#Anthropic CLI OAuth token rejected by API — "Third-party apps now draw from extra usage"

15 messages · Page 1 of 1 (latest)

ebon jasper
#

Setup: OpenClaw 2026.4.5 on Ubuntu/WSL2, running 10 agents. Claude CLI is logged in with a Max 20x subscription (wassim@horizonbrandsgroup.com). claude auth status shows loggedIn: true, authMethod: claude.ai, subscriptionType: max.

What I did:

  1. Read the OAuth token from ~/.claude/.credentials.json (sk-ant-oat01-* access token + refresh token)
  2. Created an anthropic:cli-oauth auth profile with type: "oauth" in each agent's auth-profiles.json
  3. Set auth order to prefer cli-oauth first via openclaw models auth order set
  4. openclaw models status --probe showed the profile as ok and even displayed subscription quota: 5h 100% left · Week 100% left

What happened at runtime:
When the gateway actually tried to use the OAuth token for an API request, Anthropic returned a 400 error:

"Third-party apps now draw from your extra usage, not your plan limits. We've added a $200 credit to get you started. Claim it at claude.ai/settings/usage and keep going."

The gateway then failed over to the API key profile (which worked fine).

Question: Is there any way to use a Claude Max subscription with OpenClaw after the April 4 policy change? The docs say "Claude CLI reuse is sanctioned" but Anthropic's API is explicitly rejecting the OAuth token from third-party apps. Has anyone found a workaround, or is API key + prompt caching the only viable path now?

OpenClaw version: 2026.4.5 (3e72c03)

tidal oceanBOT
#

Short version, for direct anthropic/* API calls, no, not in the old “use Max plan limits” sense.

What you hit matches Anthropic’s current behavior:

  • Claude OAuth or setup-token creds used by a third-party app hit api.anthropic.com
  • those now draw from Extra Usage, not your Pro/Max quota
  • so a copied OAuth token in auth-profiles.json is not a real Max-plan workaround anymore

So the practical answer is:

  • anthropic/... + OAuth token: not viable if your goal is “bill against Max plan”
  • Extra Usage credit: may let it run, but that is separate paid usage, not subscription quota
  • Best stable path for 10 agents: Anthropic API key, plus prompt caching/fallbacks
  • Only subscription-style path left: use the local Claude CLI backend, meaning OpenClaw reuses Claude CLI and runs through claude -p, instead of sending the OAuth token directly to Anthropic’s API

One important gotcha, openclaw models status --probe can show the profile as healthy, but that does not prove real runtime Messages API calls will stay on subscription billing.

The docs are a bit fuzzy here. “Sanctioned” currently seems to mean “OpenClaw supports this integration path”, not “third-party API calls still consume Max plan limits”.

ebon jasper
#

Yes please outline the clean migration to the Claude CLI backend. I have 10 agents on OpenClaw 2026.4.5. Claude CLI is already installed and logged in with Max 20x. When I tried putting claude-cli config in agents.defaults.cliBackends, the gateway rejected it with "Unrecognized key: cliBackends" and openclaw doctor actively removes claude-cli/* model refs. What is the correct config structure for 2026.4.5?

tidal oceanBOT
#

Yep, you found the gotcha.

On 2026.4.5, the correct Claude CLI backend config is: none.
That release had the bundled claude-cli backend removed, so:

  • agents.defaults.cliBackends is not a valid schema key there
  • claude-cli/* model refs get treated as stale
  • openclaw doctor intentionally rewrites them back to anthropic/* or removes them

So you are not misconfiguring it, you’re fighting a version gap.

Clean migration path

If you want Claude CLI backend

You need to upgrade to at least 2026.4.7 (or newer). That is where the Claude CLI backend/config came back.

Then do this:

#
  1. Upgrade OpenClaw
  2. Re-run onboarding/configure
    • choose Anthropic Claude CLI
  3. Let OpenClaw switch the default model to the local claude-cli/... backend
  4. Keep your Anthropic API key profile around as fallback if you want predictable failover

After upgrading, the config shape is

{
  agents: {
    defaults: {
      cliBackends: {
        "claude-cli": {
          command: "/full/path/to/claude"
        }
# 
      },
      model: {
        primary: "claude-cli/..."
      },
      models: {
        "claude-cli/...": {}
      }
    }
  }
}

A couple of notes:

  • If the gateway service can already find claude on PATH, the command line may not be needed.
  • On daemonized setups, a full path is usually safer.
#
  • Do not keep manually copying Claude OAuth tokens into auth-profiles.json for this path. Claude CLI backend is the native route, not direct Anthropic API OAuth replay.

My recommendation for your 10-agent setup

  • Fleet-wide stable option: Anthropic API key
  • If you want to test Max reuse: upgrade, then move one agent first to Claude CLI backend
  • Once that works, expand to the rest

Docs:

If you want, I can give you a before/after config example for upgrading one of your 10 agents without breaking the others.

ebon jasper
#

Yes please give me a before/after config example for upgrading one agent to the Claude CLI backend. Also — I am currently on OpenClaw 2026.4.5 which rejects agents.defaults.cliBackends as an unrecognized key. The latest available is 2026.4.14. Would upgrading to 2026.4.14 fix the cliBackends validation error, or was that config key removed intentionally in the 2026.4.x series?

tidal oceanBOT
#

Yes, upgrading to 2026.4.14 should fix the cliBackends validation error.

What happened in this series was:

  • 2026.4.5: claude-cli backend was intentionally removed, so agents.defaults.cliBackends was invalid there
  • 2026.4.7+: it was restored
  • 2026.4.14: the key exists again, so this is the version I’d use for your migration

So the short answer is: 2026.4.5 rejects it on purpose, 2026.4.14 should accept it again.

Before, all agents on API-backed Anthropic

{
  agents: {
    defaults: {
# 
      model: {
        primary: "anthropic/claude-sonnet-4-6",
        fallbacks: ["anthropic/claude-opus-4-6", "openai/gpt-5.4"],
      },
      models: {
        "anthropic/claude-sonnet-4-6": { alias: "Sonnet" },
        "anthropic/claude-opus-4-6": { alias: "Opus" },
        "openai/gpt-5.4": {},
      },
    },
    list: [
      { id: "main", default: true },
      { id: "research" },
      { id: "ops" },
    ],
# 
  },
}

After, migrate just one agent to Claude CLI backend

{
  agents: {
    defaults: {
      cliBackends: {
        "claude-cli": {
          command: "/full/path/to/claude",
        },
      },
# 

      model: {
        primary: "anthropic/claude-sonnet-4-6",
        fallbacks: ["anthropic/claude-opus-4-6", "openai/gpt-5.4"],
      },

      models: {
        "anthropic/claude-sonnet-4-6": { alias: "Sonnet" },
        "anthropic/claude-opus-4-6": { alias: "Opus" },

        "claude-cli/claude-sonnet-4-6": {},
        "claude-cli/claude-opus-4-6": {},

        "openai/gpt-5.4": {},
      },
# 
    },

    list: [
      { id: "main", default: true },

      // only this agent switches to Claude CLI
      {
        id: "research",
        model: "claude-cli/claude-sonnet-4-6",
      },

      { id: "ops" },
    ],
  },
}
#

Why this works

  • agents.defaults.cliBackends registers the backend
  • agents.defaults.models must include the claude-cli/... refs if you use a model allowlist
  • agents.list[].model lets you move one agent without changing the other 9
  • because research.model is a string, it only overrides the primary model and still inherits your default fallbacks

A few practical notes

  • On daemonized setups, use the full path to claude, not just claude
  • You do not need to copy Claude OAuth tokens into auth-profiles.json for this path
  • I’d keep your Anthropic API key setup in place as rollback/fallback while testing one agent

Docs: