fix: restore claude cli guidance and doctor behavior

Peter Steinberger
2026-04-06 14:20:51 +01:00
parent 445133b865
commit d378a504ac
23 changed files with 108 additions and 446 deletions

View File

@@ -1478,20 +1478,14 @@ Tip: the owner-only `gateway` runtime tool still refuses to rewrite `tools.exec.
See [/concepts/models](/concepts/models) for fallback behavior and scanning strategy.
Billing note: for Anthropic in OpenClaw, the practical split is **API key** or
**Claude subscription with Extra Usage**. Anthropic notified OpenClaw users on
**April 4, 2026 at 12:00 PM PT / 8:00 PM BST** that the **OpenClaw**
Claude-login path counts as third-party harness usage and requires
**Extra Usage** billed separately from the subscription. Our local repros also
show the OpenClaw-identifying prompt string does not reproduce on the
Anthropic SDK + API-key path. For production, prefer an Anthropic API key or
another supported subscription-style provider such as OpenAI Codex, Alibaba
Cloud Model Studio Coding Plan, MiniMax Coding Plan, or Z.AI / GLM Coding
Plan.
Anthropic note: Anthropic staff told us OpenClaw-style Claude CLI usage is
allowed again, so OpenClaw treats Claude CLI reuse and `claude -p` usage as
sanctioned for this integration unless Anthropic publishes a new policy. For
production, prefer an Anthropic API key or another supported
subscription-style provider such as OpenAI Codex, Alibaba Cloud Model Studio
Coding Plan, MiniMax Coding Plan, or Z.AI / GLM Coding Plan.
Anthropic setup-token is available again as a legacy/manual auth path.
Use it only with the expectation that Anthropic told OpenClaw users the
OpenClaw-managed Anthropic subscription path requires **Extra Usage**.
### `models` (root)
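Review bot: the replacement "Anthropic note" paragraph rests on "Anthropic staff told us" with no date or reference, while the billing note it replaces gave an exact notice time (April 4, 2026 at 12:00 PM PT / 8:00 PM BST). Add the date of the newer communication, and a link if a public one exists, so an operator reading this later can tell which statement supersedes which and can re-check it.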
@@ -1601,7 +1595,7 @@ Notes:
- `setup-token` and `paste-token` are generic token commands for providers that expose token auth methods.
- `setup-token` requires an interactive TTY and runs the provider's token-auth method.
- `paste-token` prompts for the token value and defaults to auth profile id `<provider>:manual` when `--profile-id` is omitted.
- Anthropic `setup-token` / `paste-token` are available again as a legacy/manual OpenClaw path. Anthropic told OpenClaw users this path requires **Extra Usage** on the Claude account.
- Anthropic `setup-token` / `paste-token` are available again as a legacy/manual OpenClaw path.
### `models auth order get|set|clear`

View File

@@ -130,5 +130,5 @@ Notes:
`--profile-id`.
- `paste-token --expires-in <duration>` stores an absolute token expiry from a
relative duration such as `365d` or `12h`.
- Anthropic billing note: for Anthropic in OpenClaw, the practical split is **API key** or **Claude subscription with Extra Usage**. Anthropic notified OpenClaw users on **April 4, 2026 at 12:00 PM PT / 8:00 PM BST** that the **OpenClaw** Claude-login path counts as third-party harness usage and requires **Extra Usage** billed separately from the subscription. Our local repros also show the OpenClaw-identifying prompt string does not reproduce on the Anthropic SDK + API-key path.
- Anthropic `setup-token` / `paste-token` are available again as a legacy/manual OpenClaw path. Use them with the expectation that Anthropic told OpenClaw users this path requires **Extra Usage**.
- Anthropic note: Anthropic staff told us OpenClaw-style Claude CLI usage is allowed again, so OpenClaw treats Claude CLI reuse and `claude -p` usage as sanctioned for this integration unless Anthropic publishes a new policy.
- Anthropic `setup-token` / `paste-token` remain available as a legacy/manual OpenClaw path.

View File

@@ -273,8 +273,8 @@ OpenClaw ships with the piai catalog. These providers require **no**
- Example model: `anthropic/claude-opus-4-6`
- CLI: `openclaw onboard --auth-choice apiKey`
- Direct public Anthropic requests support the shared `/fast` toggle and `params.fastMode`, including API-key and OAuth-authenticated traffic sent to `api.anthropic.com`; OpenClaw maps that to Anthropic `service_tier` (`auto` vs `standard_only`)
- Billing note: for Anthropic in OpenClaw, the practical split is **API key** or **Claude subscription with Extra Usage**. Anthropic notified OpenClaw users on **April 4, 2026 at 12:00 PM PT / 8:00 PM BST** that the **OpenClaw** Claude-login path counts as third-party harness usage and requires **Extra Usage** billed separately from the subscription. Our local repros also show the OpenClaw-identifying prompt string does not reproduce on the Anthropic SDK + API-key path.
- Anthropic setup-token is available again as a legacy/manual OpenClaw path. Use it with the expectation that Anthropic told OpenClaw users this path requires **Extra Usage**.
- Anthropic note: Anthropic staff told us OpenClaw-style Claude CLI usage is allowed again, so OpenClaw treats Claude CLI reuse and `claude -p` usage as sanctioned for this integration unless Anthropic publishes a new policy.
- Anthropic setup-token is available again as a legacy/manual OpenClaw path.
```json5
{

View File

@@ -15,9 +15,8 @@ OpenClaw supports “subscription auth” via OAuth for providers that offer it
is now:
- **Anthropic API key**: normal Anthropic API billing
- **Anthropic subscription auth inside OpenClaw**: Anthropic notified OpenClaw
users on **April 4, 2026 at 12:00 PM PT / 8:00 PM BST** that this now
requires **Extra Usage**
- **Anthropic Claude CLI / subscription auth inside OpenClaw**: Anthropic staff
told us this usage is allowed again
OpenAI Codex OAuth is explicitly supported for use in external tools like
OpenClaw. This page explains:
@@ -71,12 +70,10 @@ For static secret refs and runtime snapshot activation behavior, see [Secrets Ma
<Warning>
Anthropic's public Claude Code docs say direct Claude Code use stays within
Claude subscription limits. Separately, Anthropic told OpenClaw users on
**April 4, 2026 at 12:00 PM PT / 8:00 PM BST** that **OpenClaw counts as a
third-party harness**. Existing Anthropic token profiles remain technically
usable in OpenClaw, but Anthropic says the OpenClaw path now requires **Extra
Usage** (pay-as-you-go billed separately from the subscription) for that
traffic.
Claude subscription limits, and Anthropic staff told us OpenClaw-style Claude
CLI usage is allowed again. OpenClaw therefore treats Claude CLI reuse and
`claude -p` usage as sanctioned for this integration unless Anthropic
publishes a new policy.
For Anthropic's current direct-Claude-Code plan docs, see [Using Claude Code
with your Pro or Max
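Review bot: this callout stays a `<Warning>` although its new body no longer warns about anything; it now says the usage is allowed. The cli-backends page in this same commit switches the equivalent block from `<Warning>` to `<Note>`, so use `<Note>` here as well, or keep `<Warning>` only if it is reworded around the remaining caveat ("unless Anthropic publishes a new policy").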
@@ -91,16 +88,11 @@ and [Z.AI / GLM Coding Plan](/providers/glm).
</Warning>
OpenClaw now exposes Anthropic setup-token again as a legacy/manual path.
Anthropic's OpenClaw-specific billing notice still applies to that path, so
use it with the expectation that Anthropic requires **Extra Usage** for
OpenClaw-driven Claude-login traffic.
## Anthropic Claude CLI migration
Anthropic no longer has a supported local Claude CLI migration path in
OpenClaw. Use Anthropic API keys for Anthropic traffic, or keep legacy
token-based auth only where it is already configured and with the expectation
that Anthropic treats that OpenClaw path as **Extra Usage**.
OpenClaw supports Anthropic Claude CLI reuse again. If you already have a local
Claude login on the host, onboarding/configure can reuse it directly.
## OAuth exchange (how login works)
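Review bot: the new "Anthropic Claude CLI migration" text says onboarding/configure "can reuse it directly" but does not say where the reused login is read from, whether OpenClaw copies it into `auth-profiles.json`, or who refreshes it on expiry. The onboarding reference already spells this out for Codex CLI reuse (credentials "stay managed by Codex CLI", refreshed credential is written back to Codex storage); add the same ownership statement for the Claude CLI path so operators know which process holds the token on a gateway host. The section heading also still says "migration" while the body now describes reuse.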

View File

@@ -1,5 +1,5 @@
---
summary: "Model authentication: OAuth, API keys, and legacy Anthropic setup-token"
summary: "Model authentication: OAuth, API keys, Claude CLI reuse, and legacy Anthropic setup-token"
read_when:
- Debugging model auth or OAuth expiry
- Documenting authentication or credential storage
@@ -9,7 +9,7 @@ title: "Authentication"
# Authentication (Model Providers)
<Note>
This page covers **model provider** authentication (API keys, OAuth, and legacy Anthropic setup-token). For **gateway connection** authentication (token, password, trusted-proxy), see [Configuration](/gateway/configuration) and [Trusted Proxy Auth](/gateway/trusted-proxy-auth).
This page covers **model provider** authentication (API keys, OAuth, Claude CLI reuse, and legacy Anthropic setup-token). For **gateway connection** authentication (token, password, trusted-proxy), see [Configuration](/gateway/configuration) and [Trusted Proxy Auth](/gateway/trusted-proxy-auth).
</Note>
OpenClaw supports OAuth and API keys for model providers. For always-on gateway
@@ -26,9 +26,8 @@ For credential eligibility/reason-code rules used by `models status --probe`, se
If youre running a long-lived gateway, start with an API key for your chosen
provider.
For Anthropic specifically, API key auth is the safe path. Anthropic
subscription-style auth inside OpenClaw is the legacy setup-token path and
should be treated as an **Extra Usage** path, not a plan-limits path.
For Anthropic specifically, API key auth is still the most predictable server
setup, but OpenClaw also supports reusing a local Claude CLI login.
1. Create an API key in your provider console.
2. Put it on the **gateway host** (the machine running `openclaw gateway`).
@@ -60,18 +59,16 @@ API keys for daemon use: `openclaw onboard`.
See [Help](/help) for details on env inheritance (`env.shellEnv`,
`~/.openclaw/.env`, systemd/launchd).
## Anthropic: legacy token compatibility
## Anthropic: Claude CLI and legacy token compatibility
Anthropic setup-token auth is still available in OpenClaw as a
legacy/manual path. Anthropic's public Claude Code docs still cover direct
Claude Code terminal use under Claude plans, but Anthropic separately told
OpenClaw users that the **OpenClaw** Claude-login path counts as third-party
harness usage and requires **Extra Usage** billed separately from the
subscription.
Anthropic setup-token auth is still available in OpenClaw as a legacy/manual
path. Anthropic staff has since told us that OpenClaw-style Claude CLI usage is
allowed again, so OpenClaw treats Claude CLI reuse and `claude -p` usage as
sanctioned for this integration unless Anthropic publishes a new policy.
For the clearest setup path, use an Anthropic API key. If you must keep a
subscription-style Anthropic path in OpenClaw, use the legacy setup-token path
with the expectation that Anthropic treats it as **Extra Usage**.
For long-lived gateway hosts, an Anthropic API key is still the most predictable
setup. If you want to reuse an existing Claude login on the same host, use the
Anthropic Claude CLI path in onboarding/configure.
Manual token entry (any provider; writes `auth-profiles.json` + updates config):
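Review bot: renaming the heading from "Anthropic: legacy token compatibility" to "Anthropic: Claude CLI and legacy token compatibility" changes the generated anchor, so any existing deep link to the old section slug will stop resolving. Check the docs for inbound links to the old anchor and update them in this commit, or keep the old heading text and add the Claude CLI material under it.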
@@ -112,15 +109,13 @@ Optional ops scripts (systemd/Termux) are documented here:
## Anthropic note
The Anthropic `claude-cli` backend was removed.
The Anthropic `claude-cli` backend is supported again.
- Use Anthropic API keys for Anthropic traffic in OpenClaw.
- Anthropic setup-token remains a legacy/manual path and should be used with
the Extra Usage billing expectation Anthropic communicated to OpenClaw users.
- `openclaw doctor` now detects stale removed Anthropic Claude CLI state. If
stored credential bytes still exist, doctor converts them back into
Anthropic token/OAuth profiles. If not, doctor removes the stale Claude CLI
config and points you to API key or setup-token recovery.
- Anthropic staff told us this OpenClaw integration path is allowed again.
- OpenClaw therefore treats Claude CLI reuse and `claude -p` usage as sanctioned
for Anthropic-backed runs unless Anthropic publishes a new policy.
- Anthropic API keys remain the most predictable choice for long-lived gateway
hosts and explicit server-side billing control.
## Checking model auth status
@@ -188,14 +183,3 @@ openclaw models status
Run `openclaw models status` to confirm which profile is expiring. If a legacy
Anthropic token profile is missing or expired, refresh that setup via
setup-token or migrate to an Anthropic API key.
If the machine still has stale removed Anthropic Claude CLI state from older
builds, run:
```bash
openclaw doctor --yes
```
Doctor converts `anthropic:claude-cli` back to Anthropic token/OAuth when the
stored credential bytes still exist. Otherwise it removes stale Claude CLI
profile/config/model refs and leaves the next-step guidance.
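Review bot: the `openclaw doctor --yes` section is dropped here without any replacement guidance for hosts that already ran it on an older build. According to the removed text, doctor either converted `anthropic:claude-cli` into token/OAuth profiles or removed the profile/config/model refs, so those hosts are now in a state the restored Claude CLI docs do not describe. Add one or two sentences on how to get back to Claude CLI reuse from that state (for example, re-running onboarding/configure and choosing the Claude CLI option).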

View File

@@ -143,12 +143,12 @@ The provider id becomes the left side of your model ref:
4. **Parses output** (JSON or plain text) and returns the final text.
5. **Persists session ids** per backend, so follow-ups reuse the same CLI session.
<Warning>
The bundled Anthropic `claude-cli` backend was removed after Anthropic's
OpenClaw billing boundary changed. OpenClaw still supports generic CLI
backends, but Anthropic API traffic should use the Anthropic provider directly
instead of the removed local Claude CLI path.
</Warning>
<Note>
The bundled Anthropic `claude-cli` backend is supported again. Anthropic staff
told us OpenClaw-style Claude CLI usage is allowed again, so OpenClaw treats
`claude -p` usage as sanctioned for this integration unless Anthropic publishes
a new policy.
</Note>
## Sessions

View File

@@ -312,13 +312,6 @@ Anthropic setup-token path.
Refresh prompts only appear when running interactively (TTY); `--non-interactive`
skips refresh attempts.
Doctor also detects stale removed Anthropic Claude CLI state. If old
`anthropic:claude-cli` credential bytes still exist in `auth-profiles.json`,
doctor converts them back into Anthropic token/OAuth profiles and rewrites
stale `claude-cli/...` model refs plus `agents.defaults.cliBackends.claude-cli`.
If the bytes are gone, doctor removes the stale config and prints recovery
commands instead.
Doctor also reports auth profiles that are temporarily unusable due to:
- short cooldowns (rate limits/timeouts/auth failures)

View File

@@ -50,7 +50,7 @@ Look for:
Fix options:
1. Disable `context1m` for that model to fall back to the normal context window.
2. Use an Anthropic API key with billing, or enable Anthropic Extra Usage on the Anthropic OAuth/subscription account.
2. Use an Anthropic credential that is eligible for long-context requests, or switch to an Anthropic API key.
3. Configure fallback models so runs continue when Anthropic long-context requests are rejected.
Related:
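Review bot: fix option 2 now reads "Use an Anthropic credential that is eligible for long-context requests", which does not tell the reader how to find out whether a credential is eligible or how to make it so. The line it replaces named a concrete action. Either state what eligibility depends on, or reduce the option to the part that is actionable ("switch to an Anthropic API key") and link to the provider page for the rest.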

View File

@@ -584,15 +584,14 @@ Quick answers plus deeper troubleshooting for real-world setups (local dev, VPS,
For Anthropic in OpenClaw, the practical split is:
- **Anthropic API key**: normal Anthropic API billing
- **Claude subscription auth in OpenClaw**: Anthropic told OpenClaw users on
**April 4, 2026 at 12:00 PM PT / 8:00 PM BST** that this requires
**Extra Usage** billed separately from the subscription
- **Claude CLI / Claude subscription auth in OpenClaw**: Anthropic staff
told us this usage is allowed again, and OpenClaw is treating `claude -p`
usage as sanctioned for this integration unless Anthropic publishes a new
policy
Our local repros also show that `claude -p --append-system-prompt ...` can
hit the same Extra Usage guard when the appended prompt identifies
OpenClaw, while the same prompt string does **not** reproduce that block on
the Anthropic SDK + API-key path. OpenAI Codex OAuth is explicitly
supported for external tools like OpenClaw.
For long-lived gateway hosts, Anthropic API keys are still the more
predictable setup. OpenAI Codex OAuth is explicitly supported for external
tools like OpenClaw.
OpenClaw also supports other hosted subscription-style options including
**Qwen Cloud Coding Plan**, **MiniMax Coding Plan**, and
@@ -606,33 +605,28 @@ Quick answers plus deeper troubleshooting for real-world setups (local dev, VPS,
</Accordion>
<Accordion title="Can I use Claude Max subscription without an API key?">
Yes, but treat it as **Claude subscription auth with Extra Usage**.
Yes.
Claude Pro/Max subscriptions do not include an API key. In OpenClaw, that
means Anthropic's OpenClaw-specific billing notice applies: subscription
traffic requires **Extra Usage**. If you want Anthropic traffic without
that Extra Usage path, use an Anthropic API key instead.
Anthropic staff told us OpenClaw-style Claude CLI usage is allowed again, so
OpenClaw treats Claude subscription auth and `claude -p` usage as sanctioned
for this integration unless Anthropic publishes a new policy. If you want
the most predictable server-side setup, use an Anthropic API key instead.
</Accordion>
<Accordion title="Do you support Claude subscription auth (Claude Pro or Max)?">
Yes, but the supported interpretation is now:
Yes.
- Anthropic in OpenClaw with a subscription means **Extra Usage**
- Anthropic in OpenClaw without that path means **API key**
Anthropic staff told us this usage is allowed again, so OpenClaw treats
Claude CLI reuse and `claude -p` usage as sanctioned for this integration
unless Anthropic publishes a new policy.
Anthropic setup-token is still available as a legacy/manual OpenClaw path,
and Anthropic's OpenClaw-specific billing notice still applies there. We
also reproduced the same billing guard locally with direct
`claude -p --append-system-prompt ...` usage when the appended prompt
identifies OpenClaw, while the same prompt string did **not** reproduce on
the Anthropic SDK + API-key path.
For production or multi-user workloads, Anthropic API key auth is the
safer, recommended choice. If you want other subscription-style hosted
Anthropic setup-token is still available as a legacy/manual OpenClaw path.
For production or multi-user workloads, Anthropic API key auth is still the
safer, more predictable choice. If you want other subscription-style hosted
options in OpenClaw, see [OpenAI](/providers/openai), [Qwen / Model
Cloud](/providers/qwen), [MiniMax](/providers/minimax), and
[GLM Models](/providers/glm).
Cloud](/providers/qwen), [MiniMax](/providers/minimax), and [GLM
Models](/providers/glm).
</Accordion>

View File

@@ -1,5 +1,5 @@
---
summary: "Use Anthropic Claude via API keys in OpenClaw"
summary: "Use Anthropic Claude via API keys or Claude CLI in OpenClaw"
read_when:
- You want to use Anthropic models in OpenClaw
title: "Anthropic"
@@ -7,31 +7,19 @@ title: "Anthropic"
# Anthropic (Claude)
Anthropic builds the **Claude** model family and provides access via an API.
In OpenClaw, new Anthropic setup should use an API key. Existing legacy
Anthropic token profiles are still honored at runtime if they are already
configured.
Anthropic builds the **Claude** model family and provides access via an API and
Claude CLI. In OpenClaw, Anthropic API keys and Claude CLI reuse are both
supported. Existing legacy Anthropic token profiles are still honored at
runtime if they are already configured.
<Warning>
For Anthropic in OpenClaw, the billing split is:
Anthropic staff told us OpenClaw-style Claude CLI usage is allowed again, so
OpenClaw treats Claude CLI reuse and `claude -p` usage as sanctioned for this
integration unless Anthropic publishes a new policy.
- **Anthropic API key**: normal Anthropic API billing.
- **Claude subscription auth inside OpenClaw**: Anthropic told OpenClaw users on
**April 4, 2026 at 12:00 PM PT / 8:00 PM BST** that this counts as
third-party harness usage and requires **Extra Usage** (pay-as-you-go,
billed separately from the subscription).
Our local repros match that split:
- direct `claude -p` may still work
- `claude -p --append-system-prompt ...` can trip the Extra Usage guard when
the prompt identifies OpenClaw
- the same OpenClaw-like system prompt does **not** reproduce the block on the
Anthropic SDK + `ANTHROPIC_API_KEY` path
So the practical rule is: **Anthropic API key, or Claude subscription with
Extra Usage**. If you want the clearest production path, use an Anthropic API
key.
For long-lived gateway hosts, Anthropic API keys are still the clearest and
most predictable production path. If you already use Claude CLI on the host,
OpenClaw can reuse that login directly.
Anthropic's current public docs:
@@ -202,10 +190,7 @@ requests.
This only activates when `params.context1m` is explicitly set to `true` for
that model.
Requirement: Anthropic must allow long-context usage on that credential
(typically API key billing, or OpenClaw's Claude-login path / legacy token auth
with Extra Usage enabled). Otherwise Anthropic returns:
`HTTP 429: rate_limit_error: Extra usage is required for long context requests`.
Requirement: Anthropic must allow long-context usage on that credential.
Note: Anthropic currently rejects `context-1m-*` beta requests when using
legacy Anthropic token auth (`sk-ant-oat-*`). If you configure
@@ -213,33 +198,24 @@ legacy Anthropic token auth (`sk-ant-oat-*`). If you configure
falls back to the standard context window by skipping the context1m beta
header while keeping the required OAuth betas.
## Removed: Claude CLI backend
## Claude CLI backend
The bundled Anthropic `claude-cli` backend was removed.
The bundled Anthropic `claude-cli` backend is supported in OpenClaw.
- Anthropic's April 4, 2026 notice says OpenClaw-driven Claude-login traffic is
third-party harness usage and requires **Extra Usage**.
- Our local repros also show that direct
`claude -p --append-system-prompt ...` can hit the same guard when the
appended prompt identifies OpenClaw.
- The same OpenClaw-like system prompt does not hit that guard on the
Anthropic SDK + `ANTHROPIC_API_KEY` path.
- Use Anthropic API keys for Anthropic traffic in OpenClaw.
- If you need a local CLI fallback runtime, use another supported CLI backend
such as Codex CLI. See [/gateway/cli-backends](/gateway/cli-backends).
- Anthropic staff told us this usage is allowed again.
- OpenClaw therefore treats Claude CLI reuse and `claude -p` usage as
sanctioned for this integration unless Anthropic publishes a new policy.
- Anthropic API keys remain the clearest production path for always-on gateway
hosts and explicit server-side billing control.
- Setup and runtime details are in [/gateway/cli-backends](/gateway/cli-backends).
## Notes
- Anthropic's public Claude Code docs still document direct CLI usage such as
`claude -p`, but Anthropic's separate notice to OpenClaw users says the
**OpenClaw** Claude-login path is third-party harness usage and requires
**Extra Usage** (pay-as-you-go billed separately from the subscription).
Our local repros also show that direct
`claude -p --append-system-prompt ...` can hit the same guard when the
appended prompt identifies OpenClaw, while the same prompt shape does not
reproduce on the Anthropic SDK + `ANTHROPIC_API_KEY` path. For production, we
recommend Anthropic API keys instead.
- Anthropic setup-token is available again in OpenClaw as a legacy/manual path. Anthropic's OpenClaw-specific billing notice still applies, so use it with the expectation that Anthropic requires **Extra Usage** for this path.
`claude -p`, and Anthropic staff told us OpenClaw-style Claude CLI usage is
allowed again. We are treating that guidance as settled unless Anthropic
publishes a new policy change.
- Anthropic setup-token is available again in OpenClaw as a legacy/manual path.
- Auth details + reuse rules are in [/concepts/oauth](/concepts/oauth).
## Troubleshooting

View File

@@ -31,13 +31,11 @@ OpenClaw features that can generate provider usage or paid API calls.
`stats`, normalizes `stats.cached` into `cacheRead`, and derives input tokens
from `stats.input_tokens - stats.cached` when needed.
Anthropic note: Anthropic's public Claude Code docs still include direct Claude
Code terminal usage in Claude plan limits. Separately, Anthropic told OpenClaw
users that starting **April 4, 2026 at 12:00 PM PT / 8:00 PM BST**, the
**OpenClaw** Claude-login path counts as third-party harness usage and
requires **Extra Usage** billed separately from the subscription. Anthropic
does not expose a per-message dollar estimate that OpenClaw can show in
`/usage full`.
Anthropic note: Anthropic staff told us OpenClaw-style Claude CLI usage is
allowed again, so OpenClaw treats Claude CLI reuse and `claude -p` usage as
sanctioned for this integration unless Anthropic publishes a new policy.
Anthropic still does not expose a per-message dollar estimate that OpenClaw can
show in `/usage full`.
**CLI usage windows (provider quotas)**

View File

@@ -177,10 +177,8 @@ This maps to Anthropic's `context-1m-2025-08-07` beta header.
This only applies when `context1m: true` is set on that model entry.
Requirement: the credential must be eligible for long-context usage (API key
billing, or OpenClaw's Claude-login path with Extra Usage enabled). If not,
Anthropic responds
with `HTTP 429: rate_limit_error: Extra usage is required for long context requests`.
Requirement: the credential must be eligible for long-context usage. If not,
Anthropic responds with a provider-side rate limit error for that request.
If you authenticate Anthropic with OAuth/subscription tokens (`sk-ant-oat-*`),
OpenClaw skips the `context-1m-*` beta header because Anthropic currently
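Review bot: the requirement paragraph replaces the literal response `HTTP 429: rate_limit_error: Extra usage is required for long context requests` with "a provider-side rate limit error for that request". Users land on this page by searching for the exact error text, and a generic "rate limit error" is easy to confuse with ordinary throttling. Keep the literal status and message as an example of what the rejection looks like, even if the surrounding billing explanation is removed.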

View File

@@ -32,7 +32,7 @@ For a high-level overview, see [Onboarding (CLI)](/start/wizard).
<Step title="Model/Auth">
- **Anthropic API key**: uses `ANTHROPIC_API_KEY` if present or prompts for a key, then saves it for daemon use.
- **Anthropic API key**: preferred Anthropic assistant choice in onboarding/configure.
- **Anthropic setup-token (legacy/manual)**: available again in onboarding/configure, but Anthropic told OpenClaw users that the OpenClaw Claude-login path counts as third-party harness usage and requires **Extra Usage** on the Claude account.
- **Anthropic setup-token (legacy/manual)**: still available in onboarding/configure.
- **OpenAI Code (Codex) subscription (Codex CLI)**: if `~/.codex/auth.json` exists, onboarding can reuse it. Reused Codex CLI credentials stay managed by Codex CLI; on expiry OpenClaw re-reads that source first and, when the provider can refresh it, writes the refreshed credential back to Codex storage instead of taking ownership itself.
- **OpenAI Code (Codex) subscription (OAuth)**: browser flow; paste the `code#state`.
- Sets `agents.defaults.model` to `openai-codex/gpt-5.4` when model is unset or `openai/*`.
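Review bot: the Model/Auth step list has no entry for Anthropic Claude CLI reuse, although the wizard page in this commit says onboarding/configure offers **Anthropic Claude CLI** and the commit restores that path. Add a bullet for it next to the setup-token entry, with the same level of detail the Codex CLI bullet gives about where the login is read from. The two consecutive "**Anthropic API key**" bullets could be merged while touching this list.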

View File

@@ -193,9 +193,7 @@ openclaw onboard --non-interactive \
</AccordionGroup>
Anthropic setup-token is available again as a legacy/manual onboarding path.
Use it with the expectation that Anthropic told OpenClaw users the OpenClaw
Claude-login path requires **Extra Usage**. For production, prefer an
Anthropic API key.
For production, prefer an Anthropic API key.
## Add another agent

View File

@@ -72,7 +72,7 @@ Onboarding starts with **QuickStart** (defaults) vs **Advanced** (full control).
For non-interactive runs, `--secret-input-mode ref` stores env-backed refs in auth profiles instead of plaintext API key values.
In non-interactive `ref` mode, the provider env var must be set; passing inline key flags without that env var fails fast.
In interactive runs, choosing secret reference mode lets you point at either an environment variable or a configured provider ref (`file` or `exec`), with a fast preflight validation before saving.
For Anthropic, interactive onboarding/configure offers **Anthropic Claude CLI** as a local fallback and **Anthropic API key** as the recommended production path. Anthropic setup-token is also available again as a legacy/manual OpenClaw path, with Anthropic's OpenClaw-specific **Extra Usage** billing expectation.
For Anthropic, interactive onboarding/configure offers **Anthropic Claude CLI** as a local fallback and **Anthropic API key** as the recommended production path. Anthropic setup-token is also available again as a legacy/manual OpenClaw path.
2. **Workspace** — Location for agent files (default `~/.openclaw/workspace`). Seeds bootstrap files.
3. **Gateway** — Port, bind address, auth mode, Tailscale exposure.
In interactive token mode, choose default plaintext token storage or opt into SecretRef.

View File

@@ -63,7 +63,7 @@ const ANTHROPIC_OAUTH_ALLOWLIST = [
] as const;
const ANTHROPIC_SETUP_TOKEN_NOTE_LINES = [
"Anthropic setup-token auth is a legacy/manual path in OpenClaw.",
"Anthropic told OpenClaw users that OpenClaw counts as a third-party harness, so this path requires Extra Usage on the Claude account.",
"Anthropic staff told us this OpenClaw path is allowed again.",
`If you want a direct API billing path instead, use ${formatCliCommand("openclaw models auth login --provider anthropic --method api-key --set-default")} or ${formatCliCommand("openclaw models auth login --provider anthropic --method cli --set-default")}.`,
] as const;
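Review bot: in `ANTHROPIC_SETUP_TOKEN_NOTE_LINES`, the third line still introduces both commands with "If you want a direct API billing path instead", but the second command is `--method cli`, which is the Claude CLI login rather than API-key billing. With the Extra Usage sentence gone, that framing is the only billing statement left in the note and it is inaccurate for one of the two options. Reword it to describe each command separately, e.g. API key for direct API billing and `--method cli` for reusing the local Claude login.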
@@ -386,7 +386,6 @@ export function registerAnthropicPlugin(api: OpenClawPluginApi): void {
docsPath: "/providers/models",
hookAliases: [CLAUDE_CLI_BACKEND_ID],
envVars: ["ANTHROPIC_OAUTH_TOKEN", "ANTHROPIC_API_KEY"],
deprecatedProfileIds: [claudeCliProfileId],
oauthProfileIdRepairs: [
{
legacyProfileId: "anthropic:default",
@@ -424,12 +423,12 @@ export function registerAnthropicPlugin(api: OpenClawPluginApi): void {
{
id: "setup-token",
label: "Anthropic setup-token",
hint: "Legacy/manual bearer token path; requires Extra Usage when used through OpenClaw",
hint: "Legacy/manual bearer token path",
kind: "token",
wizard: {
choiceId: "setup-token",
choiceLabel: "Anthropic setup-token",
choiceHint: "Legacy/manual path; requires Extra Usage in OpenClaw",
choiceHint: "Legacy/manual path",
assistantPriority: 40,
groupId: "anthropic",
groupLabel: "Anthropic",

View File

@@ -269,7 +269,6 @@ export function buildOpenAICodexProviderPlugin(): ProviderPlugin {
id: PROVIDER_ID,
label: "OpenAI Codex",
docsPath: "/providers/models",
deprecatedProfileIds: [CODEX_CLI_PROFILE_ID],
auth: [
{
id: "oauth",

View File

@@ -479,11 +479,11 @@ export function buildAgentSystemPrompt(params: {
// For "none" mode, return just the basic identity line
if (promptMode === "none") {
return "You are a personal assistant running inside OpenClaw.";
return "You are a personal assistant operating inside OpenClaw.";
}
const lines = [
"You are a personal assistant running inside OpenClaw.",
"You are a personal assistant operating inside OpenClaw.",
"",
"## Tooling",
"Structured tool definitions are the source of truth for tool names, descriptions, and parameters.",

View File

@@ -5,10 +5,7 @@ import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import type { OpenClawConfig } from "../config/config.js";
import type { ProviderPlugin } from "../plugins/types.js";
import { captureEnv } from "../test-utils/env.js";
import {
maybeRemoveDeprecatedCliAuthProfiles,
maybeRepairLegacyOAuthProfileIds,
} from "./doctor-auth.js";
import { maybeRepairLegacyOAuthProfileIds } from "./doctor-auth.js";
import type { DoctorPrompter } from "./doctor-prompter.js";
import type { DoctorRepairMode } from "./doctor-repair-mode.js";
@@ -58,96 +55,6 @@ afterEach(() => {
}
});
describe("maybeRemoveDeprecatedCliAuthProfiles", () => {
it("removes deprecated CLI auth profiles from store + config", async () => {
if (!tempAgentDir) {
throw new Error("Missing temp agent dir");
}
const authPath = path.join(tempAgentDir, "auth-profiles.json");
fs.writeFileSync(
authPath,
`${JSON.stringify(
{
version: 1,
profiles: {
"anthropic:claude-cli": {
type: "oauth",
provider: "anthropic",
access: "token-a",
refresh: "token-r",
expires: Date.now() + 60_000,
},
"openai-codex:codex-cli": {
type: "oauth",
provider: "openai-codex",
access: "token-b",
refresh: "token-r2",
expires: Date.now() + 60_000,
},
"openai-codex:default": {
type: "oauth",
provider: "openai-codex",
access: "token-c",
refresh: "token-r3",
expires: Date.now() + 60_000,
},
},
},
null,
2,
)}\n`,
"utf8",
);
resolvePluginProvidersMock.mockReturnValue([
{
id: "anthropic",
label: "Anthropic",
auth: [],
deprecatedProfileIds: ["anthropic:claude-cli"],
},
{
id: "openai-codex",
label: "OpenAI Codex",
auth: [],
deprecatedProfileIds: ["openai-codex:codex-cli"],
},
]);
const cfg = {
auth: {
profiles: {
"anthropic:claude-cli": { provider: "anthropic", mode: "oauth" },
"openai-codex:codex-cli": { provider: "openai-codex", mode: "oauth" },
"openai-codex:default": { provider: "openai-codex", mode: "oauth" },
},
order: {
anthropic: ["anthropic:claude-cli"],
"openai-codex": ["openai-codex:codex-cli", "openai-codex:default"],
},
},
} as const;
const next = await maybeRemoveDeprecatedCliAuthProfiles(
cfg as unknown as OpenClawConfig,
makePrompter(true),
);
const raw = JSON.parse(fs.readFileSync(authPath, "utf8")) as {
profiles?: Record<string, unknown>;
};
expect(raw.profiles?.["anthropic:claude-cli"]).toBeUndefined();
expect(raw.profiles?.["openai-codex:codex-cli"]).toBeUndefined();
expect(raw.profiles?.["openai-codex:default"]).toBeDefined();
expect(next.auth?.profiles?.["anthropic:claude-cli"]).toBeUndefined();
expect(next.auth?.profiles?.["openai-codex:codex-cli"]).toBeUndefined();
expect(next.auth?.profiles?.["openai-codex:default"]).toBeDefined();
expect(next.auth?.order?.anthropic).toBeUndefined();
expect(next.auth?.order?.["openai-codex"]).toEqual(["openai-codex:default"]);
});
});
describe("maybeRepairLegacyOAuthProfileIds", () => {
it("repairs provider-owned legacy OAuth profile ids", async () => {
if (!tempAgentDir) {
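Review bot: the `maybeRemoveDeprecatedCliAuthProfiles` test is deleted with nothing asserting the new behavior in its place. A small regression test that runs the doctor auth step against a store holding `anthropic:claude-cli` and checks the profile, its `order` entry, and the config entry all survive would pin the restored behavior. The removed fixture also exercised `openai-codex:codex-cli`, so this change stops pruning that profile id too, which the commit title (Claude CLI only) does not mention; worth stating in the message or changelog.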


@@ -11,16 +11,11 @@ import {
resolveProfileUnusableUntilForDisplay,
} from "../agents/auth-profiles.js";
import { formatAuthDoctorHint } from "../agents/auth-profiles/doctor.js";
import { updateAuthProfileStoreWithLock } from "../agents/auth-profiles/store.js";
import { formatCliCommand } from "../cli/command-format.js";
import type { OpenClawConfig } from "../config/config.js";
import { resolvePluginProviders } from "../plugins/providers.runtime.js";
import { note } from "../terminal/note.js";
import type { DoctorPrompter } from "./doctor-prompter.js";
import {
buildProviderAuthRecoveryHint,
resolveProviderAuthLoginCommand,
} from "./provider-auth-guidance.js";
import { buildProviderAuthRecoveryHint } from "./provider-auth-guidance.js";
export async function maybeRepairLegacyOAuthProfileIds(
cfg: OpenClawConfig,
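Review bot: the import from `./provider-auth-guidance.js` now pulls only `buildProviderAuthRecoveryHint`, so `resolveProviderAuthLoginCommand` loses this caller. If nothing else imports it, drop the export in the same commit rather than leaving dead code in the auth guidance module.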
@@ -59,167 +54,6 @@ export async function maybeRepairLegacyOAuthProfileIds(
return nextCfg;
}
function pruneAuthOrder(
order: Record<string, string[]> | undefined,
profileIds: Set<string>,
): { next: Record<string, string[]> | undefined; changed: boolean } {
if (!order) {
return { next: order, changed: false };
}
let changed = false;
const next: Record<string, string[]> = {};
for (const [provider, list] of Object.entries(order)) {
const filtered = list.filter((id) => !profileIds.has(id));
if (filtered.length !== list.length) {
changed = true;
}
if (filtered.length > 0) {
next[provider] = filtered;
}
}
return { next: Object.keys(next).length > 0 ? next : undefined, changed };
}
function pruneAuthProfiles(
cfg: OpenClawConfig,
profileIds: Set<string>,
): { next: OpenClawConfig; changed: boolean } {
const profiles = cfg.auth?.profiles;
const order = cfg.auth?.order;
const nextProfiles = profiles ? { ...profiles } : undefined;
let changed = false;
if (nextProfiles) {
for (const id of profileIds) {
if (id in nextProfiles) {
delete nextProfiles[id];
changed = true;
}
}
}
const prunedOrder = pruneAuthOrder(order, profileIds);
if (prunedOrder.changed) {
changed = true;
}
if (!changed) {
return { next: cfg, changed: false };
}
const nextAuth =
nextProfiles || prunedOrder.next
? {
...cfg.auth,
profiles: nextProfiles && Object.keys(nextProfiles).length > 0 ? nextProfiles : undefined,
order: prunedOrder.next,
}
: undefined;
return {
next: {
...cfg,
auth: nextAuth,
},
changed: true,
};
}
export async function maybeRemoveDeprecatedCliAuthProfiles(
cfg: OpenClawConfig,
prompter: DoctorPrompter,
): Promise<OpenClawConfig> {
const store = ensureAuthProfileStore(undefined, { allowKeychainPrompt: false });
const providers = resolvePluginProviders({
config: cfg,
env: process.env,
mode: "setup",
});
const deprecatedEntries = providers.flatMap((provider) =>
(provider.deprecatedProfileIds ?? [])
.filter((profileId) => store.profiles[profileId] || cfg.auth?.profiles?.[profileId])
.map((profileId) => ({
profileId,
providerId: provider.id,
providerLabel: provider.label,
})),
);
const deprecated = new Set(deprecatedEntries.map((entry) => entry.profileId));
if (deprecated.size === 0) {
return cfg;
}
const lines = ["Deprecated external CLI auth profiles detected (no longer supported):"];
for (const entry of deprecatedEntries) {
const authCommand =
resolveProviderAuthLoginCommand({
provider: entry.providerId,
config: cfg,
env: process.env,
}) ?? formatCliCommand("openclaw configure");
lines.push(`- ${entry.profileId} (${entry.providerLabel}): use ${authCommand}`);
}
note(lines.join("\n"), "Auth profiles");
const shouldRemove = await prompter.confirmAutoFix({
message: "Remove deprecated CLI auth profiles now?",
initialValue: true,
});
if (!shouldRemove) {
return cfg;
}
await updateAuthProfileStoreWithLock({
updater: (nextStore) => {
let mutated = false;
for (const id of deprecated) {
if (nextStore.profiles[id]) {
delete nextStore.profiles[id];
mutated = true;
}
if (nextStore.usageStats?.[id]) {
delete nextStore.usageStats[id];
mutated = true;
}
}
if (nextStore.order) {
for (const [provider, list] of Object.entries(nextStore.order)) {
const filtered = list.filter((id) => !deprecated.has(id));
if (filtered.length !== list.length) {
mutated = true;
if (filtered.length > 0) {
nextStore.order[provider] = filtered;
} else {
delete nextStore.order[provider];
}
}
}
}
if (nextStore.lastGood) {
for (const [provider, profileId] of Object.entries(nextStore.lastGood)) {
if (deprecated.has(profileId)) {
delete nextStore.lastGood[provider];
mutated = true;
}
}
}
return mutated;
},
});
const pruned = pruneAuthProfiles(cfg, deprecated);
if (pruned.changed) {
note(
Array.from(deprecated.values())
.map((id) => `- removed ${id} from config`)
.join("\n"),
"Doctor changes",
);
}
return pruned.next;
}
type AuthIssue = {
profileId: string;
provider: string;
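Review bot: deleting `maybeRemoveDeprecatedCliAuthProfiles` stops future removals but does not undo past ones. On machines where the earlier doctor prompt was accepted, the updater already deleted the entries from `profiles`, `usageStats`, `order` and `lastGood`, and the config copy was pruned as well, so those users will still have no `anthropic:claude-cli` credential after upgrading. A changelog line or a doctor hint telling them to log in again would close that gap. Separately, this function was the reader of `provider.deprecatedProfileIds` in this file; if no other code consumes the field, providers that still declare it will silently do nothing, so either remove the field or document that it is inert.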


@@ -598,7 +598,7 @@ describe("modelsAuthLoginCommand", () => {
"Anthropic setup-token auth is a legacy/manual path in OpenClaw.",
);
expect(runtime.log).toHaveBeenCalledWith(
"Anthropic told OpenClaw users this path requires Extra Usage on the Claude account.",
"Anthropic staff told us this OpenClaw path is allowed again.",
);
});


@@ -421,9 +421,7 @@ export async function modelsAuthPasteTokenCommand(
runtime.log(`Auth profile: ${profileId} (${provider}/token)`);
if (provider === "anthropic") {
runtime.log("Anthropic setup-token auth is a legacy/manual path in OpenClaw.");
runtime.log(
"Anthropic told OpenClaw users this path requires Extra Usage on the Claude account.",
);
runtime.log("Anthropic staff told us this OpenClaw path is allowed again.");
}
}
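Review bot: the new `runtime.log` string in the `provider === "anthropic"` branch states a vendor policy position as fact in CLI output, with no date or pointer, and "this OpenClaw path" is ambiguous directly after a line that calls setup-token auth a legacy/manual path. Suggest naming the path explicitly and pointing at the docs note that carries the policy statement, so the claim is maintained in one place. The same literal is asserted verbatim in the test hunk above, so a shared constant would keep the message and its test from drifting.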


@@ -10,7 +10,6 @@ import {
import { runChannelPluginStartupMaintenance } from "../channels/plugins/lifecycle-startup.js";
import { formatCliCommand } from "../cli/command-format.js";
import {
maybeRemoveDeprecatedCliAuthProfiles,
maybeRepairLegacyOAuthProfileIds,
noteAuthProfileHealth,
} from "../commands/doctor-auth.js";
@@ -143,7 +142,6 @@ async function runGatewayConfigHealth(ctx: DoctorHealthFlowContext): Promise<voi
async function runAuthProfileHealth(ctx: DoctorHealthFlowContext): Promise<void> {
ctx.cfg = await maybeRepairLegacyOAuthProfileIds(ctx.cfg, ctx.prompter);
ctx.cfg = await maybeRemoveDeprecatedCliAuthProfiles(ctx.cfg, ctx.prompter);
await noteAuthProfileHealth({
cfg: ctx.cfg,
prompter: ctx.prompter,