fix: align claude oauth request shape#11
Conversation
|
Why this is a better long-term fix than PR #10 alone PR #10 fixes tool call naming by prefixing oc_ and de-prefixing in the stream. That helps tool routing after a request is accepted, but it doesn’t address the OAuth rejection happening before any tool calls are processed. The 400 error (credential only authorized for use with Claude Code…) is returned directly from /v1/messages. This PR fixes the actual request-signature mismatch that Anthropic is enforcing for Claude Code OAuth tokens:
So it targets the auth acceptance criteria, not just tool call formatting. We keep the tool prefix change because it’s still useful, but without the request-shape alignment, OAuth tokens are rejected before tools are even considered. This makes the fix more robust and future-proof against further Claude Code OAuth enforcement. If desired, we can still iterate on tool naming (e.g., {name}_tool / PascalCase) in a follow-up, but this request-shape alignment is the prerequisite for OAuth access to work at all. |
|
Why is claude-code-20250219 conditional on incoming headers rather than always included? |
|
I'm still trying to wrap my head around this issue. I just got into opencode a few days ago because of Oh My Opencode. Could someone please help me understand what the issue is and how #10 and #11 fix things? All I think I know is that Anthropic is trying to restrict tools like opencode from pretending to be claude code, and these PRs somehow help obfuscate the api requests that get sent to them somehow?? Anyone know how to get unblocked on this issue: 
Edit: ok I think I'm starting to understand after @harshav167 's latest comment. Thanks! |
|
@JimiHFord Anthropic are claiming that third party CLI tools violate their TOS (I couldn't actually find any violations reading it as its still user-based interaction), and they want to control usage within Claude code as their Max products lose money, Claude code is closed-source so nobody can contribute/improve it and its a sub-par tool. |
|
@rekram1-node I made claude-code-20250219 conditional because in captures Claude Code sometimes sends only oauth-2025-04-20 + interleaved-thinking. The goal was to keep the request signature as close as possible to what the caller already requested. OpenCode currently includes claude-code-20250219, so behavior is unchanged in practice. |
|
incredible - thanks so much!! attempting right now. I'm assuming I'll have to uninstall opencode and install from source so I can follow this comment? |
|
Note on testing: you can override the plugin via config now (no core source edits needed): // ~/.config/opencode/opencode.jsonc
"plugin": [
"file:///path/to/opencode-anthropic-auth/index.mjs"
]This loads the local plugin without touching opencode core. |
|
@rekram1-node from what I can see the claude-code-20250219 is only included on sonnet and opus model calls, not haiku |
|
ah! ok I think I'm following now, thanks @harshav167 ! |
|
Update on testing config override: built-in plugins are appended after config plugins, so a config entry alone won’t override the built-in anthropic plugin. To use a local plugin without editing opencode source, set Also: once this PR is merged and the plugin is published, official OpenCode installs will pull the updated |
|
Tested this locally and it works great! Setup:
Thanks for the fix! 🙏 |
youre in the wrong branch in the picture broski |
|
Can we not keep the renaming? #10 (comment) One could easily just check for |
@harshav167 which one is the right branch? 😅 |
@Sewer56 that was my first thought too |
✅ Confirmed Working!Just applied this fix on Ubuntu VPS and authentication is working perfectly now. Thanks for the quick fix and merge! Setup Details:
Result: OAuth authentication now works without errors! 🎉 The fix properly aligns the request signature with Claude Code by adding the Thanks @harshav167 for creating this fix and @rekram1-node for the quick merge! |
|
@Sewer56 @JimiHFord short answer: we can match CC tool names, but it’s not required to fix the OAuth rejection. The 400 is returned before any tool calls are processed; this PR fixes the request signature so tokens are accepted. I kept |
|
Bumped version to 0.0.7 and installed. Back in business! Thanks for the quick work! |
|
@harshav167 I am aware, however. If we keep the |
|
^^ this is a good point and should be fixed before people use it |
|
@Sewer56 @rekram1-node fair point. The oc_ prefix is easy to fingerprint. PR #10 already merged that behavior, but I agree we should replace it with a less obvious mapping. Proposal for follow‑up: map tool names to Claude Code conventions ({name}_tool / PascalCase) and strip any OpenCode‑specific prefixes entirely. That keeps tool calls working without advertising “OpenCode” in the payload. I kept oc_ in this PR only because it was already merged and this change is focused on unblocking OAuth at the request‑acceptance layer. |
|
You have to map to Claude Code conventions. Random strings won't cut it either as there is length, algorithm, etc., already encoded in these "random strings". |
youre more than welcome to do it bro 😊 |
|
Thanks @harshav167 , I thought I was going to have to use my human tokens |
Fixes Claude Code OAuth token authentication issues by aligning the request shape with what Anthropic's API expects for OAuth tokens. Changes: - Update User-Agent to match Claude CLI format: "claude-cli/VERSION (external, cli)" - Remove fine-grained-tool-streaming beta header (incompatible with OAuth) - Add tool name prefixing with "oc_" prefix to bypass tool validation - Strip prefix from tool names in responses for internal consistency - Prefix tool names in conversation history to match tool definitions The tool name prefixing is necessary because Anthropic's API validates tool names against a known list when using OAuth tokens. By prefixing with "oc_" we can use custom tool names while maintaining compatibility. Inspired by fixes from: - anomalyco/opencode-anthropic-auth#10 - anomalyco/opencode-anthropic-auth#11 Thanks to @anomalyco for the original research and implementation.
|
you're a godsend @harshav167 . made my day 🙏 |
|
is it possiable that we can use anthropic agent sdk to use the claude code subs? |
|
Sadly, it's back again |
|
Back for me too. Used to work for a few hours in between. |
Fixes Claude Code OAuth token authentication issues by aligning the request shape with what Anthropic's API expects for OAuth tokens. Changes: - Update User-Agent to match Claude CLI format: "claude-cli/VERSION (external, cli)" - Remove fine-grained-tool-streaming beta header (incompatible with OAuth) - Add tool name prefixing with "oc_" prefix to bypass tool validation - Strip prefix from tool names in responses for internal consistency - Prefix tool names in conversation history to match tool definitions The tool name prefixing is necessary because Anthropic's API validates tool names against a known list when using OAuth tokens. By prefixing with "oc_" we can use custom tool names while maintaining compatibility. Inspired by fixes from: - anomalyco/opencode-anthropic-auth#10 - anomalyco/opencode-anthropic-auth#11 Thanks to @anomalyco for the original research and implementation.
|
opencode itself seems to point to this PR as the one that kills the context-1m-2025-08-07 beta header that I add in my config when accessing /messages once again. I'm not sure I follow everything in the discussion here around that, but could that be fixed? I like my 1m context window and I presume claude code sends that header to get that context window too? :-/ |
16 participants
Summary
Why this over PR #10
PR #10 prefixes tool names, which helps tool-call routing, but the OAuth rejection happens before tool calls are processed. The 400 error is returned from /v1/messages itself. This change fixes the request signature mismatch (endpoint query + user-agent + beta list) so Claude Code OAuth tokens are accepted.
Notes
Test plan