Skip to content

feat(auth): sync OAuth credentials from Claude CLI and Codex CLI#374

Closed
pepicrft wants to merge 1 commit intoopenclaw:mainfrom
pepicrft:feat/sync-oauth-from-cli-locations
Closed

feat(auth): sync OAuth credentials from Claude CLI and Codex CLI#374
pepicrft wants to merge 1 commit intoopenclaw:mainfrom
pepicrft:feat/sync-oauth-from-cli-locations

Conversation

@pepicrft
Copy link
Copy Markdown
Contributor

@pepicrft pepicrft commented Jan 7, 2026

Summary

  • Automatically read OAuth tokens from Claude CLI (~/.claude/.credentials.json) and Codex CLI (~/.codex/auth.json)
  • Sync fresher tokens into clawdbot's auth store on every load
  • Eliminates "refresh_token_reused" errors when multiple CLI tools share OAuth credentials

Problem

OAuth refresh tokens are single-use. When Claude CLI, Codex CLI, and Clawdbot all share the same OAuth credentials but store them separately, the first tool to refresh invalidates the others' stored refresh tokens. This causes persistent "OAuth token refresh failed" errors.

Solution

Instead of maintaining separate credential copies, clawdbot now reads directly from CLI credential files:

  • ~/.claude/.credentials.json for Anthropic OAuth
  • ~/.codex/auth.json for OpenAI Codex OAuth

On every auth store load, clawdbot checks if CLI tools have fresher tokens and syncs them automatically.

Test plan

  • Added 3 new tests covering Claude CLI sync, Codex CLI sync, and no-overwrite scenarios
  • All existing tests pass
  • Lint passes

Fixes #323

🤖 Generated with Claude Code

@pepicrft
feat(auth): sync OAuth credentials from Claude CLI and Codex CLI
e3c6f1a 
Automatically read OAuth tokens from Claude CLI (~/.claude/.credentials.json)
and Codex CLI (~/.codex/auth.json) and sync them into clawdbot's auth store.

This solves the 'refresh_token_reused' issue when multiple tools share the same
OAuth credentials - since refresh tokens are single-use, when Claude CLI or
Codex CLI refreshes the token, clawdbot's stored refresh token becomes invalid.

Now clawdbot will automatically pick up fresh tokens from CLI tools on every
auth store load, eliminating the need for manual syncing or re-authentication.

Fixes openclaw#323
@steipete
Copy link
Copy Markdown
Contributor

steipete commented Jan 7, 2026

ohh we can just do that!? dayyymn. Need to think how this fits into multi-oauth, but all possible!

@steipete
Copy link
Copy Markdown
Contributor

steipete commented Jan 7, 2026

Landed on main as 7a91760.\n\n- Reworked to use source-labeled profiles: anthropic:claude-cli + openai-codex:codex-cli (no clobbering :default / API keys).\n- Surfaced these as auto-detected auth choices in onboarding/configure/agents.\n- Added/expanded tests + changelog entry.\n\nThanks @pepicrft!

@steipete steipete closed this Jan 7, 2026
@buddyh buddyh mentioned this pull request Jan 8, 2026
Closed
dgarson added a commit to dgarson/clawdbot that referenced this pull request Feb 9, 2026
@dgarson
Web: guard generic channel icons (openclaw#374)
c300736
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: OAuth token refresh failed for anthropic

2 participants

@pepicrft @steipete