Handle single-key wrapped OpenClaw auth headers

server/src/__tests__/invite-accept-openclaw-defaults.test.ts

@@ -142,6 +142,26 @@ describe("buildJoinDefaultsPayloadForAccept", () => {
     });
   });
 
+  it("accepts auth headers wrapped in a single unknown key", () => {
+    const result = buildJoinDefaultsPayloadForAccept({
+      adapterType: "openclaw",
+      defaultsPayload: {
+        headers: {
+          "x-openclaw-auth": {
+            gatewayToken: "gateway-token",
+          },
+        },
+      },
+    }) as Record<string, unknown>;
+
+    expect(result).toMatchObject({
+      headers: {
+        "x-openclaw-auth": "gateway-token",
+      },
+      webhookAuthHeader: "Bearer gateway-token",
+    });
+  });
+
   it("leaves non-openclaw payloads unchanged", () => {
     const defaultsPayload = { command: "echo hello" };
     const result = buildJoinDefaultsPayloadForAccept({

server/src/routes/access.ts

@@ -159,6 +159,22 @@ function normalizeHeaderValue(
     const normalized = normalizeHeaderValue((value as Record<string, unknown>)[key], depth + 1);
     if (normalized) return normalized;
   }
+
+  const entries = Object.entries(value as Record<string, unknown>);
+  if (entries.length === 1) {
+    const [singleKey, singleValue] = entries[0];
+    const normalizedKey = singleKey.trim().toLowerCase();
+    if (
+      normalizedKey !== "type" &&
+      normalizedKey !== "version" &&
+      normalizedKey !== "secretid" &&
+      normalizedKey !== "secret_id"
+    ) {
+      const normalized = normalizeHeaderValue(singleValue, depth + 1);
+      if (normalized) return normalized;
+    }
+  }
+
   return null;
 }