ROOH/openclaw_oauth_sync
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
5382ba4999
openclaw_oauth_sync/docs/FIELD-MAPPING.md
sol 0b94cb8fd5 policies: add standard policy files, formatting, and secret scanning 
- Add .editorconfig, .prettierrc, .prettierignore, .gitignore
- Add Makefile with fmt, fmt-check, secret-scan, test (skip) targets
- Add package.json with prettier
- Add tools/secret-scan.sh
- Add .secret-scan-allowlist for documentation token format references
- Sanitize documentation to use generic placeholders
- Auto-format with prettier
- make check passes clean
2026-03-01 07:28:54 +00:00

3.5 KiB
Raw Blame History

Credential Field Mapping Reference

Claude CLI format (.credentials.json)

Written by Claude Code CLI when it refreshes the token.

{
  "claudeAiOauth": {
    "accessToken": "<access-token-value>",
    "refreshToken": "<refresh-token-value>",
    "expiresAt": 1772120060006,
    "scopes": ["user:inference", "user:mcp_servers", "user:profile", "user:sessions:claude_code"],
    "subscriptionType": "max",
    "rateLimitTier": "default_claude_max_5x"
  }
}

OpenClaw format (oauth.json)

Read by the gateway's mergeOAuthFileIntoStore() on startup.

{
  "anthropic": {
    "access": "<access-token-value>",
    "refresh": "<refresh-token-value>",
    "expires": 1772120060006,
    "scopes": ["user:inference", "user:mcp_servers", "user:profile", "user:sessions:claude_code"],
    "subscriptionType": "max",
    "rateLimitTier": "default_claude_max_5x"
  }
}

Field name mapping

Claude CLI OpenClaw Notes
accessToken access The OAuth access token (<access-token-value>)
refreshToken refresh The refresh token (<refresh-token-value>)
expiresAt expires Unix timestamp in milliseconds
scopes scopes Same format (array of strings)
subscriptionType subscriptionType Same ("max")
rateLimitTier rateLimitTier Same ("default_claude_max_5x")

.env format

Single env var, only the access token (no refresh/expiry):

ANTHROPIC_OAUTH_TOKEN="<access-token-value>"

Auth profiles format (CORRECT)

{
  "profiles": {
    "anthropic:default": {
      "type": "oauth",
      "provider": "anthropic",
      "access": "<access-token-value>"
    }
  }
}

Auth profiles format (BROKEN)

{
  "profiles": {
    "anthropic:default": {
      "type": "oauth",
      "provider": "anthropic",
      "key": "<access-token-value>"
    }
  }
}

Why it's broken: isValidProfile() for type: "oauth" checks cred.access, not cred.key. The profile is silently skipped, and auth falls through to the ANTHROPIC_OAUTH_TOKEN env var. This works by accident but means the auth profile system isn't being used properly.

File locations

File Host Path Container Path
Claude CLI creds /root/.openclaw/workspaces/workspace-claude-proxy/config/.claude/.credentials.json /root/.claude/.credentials.json (claude-proxy)
OpenClaw oauth /root/.openclaw/credentials/oauth.json /home/node/.openclaw/credentials/oauth.json (gateway)
.env /root/openclaw/.env loaded as env vars at container creation
Auth profiles /root/.openclaw/agents/<agent>/agent/auth-profiles.json /home/node/.openclaw/agents/<agent>/agent/auth-profiles.json (gateway)