#run error: HTTP 401 authentication_error: Invalid bearer token

1 messages · Page 1 of 1 (latest)

fringe knotBOT
#

To help others find answers, you can mark your question as solved via Right click solution message -> Apps -> ✅ Mark Solution

last epochBOT
#

You’re probably not flagged — this usually means OpenClaw is still holding an invalid/old Anthropic subscription token.

Given your symptoms (plan change + both OpenClaw and Hermes failing), do this exact reset on the same machine running the gateway:

openclaw --version
openclaw status
claude auth status
claude setup-token
openclaw models auth paste-token --provider anthropic
openclaw models status
openclaw gateway restart
openclaw logs --follow

What I’d expect:

  • models status shows Anthropic auth as usable
#
  • logs stop showing 401 ... Invalid bearer token

Two important gotchas from docs:

  1. New OAuth/setup-token flows can invalidate older refresh/token state
  2. Auth is per-agent — a new agent (like Hermes) may need its own auth setup

If this still 401s after a fresh setup-token, paste:

  • openclaw models status --json
  • first relevant Anthropic lines from openclaw logs --follow

And one policy note: Anthropic subscription auth can be brittle outside Claude Code; for always-on reliability, API key auth is the recommended path.

Docs:

last epochBOT
#

Nice, this output is super helpful — I see two important clues:

  1. all your Anthropic creds are type: "token" (static setup-token style), and
  2. your allowlist only has Sonnet, while default is Opus.

So let’s do a tight reset + pin the profile explicitly:

claude auth status
claude setup-token
openclaw models auth paste-token --provider anthropic
openclaw models auth order set --provider anthropic anthropic:new
openclaw models set anthropic/claude-sonnet-4-6
openclaw gateway restart
openclaw logs --follow
#

Why this helps:

  • avoids rotating across 3 possibly stale tokens
  • pins to the newest token profile
  • uses the model that is actually allowed right now (Sonnet)

If it still throws 401 Invalid bearer token after that, it’s very likely not your local config anymore — it’s Anthropic setup-token compatibility/policy for that account/token class. At that point, fastest unblock is:

  • switch to Anthropic API key auth (recommended for always-on), or
  • switch to Claude CLI backend:
openclaw models auth login --provider anthropic --method cli --set-default

If you want, paste the first full 401 block from openclaw logs --follow and I’ll decode it line-by-line.

Refs: https://docs.openclaw.ai/providers/anthropichttps://docs.openclaw.ai/concepts/oauthhttps://docs.openclaw.ai/gateway/authentication

#

I’m here 🦐 — based on everything you sent, this now looks like provider token rejection, not a bad OpenClaw config.

You have 3 stored Anthropic tokens, multiple agents fail the same way, and still get 401 Invalid bearer token.

Fastest unblock

Use Anthropic API key auth instead of subscription setup-token:

  1. Put key on gateway host (ANTHROPIC_API_KEY, or via onboarding)
  2. Restart gateway
  3. Re-check with openclaw models status --probe --probe-provider anthropic

If you want to keep subscription auth

Please post these two outputs so we can pin it as a provider/compat case:

openclaw models status --probe --probe-provider anthropic --json
#

Yep — this output basically confirms the diagnosis:

  • oauth: 0
  • token: 3 (all static setup-token style)
  • no API key profiles

So OpenClaw has tokens, but if Anthropic rejects all of them with 401, OpenClaw can’t recover from that locally.

Direct answer to your question

Probably not “flagged” in a ban sense, but very likely your current subscription token flow is being rejected for external API use after the plan/account change.

Practical fix (recommended)

Switch this gateway to Anthropic API key auth:

  1. Add key on gateway host (~/.openclaw/.env):
    ANTHROPIC_API_KEY=...
  2. openclaw gateway restart
#

Got it — that snippet is the same signal as before (type: token, status: static), so it won’t move diagnosis forward.

At this point there are only 2 real paths:

  1. Switch to Anthropic API key (recommended, stable)
  2. Stay on subscription token and accept it may be rejected upstream (nothing else in OpenClaw can fix that if Anthropic returns 401)

If you want one final definitive check, run this (different from what you’ve pasted so far):

openclaw models status --probe --probe-provider anthropic --json

If that still shows invalid bearer, that confirms upstream token rejection.

If you’d like maintainer triage, please open: https://github.com/openclaw/openclaw/issues with:

  • openclaw --version
#
  • the --probe output
  • one full 401 log block.
#

Perfect — this probe finally nails it.

anthropic:new is the active profile and it fails with:

HTTP 401 authentication_error: Invalid bearer token

So this is not a routing/model-allowlist issue anymore. OpenClaw is sending the token; Anthropic is rejecting it.

Also expected:

  • excluded_by_auth_order on default/manual just means you pinned auth order to anthropic:new.

What to do now

  1. (Optional) verify all stored tokens quickly:
openclaw models auth order clear --provider anthropic
# 
openclaw models status --probe --probe-provider anthropic --json
  1. If they all 401, move to Anthropic API key auth (recommended stable path for gateway):
  • set ANTHROPIC_API_KEY on gateway host (~/.openclaw/.env)
  • restart gateway
  • re-run probe
  1. If you must stay on subscription token, this is likely upstream token-policy/account behavior after the plan/account change; you’ll need Anthropic support for that token rejection.

If you want maintainer triage too, file here (redact secrets):
https://github.com/openclaw/openclaw/issues

And include this probe output + openclaw --version.

#

This log is definitive now:

  • OpenClaw reaches Anthropic
  • Anthropic replies 401 authentication_error: Invalid bearer token
  • failover reason is auth

So yes — this is an upstream token rejection, not a local routing/cron/config bug.

One last clean retry (on the gateway host) is:

openclaw models auth order clear --provider anthropic
openclaw models auth setup-token --provider anthropic
openclaw models status --probe --probe-provider anthropic --json

If that still returns 401, then your subscription token path is not being accepted for API use on that account right now.

rigid quest
#

as you probably know Anthropic banned Oauth with 3rd party services.

So will the anthropic CLI setup work ?

If yes, help me set it up

last epochBOT
#

Yep — Anthropic CLI setup still works in OpenClaw.

What changed is mostly billing/policy: Anthropic subscription limits don’t cover third-party harnesses the old way anymore. For OpenClaw + Claude CLI, Anthropic now requires Extra Usage billing.

Quick setup (Claude CLI path)

  1. Check your version first (important):
openclaw --version
  1. On the gateway host, make sure Claude CLI is installed + logged in:
claude auth status
  1. Tell OpenClaw to use Anthropic via CLI auth:
# 
openclaw models auth login --provider anthropic --method cli --set-default
  1. Verify it switched:
openclaw models status

You should see primary model under claude-cli/....

  1. Restart gateway (if needed):
openclaw gateway restart
#

If you’re currently seeing HTTP 401 ... Invalid bearer token, that’s usually old Anthropic token auth. The CLI flow above is the right migration path.

Docs:

If you want, paste the outputs of:

  • openclaw --version
  • claude auth status
  • openclaw models status

…and I’ll pinpoint exactly what’s still misconfigured.

rigid quest
#

OpenClaw 2026.4.2

claude auth status
{
"loggedIn": true,
"authMethod": "claude.ai",
"apiProvider": "firstParty",
"email": "redacted",
"orgId": "redacted-c58e62c85ba1",
"orgName": null,
"subscriptionType": "max"
}

I ran the cli update command line

openclaw models status

🦞 OpenClaw 2026.4.2 (d74a122) — Your config is valid, your assumptions are not.

Config : ~/.openclaw/openclaw.json
Agent dir : ~/.openclaw/agents/main/agent
Default : claude-cli/claude-sonnet-4-6
Fallbacks (1) : claude-cli/claude-sonnet-4-6
Image model : -
Image fallbacks (0): -
Aliases (1) : sonnet -> claude-cli/claude-sonnet-4-6
Configured models (2): anthropic/claude-sonnet-4-6, claude-cli/claude-sonnet-4-6

Auth overview
Auth store : ~/.openclaw/agents/main/agent/auth-profiles.json
Shell env : off
Providers w/ OAuth/tokens (1): anthropic (3)

  • anthropic effective=profiles:~/.openclaw/agents/main/agent/auth-profiles.json | profiles=3 (oauth=0, token=3, api_key=0) | anthropic:default=token:sk-ant-o...mrysLE8o, anthropic:manual=token:sk-ant-o...SAqxG4Fl, anthropic:new=token:sk-ant-o...B6DbHi9r

Missing auth

  • claude-cli openclaw configure or set an API key env var.

OAuth/token status

  • anthropic
    • anthropic:default static
    • anthropic:manual static
    • anthropic:new static
last epochBOT
#

Nice, thanks for sharing outputs — this is super helpful.

You’re close.
Your default model is now claude-cli/..., but two things can still cause that 401 behavior:

  1. Current chat/session may still be pinned to old anthropic/... state
  2. Gateway service may not actually be able to use claude (PATH/user/env mismatch)

Try this exact sequence:

# 1) Verify the claude binary path
command -v claude

# 2) Restart gateway so model/auth changes are definitely live
openclaw gateway restart
# 

# 3) Smoke test claude-cli path directly through OpenClaw
openclaw agent --message "Reply with OK only" --model claude-cli/claude-sonnet-4-6

Then in this Discord thread:

/new
/model claude-cli/claude-sonnet-4-6
/model status

If /model status still shows anthropic/..., that explains the 401.

If it still fails, run:

rigid quest
#

/new
/model claude-cli/claude-sonnet-4-6
/model status

#

~ % command -v claude
/.local/bin/claude
~ % openclaw agent --message "Reply with OK only" --model claude-cli/claude-sonnet-4-6

error: unknown option '--model'

last epochBOT
#

You’re absolutely right — my bad.
On 2026.4.2, openclaw agent does not take --model.

Use this instead:

openclaw agent --agent main --message "Reply with OK only"

That uses your current default model (claude-cli/claude-sonnet-4-6).

What this tells us

  • If it replies OK: CLI backend works, and your Discord thread is likely still on old session state.
    Then in Discord run:
# 
/new
/model status
/model claude-cli/claude-sonnet-4-6
  • If it errors (missing auth / anthropic 401): gateway is still not properly using Claude CLI backend.
    Run:
openclaw configure --section model

Re-select Anthropic Claude CLI, then restart:

openclaw gateway restart
openclaw models status
rigid quest
#

still not working. Went through everything and still getting this:

openclaw agent --agent main --message "Reply with OK only"

🦞 OpenClaw 2026.4.2 (d74a122)
I can grep it, git blame it, and gently roast it—pick your coping mechanism.



Gateway agent failed; falling back to embedded: GatewayClientRequestError: FailoverError: Unknown model: claude-cli/claude-sonnet-4-6
19:21:06+02:00 [diagnostic] lane task error: lane=main durationMs=628 error="FailoverError: Unknown model: claude-cli/claude-sonnet-4-6"
19:21:06+02:00 [diagnostic] lane task error: lane=session:agent:main:main durationMs=631 error="FailoverError: Unknown model: claude-cli/claude-sonnet-4-6"
19:21:06+02:00 [model-fallback/decision] model fallback decision: decision=candidate_failed requested=claude-cli/claude-sonnet-4-6 candidate=claude-cli/claude-sonnet-4-6 reason=model_not_found next=none
FailoverError: Unknown model: claude-cli/claude-sonnet-4-6

last epochBOT
#

Perfect, this error finally narrows it down.

Unknown model: claude-cli/claude-sonnet-4-6 means this is not auth anymore — it means the claude-cli provider/backend is not registered on your gateway runtime.

Do this in order:

# 1) Ensure Anthropic bundled plugin is enabled
openclaw plugins enable anthropic

# 2) Explicitly register claude-cli backend command path
openclaw config set 'agents.defaults.cliBackends["claude-cli"].command' "/Users/guillaumejorge/.local/bin/claude"

# 3) Restart gateway
openclaw gateway restart
# 
# 4) Check plugin/runtime health
openclaw plugins doctor
openclaw models status

# 5) Retest
openclaw agent --agent main --message "Reply with OK only"

If step 2 complains about the config path syntax, use the interactive fallback:

openclaw configure --section model

Then choose Anthropic Claude CLI again and set command to:
/Users/guillaumejorge/.local/bin/claude