diff --git a/CHANGELOG.md b/CHANGELOG.md
index 17bb4477c..ca108fab3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -79,6 +79,7 @@ Status: unreleased.
 - Gateway: default auth now fail-closed (token/password required; Tailscale Serve identity remains allowed).
 - Gateway: treat loopback + non-local Host connections as remote unless trusted proxy headers are present.
 - Onboarding: remove unsupported gateway auth "off" choice from onboarding/configure flows and CLI flags.
+- Gateway: improve auth error message for native apps (macOS/iOS/Android) to clarify gateway.remote.token setup. (#2268)
 ## 2026.1.24-3
diff --git a/src/gateway/server/ws-connection/message-handler.ts b/src/gateway/server/ws-connection/message-handler.ts
index d1f6ae511..ac97d322d 100644
--- a/src/gateway/server/ws-connection/message-handler.ts
+++ b/src/gateway/server/ws-connection/message-handler.ts
@@ -83,17 +83,25 @@ function formatGatewayAuthFailureMessage(params: {
 const isCli = isGatewayCliClient(client);
 const isControlUi = client?.id === GATEWAY_CLIENT_IDS.CONTROL_UI;
 const isWebchat = isWebchatClient(client);
+ const isMacOsApp = client?.id === GATEWAY_CLIENT_IDS.MACOS_APP;
+ const isIosApp = client?.id === GATEWAY_CLIENT_IDS.IOS_APP;
+ const isAndroidApp = client?.id === GATEWAY_CLIENT_IDS.ANDROID_APP;
+ const isNativeApp = isMacOsApp || isIosApp || isAndroidApp;
 const uiHint = "open a tokenized dashboard URL or paste token in Control UI settings";
 const tokenHint = isCli
 ? "set gateway.remote.token to match gateway.auth.token"
- : isControlUi || isWebchat
- ? uiHint
- : "provide gateway auth token";
+ : isNativeApp
+ ? "set gateway.remote.token in ~/.clawdbot/clawdbot.json to match gateway.auth.token on the server"
+ : isControlUi || isWebchat
+ ? uiHint
+ : "provide gateway auth token";
 const passwordHint = isCli
 ? "set gateway.remote.password to match gateway.auth.password"
- : isControlUi || isWebchat
- ? "enter the password in Control UI settings"
- : "provide gateway auth password";
+ : isNativeApp
+ ? "set gateway.remote.password in ~/.clawdbot/clawdbot.json to match gateway.auth.password on the server"
+ : isControlUi || isWebchat
+ ? "enter the password in Control UI settings"
+ : "provide gateway auth password";
 switch (reason) {
 case "token_missing":
 return `unauthorized: gateway token missing (${tokenHint})`;
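Review bot: The new `isNativeApp` branch sends the `~/.clawdbot/clawdbot.json` hint to iOS and Android clients as well as macOS, and a phone app presumably has no user-editable file at that home-directory path, so the message would point mobile users at a step they cannot perform. Unless the mobile apps really read that file, limit the path hint to the desktop case, e.g. `: isMacOsApp ? "set gateway.remote.token in ~/.clawdbot/clawdbot.json to match gateway.auth.token on the server"`, and give iOS/Android their own wording (or let them fall through to the generic hint); the same applies to `passwordHint`. Because this text is returned on the auth-failure path, `client.id` is presumably self-declared by a peer that has not authenticated, so a comment such as `// hints are fixed strings chosen by self-reported client id; never interpolate configured secrets or server-side values` would record why they must stay static. The function's signature and the rest of its `switch` lie outside the hunk.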