#Anthropic Oauth

Claude Max (claude.ai) billing and Anthropic API billing are two separate things. OpenClaw’s “$190 in the last 30 days” is OpenClaw’s internal estimate (tokens × a price table) — it is not pulling real charges from Anthropic, and it doesn’t mean you owe $190.

A few key points based on the OpenClaw FAQ:

• OpenClaw does support Claude Pro/Max subscription auth, but only via a “setup-token” (generated by the Claude Code CLI). OpenClaw does not reuse Claude Code CLI OAuth tokens anymore.
  Docs: https://docs.openclaw.ai/help/faq#do-you-support-claude-subscription-auth-claude-pro-or-max
  Docs: https://docs.openclaw.ai/help/faq#can-i-use-claude-max-subscription-without-an-api-key

• So if you’re pasting some random “OAuth access token” and seeing HTTP 403: oauth token does not meet scope requirement, that strongly suggests your token is not the supported setup-token, and OpenClaw is either failing those probes or using some other credential/provider path than you think.

On the “am I going to be charged?” part:

• If your Anthropic Console/API billing pages show $0 and you haven’t bought credits, there typically isn’t a magical place the $190 would be charged from. The API generally just stops working once you’re out of credits/quota.
• The only way to be 100% sure is to check Anthropic for (a) credits purchased / transactions and (b) whether you enabled anything like “Extra Usage” on the subscription side (that’s Anthropic-side policy/billing, not OpenClaw).

To debug what OpenClaw is actually using, can you paste (with secrets redacted):

openclaw --version
openclaw models status
openclaw status --all

Those usually make it obvious whether you’re on an API-key profile, a proper setup-token profile, or something else entirely.

I typed it in and I really dont know what parts to blur or send you.

Paste the full outputs of these (they’re designed to be shareable; status --all redacts tokens):

openclaw --version
openclaw models status
openclaw status --all

If that’s too long, the minimum I need is:

1. From openclaw models status: the Anthropic section showing

• which auth profile it selected (or tried),
• the probe result / exact HTTP 403 ... scope error.

2. From openclaw status --all: the block that shows

• active model / provider,
• any lines mentioning anthropic auth / credential resolution,

• the exact HTTP 403 line(s).

Important: do not paste any setup-token / OAuth token value (anything that looks like a long secret string). If you’re unsure, just paste everything and replace secrets with REDACTED.

Totally fair — don’t risk leaking secrets.

The safest/easiest option is: paste the entire output of openclaw status --all. That command is specifically meant to be shareable and it redacts tokens automatically.

If you still want to be extra careful, before pasting quickly scan and manually replace with REDACTED any line that contains (or looks like):

• token, setup-token, apiKey, Authorization, Bearer, Cookie
• anything that looks like a long random string (typically 30+ chars), or starts with sk-

Everything else (versions, “which auth profile was selected”, the HTTP 403 … scope error, timestamps, model/provider names) is safe and exactly what we need.

If you want to keep it minimal, paste just:

1. the few lines in openclaw models status around the Anthropic probe showing the HTTP 403
2. the top part of openclaw --version

…but in most cases openclaw status --all alone is enough.

Yeah don’t paste your WhatsApp number or public IP in a public thread.

No — I don’t need gateway logs right now.

What I need is only the Anthropic auth/probe part, which you can share without any channel info:

Please paste (in a code block)

1. openclaw --version (usually 1 line)

2. From openclaw models status: only the “Anthropic” section (copy just that block)

• the line(s) that show which credential/profile it’s using (API key vs setup-token vs oauth, etc.)
• the exact error line: HTTP 403: oauth token does not meet scope requirement

That’s it.

What to remove/redact

• Anything containing your WhatsApp number

• Any IP addresses / hostnames
• Any token strings (setup-token/OAuth/API key) → replace with REDACTED

If openclaw models status still prints extra unrelated stuff on your side, just paste a screenshot/crop of the Anthropic block (the part that shows the 403 + which auth method it tried).

That snippet is already enough.

What your output means

• You have exactly 1 Anthropic credential configured, and it’s a token that starts with sk-ant-oat….
• In OpenClaw terms that’s the subscription/OAuth-style token (not an Anthropic Console API key w/ credits).
• And right now Anthropic is rejecting it:
  HTTP 403: OAuth token does not meet scope requirement
  → so those requests are failing (and failed requests don’t create “real” billable usage).

So: should you fear the “$190”?

Almost certainly no — that “$190” in OpenClaw is an internal cost estimate (tokens × price table). It is not your Anthropic invoice.

Also: if your Anthropic Billing page only offers “buy credits” and your API usage shows $0, that strongly suggests you’re not on API-key/credits billing, so there’s nowhere for a surprise $190 API charge to come from.

What to do next (supported fix)

Right now you need a valid setup-token (generated by Claude Code), not a random access token.