openclaw/docs/gateway/authentication.md

---
summary: "Model authentication: OAuth, API keys, and Claude Code token reuse"
read_when:
  - Debugging model auth or OAuth expiry
  - Documenting authentication or credential storage
---
# Authentication

Clawdbot supports OAuth and API keys for model providers. For Anthropic
subscription accounts, the most stable path is to **reuse Claude Code OAuth
credentials**, including the 1‑year token created by `claude setup-token`.

See [/concepts/oauth](/concepts/oauth) for the full OAuth flow and storage
layout.

## Recommended: long‑lived Claude Code token

Run this on the **gateway host** (the machine running the Gateway):

```bash
claude setup-token
```

This issues a long‑lived **OAuth token** (not an API key) and stores it for
Claude Code. Then sync and verify:

```bash
clawdbot models status
clawdbot doctor
```

Automation-friendly check (exit `1` when expired/missing, `2` when expiring):

```bash
clawdbot models status --check
```

Optional ops scripts (systemd/Termux) are documented here:
[/automation/auth-monitoring](/automation/auth-monitoring)

`clawdbot models status` loads Claude Code credentials into Clawdbot’s
`auth-profiles.json` and shows expiry (warns within 24h by default).
`clawdbot doctor` also performs the sync when it runs.

> `claude setup-token` requires an interactive TTY.

## Checking model auth status

```bash
clawdbot models status
clawdbot doctor
```

## How sync works

1. **Claude Code** stores credentials in `~/.claude/.credentials.json` (or
   Keychain on macOS).
2. **Clawdbot** syncs those into
   `~/.clawdbot/agents/<agentId>/agent/auth-profiles.json` when the auth store is
   loaded.
3. OAuth refresh happens automatically on use if a token is expired.

## Troubleshooting

### “No credentials found”

If the Anthropic OAuth profile is missing, run `claude setup-token` on the
**gateway host**, then re-check:

```bash
clawdbot models status
```

### Token expiring/expired

Run `clawdbot models status` to confirm which profile is expiring. If the profile
is `anthropic:claude-cli`, rerun `claude setup-token`.

## Requirements

- Claude Max or Pro subscription (for `claude setup-token`)
- Claude Code CLI installed (`claude` command available)
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+								---
 								summary: "Model authentication: OAuth, API keys, and Claude Code token reuse"
 								read_when:
 								  - Debugging model auth or OAuth expiry
 								  - Documenting authentication or credential storage
 								---
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
+								# Authentication
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+								Clawdbot supports OAuth and API keys for model providers. For Anthropic
 								subscription accounts, the most stable path is to **reuse Claude Code OAuth
 								credentials**, including the 1‑year token created by `claude setup-token`.
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+								See [/concepts/oauth](/concepts/oauth) for the full OAuth flow and storage
 								layout.
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+								## Recommended: long‑lived Claude Code token
 								Run this on the **gateway host** (the machine running the Gateway):
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
 								```bash
 								claude setup-token
 								```
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+								This issues a long‑lived **OAuth token** (not an API key) and stores it for
 								Claude Code. Then sync and verify:
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
 								```bash
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+								clawdbot models status
 								clawdbot doctor
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
+								```
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+								Automation-friendly check (exit `1` when expired/missing, `2` when expiring):
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
 								```bash
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+								clawdbot models status --check
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
+								```
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+								Optional ops scripts (systemd/Termux) are documented here:
 								[/automation/auth-monitoring](/automation/auth-monitoring)
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+								`clawdbot models status` loads Claude Code credentials into Clawdbot’s
 								`auth-profiles.json` and shows expiry (warns within 24h by default).
 								`clawdbot doctor` also performs the sync when it runs.
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+								> `claude setup-token` requires an interactive TTY.
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+								## Checking model auth status
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
 								```bash
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+								clawdbot models status
 								clawdbot doctor
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
+								```
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+								## How sync works
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+. **Claude Code** stores credentials in `~/.claude/.credentials.json` (or
 								   Keychain on macOS).
 . **Clawdbot** syncs those into
 								   `~/.clawdbot/agents/<agentId>/agent/auth-profiles.json` when the auth store is
 								   loaded.
 . OAuth refresh happens automatically on use if a token is expired.
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+								## Troubleshooting
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+								### “No credentials found”
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+								If the Anthropic OAuth profile is missing, run `claude setup-token` on the
 								**gateway host**, then re-check:
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
 								```bash
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+								clawdbot models status
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
+								```
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+								### Token expiring/expired
 								Run `clawdbot models status` to confirm which profile is expiring. If the profile
 								is `anthropic:claude-cli`, rerun `claude setup-token`.
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
+								## Requirements
-												feat(models): add oauth auth health

											
										
										
											2026-01-09 00:32:48 +00:00
+								- Claude Max or Pro subscription (for `claude setup-token`)
-												docs: add authentication guide with 1-year token setup

											
										
										
											2026-01-09 09:42:05 +10:30
+								- Claude Code CLI installed (`claude` command available)