shamid202 22731fff60 Add complete OAuth token refresh and sync solution

- Setup wizard with auto-detection of OpenClaw paths and Claude CLI
- Token sync watcher (inotifywait) for real-time credential updates
- Auto-refresh trigger timer that runs Claude CLI every 30 min
- Supports Claude CLI in Docker container or on host
- Temporary ANTHROPIC_BASE_URL override for container environments
- Anthropic model configuration for OpenClaw
- Auth profile management (fixes key vs access field)
- Systemd services and timers for both sync and trigger
- Comprehensive documentation and troubleshooting guides
- Re-authentication notification system

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-27 01:51:18 +07:00

2.7 KiB

Raw Blame History

Credential Field Mapping Reference

Claude CLI format (`.credentials.json`)

Written by Claude Code CLI when it refreshes the token.

{
  "claudeAiOauth": {
    "accessToken": "sk-ant-oat01-...",
    "refreshToken": "sk-ant-ort01-...",
    "expiresAt": 1772120060006,
    "scopes": ["user:inference", "user:mcp_servers", "user:profile", "user:sessions:claude_code"],
    "subscriptionType": "max",
    "rateLimitTier": "default_claude_max_5x"
  }
}

OpenClaw format (`oauth.json`)

Read by the gateway's mergeOAuthFileIntoStore() on startup.

{
  "anthropic": {
    "access": "sk-ant-oat01-...",
    "refresh": "sk-ant-ort01-...",
    "expires": 1772120060006,
    "scopes": ["user:inference", "user:mcp_servers", "user:profile", "user:sessions:claude_code"],
    "subscriptionType": "max",
    "rateLimitTier": "default_claude_max_5x"
  }
}

Field name mapping

Claude CLI	OpenClaw	Notes
`accessToken`	`access`	The OAuth access token (`sk-ant-oat01-...`)
`refreshToken`	`refresh`	The refresh token (`sk-ant-ort01-...`)
`expiresAt`	`expires`	Unix timestamp in milliseconds
`scopes`	`scopes`	Same format (array of strings)
`subscriptionType`	`subscriptionType`	Same (`"max"`)
`rateLimitTier`	`rateLimitTier`	Same (`"default_claude_max_5x"`)

.env format

Single env var, only the access token (no refresh/expiry):

ANTHROPIC_OAUTH_TOKEN="sk-ant-oat01-..."

Auth profiles format (CORRECT)

{
  "profiles": {
    "anthropic:default": {
      "type": "oauth",
      "provider": "anthropic",
      "access": "sk-ant-oat01-..."
    }
  }
}

Auth profiles format (BROKEN)

{
  "profiles": {
    "anthropic:default": {
      "type": "oauth",
      "provider": "anthropic",
      "key": "sk-ant-oat01-..."
    }
  }
}

Why it's broken: isValidProfile() for type: "oauth" checks cred.access, not cred.key. The profile is silently skipped, and auth falls through to the ANTHROPIC_OAUTH_TOKEN env var. This works by accident but means the auth profile system isn't being used properly.

File locations

File	Host Path	Container Path
Claude CLI creds	`/root/.openclaw/workspaces/workspace-claude-proxy/config/.claude/.credentials.json`	`/root/.claude/.credentials.json` (claude-proxy)
OpenClaw oauth	`/root/.openclaw/credentials/oauth.json`	`/home/node/.openclaw/credentials/oauth.json` (gateway)
.env	`/root/openclaw/.env`	loaded as env vars at container creation
Auth profiles	`/root/.openclaw/agents/<agent>/agent/auth-profiles.json`	`/home/node/.openclaw/agents/<agent>/agent/auth-profiles.json` (gateway)

2.7 KiB Raw Blame History