Skip to content

Usage tracking broken for setup-token auth (missing user:profile scope) #4614

New issue
New issue
Open
Open
Usage tracking broken for setup-token auth (missing user:profile scope)#4614
Labels
bugSomething isn't workingstaleMarked as stale due to inactivity
@GodsBoy

Description

@GodsBoy
GodsBoy
opened on Jan 30, 2026

Problem

OpenClaw's onboard wizard uses claude setup-token to authenticate with Anthropic. However, setup-token only requests the user:inference scope. Usage tracking (showing plan usage in /status) requires the user:profile scope, which is only granted by the full claude login browser OAuth flow.

This means all Claude Max/Pro users who onboard via setup-token lose usage visibility in /status. The OAuth usage endpoint returns:

HTTP 403: OAuth token does not meet scope requirement user:profile

Impact

  • All users onboarded via setup-token (the default Anthropic auth path) cannot see usage tracking
  • The error message is not actionable — users don't know how to fix it
  • The existing fallback to claude.ai web session key requires a separate env var most users won't have

Root Cause

This is an upstream limitation in Claude Code CLI:

  • claude setup-token only requests user:inference scope
  • claude login (full browser OAuth) requests all scopes including user:profile
  • The Anthropic OAuth usage endpoint (/api/oauth/usage) requires user:profile

Related Claude Code issues:

Proposed Fix

  1. Actionable error message: When usage tracking fails with the scope error and no web fallback is available, show a clear message: "setup-token missing user:profile scope — run \claude login` (full OAuth) to enable usage tracking"instead of the genericHTTP 403` error.

  2. Post-onboard warning: After setup-token onboarding completes, display a note informing users that usage tracking requires the full OAuth flow and how to upgrade.

Workaround

Users can work around this by:

  1. Running claude login on a machine with a browser (full OAuth flow)
  2. Using openclaw models auth paste-token to import the resulting token
  3. Or setting CLAUDE_AI_SESSION_KEY env var with a claude.ai browser session key

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingstaleMarked as stale due to inactivity

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions