[BUG] Claude Code Max OAuth credentials rejected - missing identifying headers

[shekohex]

Bug Report

Claude Code Max OAuth authentication fails with error: "This credential is only authorized for use with Claude Code and cannot be used for other API requests."

Environment

• claude-code-mux version: latest (commit f3f5fd7)
• Provider: Anthropic (OAuth - Claude Code Max)
• OAuth token: Successfully loaded and valid

Reproduction

1. Authenticate via OAuth using Claude Code Max subscription
2. Configure provider with auth_type = "oauth" and oauth_provider = "anthropic-max"
3. Make API request to Claude model
4. Observe error from Anthropic API

Logs

2025-11-19T22:45:39.235367Z  INFO ccm::server: Loaded 1 OAuth tokens from storage
2025-11-19T22:45:52.898872Z  INFO ccm::server: Found 2 provider mappings for model: claude-sonnet-4.5
2025-11-19T22:45:52.898876Z  INFO ccm::server: Trying mapping 1/2: provider=claude-max-main, actual_model=claude-sonnet-4-5-20250929
2025-11-19T22:45:53.304162Z  INFO ccm::server: Provider claude-max-main failed: Provider API error: 400 - claude-max-main API error: {"type":"error","error":{"type":"invalid_request_error","message":"This credential is only authorized for use with Claude Code and cannot be used for other API requests."},"request_id":"req_011CVJ4RtkjqxsfEdexwMoZR"}, trying next fallback

Current Implementation

File: src/providers/anthropic_compatible.rs (lines 215-219)

OAuth requests currently send:

• Authorization: Bearer {access_token}
• anthropic-version: 2023-06-01
• anthropic-beta: oauth-2025-04-20,claude-code-20250219,interleaved-thinking-2025-05-14,fine-grained-tool-streaming-2025-05-14
• Content-Type: application/json

According to analysis of the official opencode-anthropic-auth package, these headers are correct and match the official implementation.

Possible Causes

Since headers are correct, the issue must be:

1. Request body format - CCM might be sending incorrect request body structure
2. Endpoint URL - Verify endpoint is exactly https://api.anthropic.com/v1/messages
3. OAuth token issues - Token might not have correct scopes or might be acquired differently
4. Request transformation - Something in the Anthropic→Claude translation might be incompatible

Alternative Solution: create_api_key Flow

The codebase includes a create_api_key method (src/auth/oauth.rs line 533) that creates an API key from the OAuth token:

pub async fn create_api_key(&self, provider_id: &str) -> Result<String> {
    let access_token = self.get_valid_token(provider_id).await?;
    
    let response = self.http_client
        .post("https://api.anthropic.com/api/oauth/claude_cli/create_api_key")
        .header("Content-Type", "application/json")
        .header("Authorization", format!("Bearer {}", access_token))
        // ...
}

This method exists but is never called. The official OpenCode implementation offers this as an alternative authentication method labeled "Create an API Key".

Possible workaround:

1. On OAuth token acquisition, call create_api_key() to get an API key
2. Store the API key alongside the OAuth token
3. Use the API key for API requests instead of the OAuth token
4. Refresh API key when OAuth token is refreshed

Additional Context

README claims Claude Code Max is supported:

Yes! Claude Code Mux supports OAuth 2.0 authentication for all three providers:

• Claude Pro/Max: Providers tab → Add Provider → Select "Anthropic" → Choose "OAuth (Claude Pro/Max)"

The OAuth scopes include org:create_api_key, which suggests the create_api_key flow might be the intended approach.

References

• Official OAuth implementation: https://www.npmjs.com/package/opencode-anthropic-auth
• OpenCode Anthropic Auth source: https://github.com/sst/opencode-anthropic-auth

[shekohex]

Update: Analysis of Official Claude Code OAuth Implementation

Downloaded and analyzed the official opencode-anthropic-auth package (https://www.npmjs.com/package/opencode-anthropic-auth) used by Claude Code.

Key Findings

Headers sent by official implementation:

const headers = {
  ...init.headers,
  authorization: `Bearer ${auth.access}`,
  "anthropic-beta": "oauth-2025-04-20,claude-code-20250219,interleaved-thinking-2025-05-14,fine-grained-tool-streaming-2025-05-14",
};
delete headers["x-api-key"];

This is identical to what CCM is already sending! No User-Agent, no Origin, no Referer - just:

• Authorization: Bearer {token}
• anthropic-beta: oauth-2025-04-20,claude-code-20250219,...

OAuth Configuration

Official implementation uses same OAuth config:

• Client ID: 9d1c250a-e61b-44d9-88ed-5944d1962f5e (same as CCM)
• Token URL: https://console.anthropic.com/v1/oauth/token (same as CCM)
• Scopes: org:create_api_key user:profile user:inference (same as CCM)

Two Authentication Flows

OpenCode provides two options:

1. "Claude Pro/Max" (Direct OAuth)

async fetch(input, init) {
  // Refresh token if needed
  if (!auth.access || auth.expires < Date.now()) {
    // ... refresh logic
  }
  
  const headers = {
    ...init.headers,
    authorization: `Bearer ${auth.access}`,
    "anthropic-beta": "oauth-2025-04-20,claude-code-20250219,...",
  };
  delete headers["x-api-key"];
  return fetch(input, { ...init, headers });
}

2. "Create an API Key" (OAuth → API Key)

const result = await fetch(
  `https://api.anthropic.com/api/oauth/claude_cli/create_api_key`,
  {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      authorization: `Bearer ${credentials.access}`,
    },
  },
).then((r) => r.json());
return { type: "success", key: result.raw_key };

This matches CCM's create_api_key method that's currently unused.

Implications

Since CCM is sending the exact same headers as the official implementation, the issue must be elsewhere:

1. Request body format - Need to verify CCM's request body matches Anthropic's expected format
2. Endpoint URL - Need to verify endpoint is exactly https://api.anthropic.com/v1/messages
3. OAuth token differences - Perhaps the token acquisition flow differs somehow
4. Token scopes - Need to verify the acquired token has the correct scopes

Next Steps

1. Compare CCM's actual API request (full request dump) with what OpenCode sends
2. Verify the OAuth token being used has the correct scopes
3. Check if there are differences in how the request body is constructed
4. Consider implementing Flow Request: Gemini API support #2 (create_api_key) as a workaround, since that endpoint exists in CCM but is unused

Reference

Full source: https://www.npmjs.com/package/opencode-anthropic-auth (see index.mjs)

[9j]

It seems to be working correctly on my local setup.
If possible, could you run it with RUST_LOG=debug cargo run and share the debug logs here? That should help with troubleshooting.

[shekohex]

I tried it again, but this time after creating a new terminal, it worked when I used it with Claude code. However, it did not work when I tried to use curl, exactly like how you show it in the README. All other models work without issues when using curl, except for claude ones, maybe because using it with curl does not send the custom headers by default?

[luke3butler]

When using a subscription oauth token, the anthropic API looks for a specific string in the system prompt.

charmbracelet/crush#457 (comment)

[sebyx07]

look at how they extract the api key: https://github.com/taciturnaxolotl/anthropic-api-key/