Add complete OAuth token refresh and sync solution

- Setup wizard with auto-detection of OpenClaw paths and Claude CLI - Token sync watcher (inotifywait) for real-time credential updates - Auto-refresh trigger timer that runs Claude CLI every 30 min - Supports Claude CLI in Docker container or on host - Temporary ANTHROPIC_BASE_URL override for container environments - Anthropic model configuration for OpenClaw - Auth profile management (fixes key vs access field) - Systemd services and timers for both sync and trigger - Comprehensive documentation and troubleshooting guides - Re-authentication notification system Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-27 01:51:18 +07:00
parent 3ae5d5274a
commit 22731fff60
24 changed files with 2846 additions and 6 deletions
--- a/docs/FIELD-MAPPING.md
+++ b/docs/FIELD-MAPPING.md
@@ -0,0 +1,93 @@
+# Credential Field Mapping Reference
+
+## Claude CLI format (`.credentials.json`)
+
+Written by Claude Code CLI when it refreshes the token.
+
+```json
+{
+  "claudeAiOauth": {
+    "accessToken": "sk-ant-oat01-...",
+    "refreshToken": "sk-ant-ort01-...",
+    "expiresAt": 1772120060006,
+    "scopes": ["user:inference", "user:mcp_servers", "user:profile", "user:sessions:claude_code"],
+    "subscriptionType": "max",
+    "rateLimitTier": "default_claude_max_5x"
+  }
+}
+```
+
+## OpenClaw format (`oauth.json`)
+
+Read by the gateway's `mergeOAuthFileIntoStore()` on startup.
+
+```json
+{
+  "anthropic": {
+    "access": "sk-ant-oat01-...",
+    "refresh": "sk-ant-ort01-...",
+    "expires": 1772120060006,
+    "scopes": ["user:inference", "user:mcp_servers", "user:profile", "user:sessions:claude_code"],
+    "subscriptionType": "max",
+    "rateLimitTier": "default_claude_max_5x"
+  }
+}
+```
+
+## Field name mapping
+
+| Claude CLI | OpenClaw | Notes |
+|------------|----------|-------|
+| `accessToken` | `access` | The OAuth access token (`sk-ant-oat01-...`) |
+| `refreshToken` | `refresh` | The refresh token (`sk-ant-ort01-...`) |
+| `expiresAt` | `expires` | Unix timestamp in milliseconds |
+| `scopes` | `scopes` | Same format (array of strings) |
+| `subscriptionType` | `subscriptionType` | Same (`"max"`) |
+| `rateLimitTier` | `rateLimitTier` | Same (`"default_claude_max_5x"`) |
+
+## .env format
+
+Single env var, only the access token (no refresh/expiry):
+
+```
+ANTHROPIC_OAUTH_TOKEN="sk-ant-oat01-..."
+```
+
+## Auth profiles format (CORRECT)
+
+```json
+{
+  "profiles": {
+    "anthropic:default": {
+      "type": "oauth",
+      "provider": "anthropic",
+      "access": "sk-ant-oat01-..."
+    }
+  }
+}
+```
+
+## Auth profiles format (BROKEN)
+
+```json
+{
+  "profiles": {
+    "anthropic:default": {
+      "type": "oauth",
+      "provider": "anthropic",
+      "key": "sk-ant-oat01-..."
+    }
+  }
+}
+```
+
+**Why it's broken:** `isValidProfile()` for `type: "oauth"` checks `cred.access`, not `cred.key`. The profile is silently skipped, and auth falls through to the `ANTHROPIC_OAUTH_TOKEN` env var. This works by accident but means the auth profile system isn't being used properly.
+
+## File locations
+
+| File | Host Path | Container Path |
+|------|-----------|---------------|
+| Claude CLI creds | `/root/.openclaw/workspaces/workspace-claude-proxy/config/.claude/.credentials.json` | `/root/.claude/.credentials.json` (claude-proxy) |
+| OpenClaw oauth | `/root/.openclaw/credentials/oauth.json` | `/home/node/.openclaw/credentials/oauth.json` (gateway) |
+| .env | `/root/openclaw/.env` | loaded as env vars at container creation |
+| Auth profiles | `/root/.openclaw/agents/<agent>/agent/auth-profiles.json` | `/home/node/.openclaw/agents/<agent>/agent/auth-profiles.json` (gateway) |