1. Symptoms
The clw-sandbox-denied error manifests when OpenClaw attempts to provision or access a sandbox environment but encounters an access control rejection. Users typically encounter this error during operations such as initializing new sandbox instances, running workloads in isolated environments, or executing commands that require sandbox permissions.
When the error occurs, the OpenClaw CLI outputs a message similar to the following:
[ERROR] clw-sandbox-denied: Sandbox access request denied.
Reason: Insufficient permissions to create or access sandbox resources.
Action required: Contact your administrator or update your sandbox access policy.
Request ID: sbx-7f3a9c2e-4b1d
Timestamp: 2025-01-15T10:32:45Z
Additional observable symptoms include the inability to list sandbox resources when running clw sandbox list, failed attempts to attach to running sandbox sessions, and HTTP 403 responses from the OpenClaw control plane API. In interactive terminal sessions, users may notice that commands that previously executed successfully begin failing with this error after organizational policy changes or role modifications. The error may also appear when attempting to allocate new sandbox resources beyond the user’s assigned quota tier.
2. Root Cause
The clw-sandbox-denied error originates from the OpenClaw authorization layer rejecting a sandbox operation request. This rejection occurs when the authenticated user’s security context does not satisfy the requirements for sandbox access as defined by the organization’s access control policies.
Several underlying conditions can trigger this error. First, role-based access control (RBAC) misconfiguration may assign users to roles lacking sandbox permissions. Organizations typically define granular permission scopes for sandbox operations—create, read, modify, and delete—and users must possess the appropriate role to perform specific actions. If a user was recently reassigned roles or transferred between teams, the new role configuration may not include the necessary sandbox permissions.
Second, sandbox access policies may restrict operations based on IP address ranges, geographic locations, or device compliance status. Corporate environments with strict security postures often implement conditional access policies that evaluate additional signals beyond authentication. A user attempting to access sandbox resources from an unregistered network or a non-compliant endpoint will receive this denial regardless of their assigned role.
Third, sandbox resource quotas impose operational limits per user or team. When resource consumption reaches configured thresholds, subsequent creation requests are denied with this error code. The denial preserves system stability by preventing resource exhaustion scenarios. Quota exhaustion can occur gradually as users accumulate sandbox instances or suddenly when batch operations spawn numerous instances in parallel.
Fourth, sandbox capability tiers restrict available features based on subscription levels. Enterprise-tier features may be unavailable to users operating under basic or standard tier accounts, causing permission denials when attempting advanced sandbox operations.
3. Step-by-Step Fix
Resolving the clw-sandbox-denied error requires identifying the specific cause within your environment. Follow these steps systematically to restore sandbox access.
Step 1: Verify Current Authentication Status
clw auth status
Examine the output to confirm your session is authenticated and the identity claim is correctly resolved. If authentication appears stale, re-authenticate using your organization’s preferred method:
clw auth login --sso
Before:
User: [email protected]
Status: Authenticated
Token: Valid (expires in 2h)
Sandbox permissions: NOT LISTED
After:
User: [email protected]
Status: Authenticated
Token: Valid (expires in 8h)
Sandbox permissions: create, read, modify, delete
Step 2: Review Assigned Role Permissions
Query your current role and associated permissions using the OpenClaw CLI:
clw iam roles list --user $(clw auth whoami --format json | jq -r .email)
Review the output to identify whether your role includes sandbox permissions. If sandbox permissions are absent, contact your identity and access management team to request role assignment containing the required permissions.
Step 3: Check Resource Quota Status
Examine your current sandbox resource utilization against assigned quotas:
clw quota show --namespace $(clw context current-namespace)
If utilization approaches or exceeds limits, terminate unused sandbox instances before attempting new operations:
clw sandbox list --filter "status=running" --format table
clw sandbox delete <sandbox-id>
Step 4: Verify Network and Endpoint Compliance
If operating from a corporate network, confirm your device meets security compliance requirements. For users operating remotely, ensure you are connected through an approved VPN that routes traffic through inspected network paths.
Step 5: Check Subscription Tier Capabilities
clw account info
Review your account’s subscription tier and verify that intended sandbox features are supported. Upgrade your subscription if necessary:
clw account upgrade --tier enterprise
Step 6: Request Administrative Override (if applicable)
If immediate access is required for critical operations, request temporary elevated permissions from your OpenClaw administrator:
clw iam roles request-elevation --role sandbox-admin --duration 4h --reason "Emergency workload deployment"
4. Verification
After implementing the fix, verify that sandbox operations function correctly by executing the following validation sequence.
First, confirm your permission state reflects the applied changes:
clw auth status | grep -i sandbox
Expected output should display sandbox permissions matching your requirements.
Second, attempt a controlled sandbox operation to confirm access is restored:
clw sandbox create --name "verification-test-$(date +%s)" --duration 30m --template default
A successful creation output confirms the fix is effective:
Sandbox created successfully: sbx-verification-abc123
Endpoint: https://sandbox.us-east-1.openclaw.io/sbx-verification-abc123
Expires: 2025-01-15T11:02:45Z
Third, verify the ability to list and manage existing sandbox resources:
clw sandbox list --format table | head -20
Confirm your sandbox instances appear in the listing with appropriate status indicators.
Fourth, test the complete lifecycle operations by attaching to and then terminating the test sandbox:
clw sandbox attach sbx-verification-abc123 --command "echo 'Sandbox access confirmed'"
clw sandbox delete sbx-verification-abc123
Successful execution of these commands confirms full sandbox access restoration.
5. Common Pitfalls
Several frequent mistakes can prolong or exacerbate the clw-sandbox-denied error. Avoid these common pitfalls to ensure efficient resolution.
Ignoring Token Expiration: OpenClaw sessions use time-limited tokens that must be refreshed periodically. Even if your role permissions are correctly configured, expired tokens cause authorization failures. Implement token refresh procedures or use long-lived authentication methods when available.
Assuming Quota is Unlimited: Sandboxes consume actual compute resources that organizations must budget for. Always check quota status before creating new instances, especially when running automated scripts or CI/CD pipelines that may spawn numerous instances simultaneously.
Bypassing Conditional Access Controls: Attempting to circumvent network restrictions or compliance requirements to gain access introduces security risks and typically fails due to additional integrity checks on the OpenClaw control plane.
Neglecting Subscription Tier Limitations: The base subscription tier includes minimal sandbox capabilities. Users requiring advanced features such as persistent storage, custom networking, or extended runtime must upgrade their subscription before accessing these capabilities.
Failing to Clear Cached Credentials: The OpenClaw CLI caches authorization decisions to reduce API calls. After role changes, clear the local cache using clw auth flush-cache to ensure fresh permission resolution reflects current role assignments.
6. Related Errors
clw-auth-failed: Authentication failures prevent the OpenClaw CLI from establishing a security context with the control plane. Without successful authentication, every subsequent request—including sandbox operations—fails with permission errors. Unlike the sandbox-specific denial, authentication failures occur before permission evaluation, indicating invalid credentials, expired sessions, or identity provider issues.
clw-quota-exceeded: This error specifically addresses resource consumption limits, indicating that available quota has been exhausted. While both clw-sandbox-denied and clw-quota-exceeded may appear similar in denial messaging, the quota error provides explicit consumption metrics and remaining allocations, making diagnosis more direct.
clw-sandbox-timeout: Sandbox operations that exceed configured time limits trigger this error. Timeout failures may occur after successful initial authorization, indicating that the denial occurred during operation execution rather than at access evaluation time. Network latency, resource contention, or template provisioning delays commonly cause timeout scenarios.
error_code: clw-sandbox-denied
language: openclaw
severity: medium
resolution_steps: 5
related_codes:
- clw-auth-failed
- clw-quota-exceeded
- clw-sandbox-timeout
Last updated: 2025-01-15 | ErrorVault Technical Documentation