feat(models): add oauth auth health

This commit is contained in:
Peter Steinberger
2026-01-09 00:32:48 +00:00
parent bcec534e5e
commit 948ce5eb5f
19 changed files with 862 additions and 179 deletions

View File

@@ -1,79 +1,82 @@
---
summary: "Model authentication: OAuth, API keys, and Claude Code token reuse"
read_when:
- Debugging model auth or OAuth expiry
- Documenting authentication or credential storage
---
# Authentication
Clawdbot uses Claude Code's authentication system for API access. By default, OAuth tokens expire every ~24 hours, requiring frequent re-authentication. For a better experience, you can set up a long-lived token that lasts **1 year**.
Clawdbot supports OAuth and API keys for model providers. For Anthropic
subscription accounts, the most stable path is to **reuse Claude Code OAuth
credentials**, including the 1year token created by `claude setup-token`.
## Long-Lived Token Setup (Recommended)
See [/concepts/oauth](/concepts/oauth) for the full OAuth flow and storage
layout.
Instead of daily re-auth, set up a 1-year token:
## Recommended: longlived Claude Code token
Run this on the **gateway host** (the machine running the Gateway):
```bash
claude setup-token
```
This command will:
1. Prompt you to visit the Anthropic console
2. Create or copy an API key
3. Store it for Claude Code (and Clawdbot)
After running `setup-token`, sync the credentials to Clawdbot:
This issues a longlived **OAuth token** (not an API key) and stores it for
Claude Code. Then sync and verify:
```bash
clawdbot doctor --yes
clawdbot models status
clawdbot doctor
```
## Checking Auth Status
To check your current authentication status:
Automation-friendly check (exit `1` when expired/missing, `2` when expiring):
```bash
# If you have the auth scripts installed
~/clawdbot/scripts/claude-auth-status.sh
# Or check manually
cat ~/.claude/.credentials.json | jq '.claudeAiOauth.expiresAt'
clawdbot models status --check
```
## How It Works
Optional ops scripts (systemd/Termux) are documented here:
[/automation/auth-monitoring](/automation/auth-monitoring)
1. **Claude Code** stores credentials in `~/.claude/.credentials.json`
2. **Clawdbot** syncs from Claude Code to `~/.clawdbot/agents/main/agent/auth-profiles.json`
3. The `clawdbot doctor --yes` command triggers this sync automatically
`clawdbot models status` loads Claude Code credentials into Clawdbots
`auth-profiles.json` and shows expiry (warns within 24h by default).
`clawdbot doctor` also performs the sync when it runs.
## Token Types
> `claude setup-token` requires an interactive TTY.
| Type | Duration | Setup |
|------|----------|-------|
| OAuth (default) | ~24 hours | Automatic on first run |
| Long-lived token | 1 year | `claude setup-token` |
## Checking model auth status
```bash
clawdbot models status
clawdbot doctor
```
## How sync works
1. **Claude Code** stores credentials in `~/.claude/.credentials.json` (or
Keychain on macOS).
2. **Clawdbot** syncs those into
`~/.clawdbot/agents/<agentId>/agent/auth-profiles.json` when the auth store is
loaded.
3. OAuth refresh happens automatically on use if a token is expired.
## Troubleshooting
### "No credentials found" error
### No credentials found
Run the doctor to sync credentials:
If the Anthropic OAuth profile is missing, run `claude setup-token` on the
**gateway host**, then re-check:
```bash
clawdbot doctor --yes
clawdbot models status
```
Then restart the service:
### Token expiring/expired
```bash
systemctl --user restart clawdbot
```
### Token expired
If your token has expired, run `claude setup-token` again in a terminal (not from within Claude Code, as it requires an interactive TTY).
### Checking token expiry
```bash
# Check both Claude Code and Clawdbot auth
cat ~/.claude/.credentials.json | jq '.claudeAiOauth.expiresAt' | xargs -I{} date -d @$(({}/1000))
```
Run `clawdbot models status` to confirm which profile is expiring. If the profile
is `anthropic:claude-cli`, rerun `claude setup-token`.
## Requirements
- Claude Max or Pro subscription (for `setup-token`)
- Claude Max or Pro subscription (for `claude setup-token`)
- Claude Code CLI installed (`claude` command available)