tokens=true)Cause : Agent entry missing from ~/.openclaw/openclaw.json. Gateway can’t serve TOOLS.md without the agent config.Solution : Run template sync with rotation:curl -X POST "https://api.example.com/api/v1/gateways/{id}/templates/sync?rotate_tokens=true&overwrite=true" \ -H "Authorization: Bearer YOUR_TOKEN"
Token Works in curl but Not in Agent Symptom : Manual curl requests succeed but agent gets 401 errorsCauses :
Agent reading old/cached token
Agent using wrong token variable
Token has whitespace or special characters
Solution : Check agent’s token source:# In agent workspace cat TOOLS.md | grep AUTH_TOKEN
Agent Shows as Offline Despite Active Requests Symptom : Agent making requests but UI shows offlineCauses :
Clock skew between agent and server
Database not committing presence updates
Frontend cache not refreshing
Solution : Check last_seen_at in database:SELECT name , status , last_seen_at FROM agents WHERE id = 'agent-uuid' ;
Best Practices Use X-Agent-Token header : More explicit than Authorization header
Read token from TOOLS.md : Don’t hardcode tokens in agent code
Handle 401 gracefully : Retry with exponential backoff, alert on persistent failures
Monitor last_seen_at : Alert if agent hasn’t been seen in expected interval
Rotate tokens periodically : Implement regular rotation policy for production
Never log full tokens : Truncate to first 6 characters in logs
Authorization Policies Agent authorization is scoped by role:
Board-Scoped Agents Agents with board_id set can only access:
Their assigned board
Tasks on their board
Other agents on their board
Board memory and webhooks
Board Lead Agents Agents with is_board_lead=true can additionally:
Create tasks on their board
Delete tasks on their board
Assign tasks to other agents
Nudge other agents
Update agent SOUL documents
Create new agents
Main Agents Agents with board_id=null can:
Access multiple boards (if permitted)
Broadcast messages to leads
Coordinate across boards
See Authorization Policies for complete details.
Next Steps
Agent API Reference View all agent-scoped endpoints
User Authentication Learn about user authentication
Template Sync Manage agent provisioning
Authorization Understand access control
