diff --git a/docs/cli/index.md b/docs/cli/index.md index 3b8c0fedaa6..9b15290b154 100644 --- a/docs/cli/index.md +++ b/docs/cli/index.md @@ -1478,20 +1478,14 @@ Tip: the owner-only `gateway` runtime tool still refuses to rewrite `tools.exec. See [/concepts/models](/concepts/models) for fallback behavior and scanning strategy. -Billing note: for Anthropic in OpenClaw, the practical split is **API key** or -**Claude subscription with Extra Usage**. Anthropic notified OpenClaw users on -**April 4, 2026 at 12:00 PM PT / 8:00 PM BST** that the **OpenClaw** -Claude-login path counts as third-party harness usage and requires -**Extra Usage** billed separately from the subscription. Our local repros also -show the OpenClaw-identifying prompt string does not reproduce on the -Anthropic SDK + API-key path. For production, prefer an Anthropic API key or -another supported subscription-style provider such as OpenAI Codex, Alibaba -Cloud Model Studio Coding Plan, MiniMax Coding Plan, or Z.AI / GLM Coding -Plan. +Anthropic note: Anthropic staff told us OpenClaw-style Claude CLI usage is +allowed again, so OpenClaw treats Claude CLI reuse and `claude -p` usage as +sanctioned for this integration unless Anthropic publishes a new policy. For +production, prefer an Anthropic API key or another supported +subscription-style provider such as OpenAI Codex, Alibaba Cloud Model Studio +Coding Plan, MiniMax Coding Plan, or Z.AI / GLM Coding Plan. Anthropic setup-token is available again as a legacy/manual auth path. -Use it only with the expectation that Anthropic told OpenClaw users the -OpenClaw-managed Anthropic subscription path requires **Extra Usage**. ### `models` (root) @@ -1601,7 +1595,7 @@ Notes: - `setup-token` and `paste-token` are generic token commands for providers that expose token auth methods. - `setup-token` requires an interactive TTY and runs the provider's token-auth method. - `paste-token` prompts for the token value and defaults to auth profile id `:manual` when `--profile-id` is omitted. -- Anthropic `setup-token` / `paste-token` are available again as a legacy/manual OpenClaw path. Anthropic told OpenClaw users this path requires **Extra Usage** on the Claude account. +- Anthropic `setup-token` / `paste-token` are available again as a legacy/manual OpenClaw path. ### `models auth order get|set|clear` diff --git a/docs/cli/models.md b/docs/cli/models.md index f59a64618e6..d08740626f1 100644 --- a/docs/cli/models.md +++ b/docs/cli/models.md @@ -130,5 +130,5 @@ Notes: `--profile-id`. - `paste-token --expires-in ` stores an absolute token expiry from a relative duration such as `365d` or `12h`. -- Anthropic billing note: for Anthropic in OpenClaw, the practical split is **API key** or **Claude subscription with Extra Usage**. Anthropic notified OpenClaw users on **April 4, 2026 at 12:00 PM PT / 8:00 PM BST** that the **OpenClaw** Claude-login path counts as third-party harness usage and requires **Extra Usage** billed separately from the subscription. Our local repros also show the OpenClaw-identifying prompt string does not reproduce on the Anthropic SDK + API-key path. -- Anthropic `setup-token` / `paste-token` are available again as a legacy/manual OpenClaw path. Use them with the expectation that Anthropic told OpenClaw users this path requires **Extra Usage**. +- Anthropic note: Anthropic staff told us OpenClaw-style Claude CLI usage is allowed again, so OpenClaw treats Claude CLI reuse and `claude -p` usage as sanctioned for this integration unless Anthropic publishes a new policy. +- Anthropic `setup-token` / `paste-token` remain available as a legacy/manual OpenClaw path. diff --git a/docs/concepts/model-providers.md b/docs/concepts/model-providers.md index 98dabdafc29..ba8ca4e6867 100644 --- a/docs/concepts/model-providers.md +++ b/docs/concepts/model-providers.md @@ -273,8 +273,8 @@ OpenClaw ships with the pi‑ai catalog. These providers require **no** - Example model: `anthropic/claude-opus-4-6` - CLI: `openclaw onboard --auth-choice apiKey` - Direct public Anthropic requests support the shared `/fast` toggle and `params.fastMode`, including API-key and OAuth-authenticated traffic sent to `api.anthropic.com`; OpenClaw maps that to Anthropic `service_tier` (`auto` vs `standard_only`) -- Billing note: for Anthropic in OpenClaw, the practical split is **API key** or **Claude subscription with Extra Usage**. Anthropic notified OpenClaw users on **April 4, 2026 at 12:00 PM PT / 8:00 PM BST** that the **OpenClaw** Claude-login path counts as third-party harness usage and requires **Extra Usage** billed separately from the subscription. Our local repros also show the OpenClaw-identifying prompt string does not reproduce on the Anthropic SDK + API-key path. -- Anthropic setup-token is available again as a legacy/manual OpenClaw path. Use it with the expectation that Anthropic told OpenClaw users this path requires **Extra Usage**. +- Anthropic note: Anthropic staff told us OpenClaw-style Claude CLI usage is allowed again, so OpenClaw treats Claude CLI reuse and `claude -p` usage as sanctioned for this integration unless Anthropic publishes a new policy. +- Anthropic setup-token is available again as a legacy/manual OpenClaw path. ```json5 { diff --git a/docs/concepts/oauth.md b/docs/concepts/oauth.md index 77ee4a50cb7..94906a58ff1 100644 --- a/docs/concepts/oauth.md +++ b/docs/concepts/oauth.md @@ -15,9 +15,8 @@ OpenClaw supports “subscription auth” via OAuth for providers that offer it is now: - **Anthropic API key**: normal Anthropic API billing -- **Anthropic subscription auth inside OpenClaw**: Anthropic notified OpenClaw - users on **April 4, 2026 at 12:00 PM PT / 8:00 PM BST** that this now - requires **Extra Usage** +- **Anthropic Claude CLI / subscription auth inside OpenClaw**: Anthropic staff + told us this usage is allowed again OpenAI Codex OAuth is explicitly supported for use in external tools like OpenClaw. This page explains: @@ -71,12 +70,10 @@ For static secret refs and runtime snapshot activation behavior, see [Secrets Ma Anthropic's public Claude Code docs say direct Claude Code use stays within -Claude subscription limits. Separately, Anthropic told OpenClaw users on -**April 4, 2026 at 12:00 PM PT / 8:00 PM BST** that **OpenClaw counts as a -third-party harness**. Existing Anthropic token profiles remain technically -usable in OpenClaw, but Anthropic says the OpenClaw path now requires **Extra -Usage** (pay-as-you-go billed separately from the subscription) for that -traffic. +Claude subscription limits, and Anthropic staff told us OpenClaw-style Claude +CLI usage is allowed again. OpenClaw therefore treats Claude CLI reuse and +`claude -p` usage as sanctioned for this integration unless Anthropic +publishes a new policy. For Anthropic's current direct-Claude-Code plan docs, see [Using Claude Code with your Pro or Max @@ -91,16 +88,11 @@ and [Z.AI / GLM Coding Plan](/providers/glm). OpenClaw now exposes Anthropic setup-token again as a legacy/manual path. -Anthropic's OpenClaw-specific billing notice still applies to that path, so -use it with the expectation that Anthropic requires **Extra Usage** for -OpenClaw-driven Claude-login traffic. ## Anthropic Claude CLI migration -Anthropic no longer has a supported local Claude CLI migration path in -OpenClaw. Use Anthropic API keys for Anthropic traffic, or keep legacy -token-based auth only where it is already configured and with the expectation -that Anthropic treats that OpenClaw path as **Extra Usage**. +OpenClaw supports Anthropic Claude CLI reuse again. If you already have a local +Claude login on the host, onboarding/configure can reuse it directly. ## OAuth exchange (how login works) diff --git a/docs/gateway/authentication.md b/docs/gateway/authentication.md index 05a5842aedc..4c3e76f69eb 100644 --- a/docs/gateway/authentication.md +++ b/docs/gateway/authentication.md @@ -1,5 +1,5 @@ --- -summary: "Model authentication: OAuth, API keys, and legacy Anthropic setup-token" +summary: "Model authentication: OAuth, API keys, Claude CLI reuse, and legacy Anthropic setup-token" read_when: - Debugging model auth or OAuth expiry - Documenting authentication or credential storage @@ -9,7 +9,7 @@ title: "Authentication" # Authentication (Model Providers) -This page covers **model provider** authentication (API keys, OAuth, and legacy Anthropic setup-token). For **gateway connection** authentication (token, password, trusted-proxy), see [Configuration](/gateway/configuration) and [Trusted Proxy Auth](/gateway/trusted-proxy-auth). +This page covers **model provider** authentication (API keys, OAuth, Claude CLI reuse, and legacy Anthropic setup-token). For **gateway connection** authentication (token, password, trusted-proxy), see [Configuration](/gateway/configuration) and [Trusted Proxy Auth](/gateway/trusted-proxy-auth). OpenClaw supports OAuth and API keys for model providers. For always-on gateway @@ -26,9 +26,8 @@ For credential eligibility/reason-code rules used by `models status --probe`, se If you’re running a long-lived gateway, start with an API key for your chosen provider. -For Anthropic specifically, API key auth is the safe path. Anthropic -subscription-style auth inside OpenClaw is the legacy setup-token path and -should be treated as an **Extra Usage** path, not a plan-limits path. +For Anthropic specifically, API key auth is still the most predictable server +setup, but OpenClaw also supports reusing a local Claude CLI login. 1. Create an API key in your provider console. 2. Put it on the **gateway host** (the machine running `openclaw gateway`). @@ -60,18 +59,16 @@ API keys for daemon use: `openclaw onboard`. See [Help](/help) for details on env inheritance (`env.shellEnv`, `~/.openclaw/.env`, systemd/launchd). -## Anthropic: legacy token compatibility +## Anthropic: Claude CLI and legacy token compatibility -Anthropic setup-token auth is still available in OpenClaw as a -legacy/manual path. Anthropic's public Claude Code docs still cover direct -Claude Code terminal use under Claude plans, but Anthropic separately told -OpenClaw users that the **OpenClaw** Claude-login path counts as third-party -harness usage and requires **Extra Usage** billed separately from the -subscription. +Anthropic setup-token auth is still available in OpenClaw as a legacy/manual +path. Anthropic staff has since told us that OpenClaw-style Claude CLI usage is +allowed again, so OpenClaw treats Claude CLI reuse and `claude -p` usage as +sanctioned for this integration unless Anthropic publishes a new policy. -For the clearest setup path, use an Anthropic API key. If you must keep a -subscription-style Anthropic path in OpenClaw, use the legacy setup-token path -with the expectation that Anthropic treats it as **Extra Usage**. +For long-lived gateway hosts, an Anthropic API key is still the most predictable +setup. If you want to reuse an existing Claude login on the same host, use the +Anthropic Claude CLI path in onboarding/configure. Manual token entry (any provider; writes `auth-profiles.json` + updates config): @@ -112,15 +109,13 @@ Optional ops scripts (systemd/Termux) are documented here: ## Anthropic note -The Anthropic `claude-cli` backend was removed. +The Anthropic `claude-cli` backend is supported again. -- Use Anthropic API keys for Anthropic traffic in OpenClaw. -- Anthropic setup-token remains a legacy/manual path and should be used with - the Extra Usage billing expectation Anthropic communicated to OpenClaw users. -- `openclaw doctor` now detects stale removed Anthropic Claude CLI state. If - stored credential bytes still exist, doctor converts them back into - Anthropic token/OAuth profiles. If not, doctor removes the stale Claude CLI - config and points you to API key or setup-token recovery. +- Anthropic staff told us this OpenClaw integration path is allowed again. +- OpenClaw therefore treats Claude CLI reuse and `claude -p` usage as sanctioned + for Anthropic-backed runs unless Anthropic publishes a new policy. +- Anthropic API keys remain the most predictable choice for long-lived gateway + hosts and explicit server-side billing control. ## Checking model auth status @@ -188,14 +183,3 @@ openclaw models status Run `openclaw models status` to confirm which profile is expiring. If a legacy Anthropic token profile is missing or expired, refresh that setup via setup-token or migrate to an Anthropic API key. - -If the machine still has stale removed Anthropic Claude CLI state from older -builds, run: - -```bash -openclaw doctor --yes -``` - -Doctor converts `anthropic:claude-cli` back to Anthropic token/OAuth when the -stored credential bytes still exist. Otherwise it removes stale Claude CLI -profile/config/model refs and leaves the next-step guidance. diff --git a/docs/gateway/cli-backends.md b/docs/gateway/cli-backends.md index ecaa546879c..44e42e71241 100644 --- a/docs/gateway/cli-backends.md +++ b/docs/gateway/cli-backends.md @@ -143,12 +143,12 @@ The provider id becomes the left side of your model ref: 4. **Parses output** (JSON or plain text) and returns the final text. 5. **Persists session ids** per backend, so follow-ups reuse the same CLI session. - -The bundled Anthropic `claude-cli` backend was removed after Anthropic's -OpenClaw billing boundary changed. OpenClaw still supports generic CLI -backends, but Anthropic API traffic should use the Anthropic provider directly -instead of the removed local Claude CLI path. - + +The bundled Anthropic `claude-cli` backend is supported again. Anthropic staff +told us OpenClaw-style Claude CLI usage is allowed again, so OpenClaw treats +`claude -p` usage as sanctioned for this integration unless Anthropic publishes +a new policy. + ## Sessions diff --git a/docs/gateway/doctor.md b/docs/gateway/doctor.md index de793c4f743..8fca0b6e25f 100644 --- a/docs/gateway/doctor.md +++ b/docs/gateway/doctor.md @@ -312,13 +312,6 @@ Anthropic setup-token path. Refresh prompts only appear when running interactively (TTY); `--non-interactive` skips refresh attempts. -Doctor also detects stale removed Anthropic Claude CLI state. If old -`anthropic:claude-cli` credential bytes still exist in `auth-profiles.json`, -doctor converts them back into Anthropic token/OAuth profiles and rewrites -stale `claude-cli/...` model refs plus `agents.defaults.cliBackends.claude-cli`. -If the bytes are gone, doctor removes the stale config and prints recovery -commands instead. - Doctor also reports auth profiles that are temporarily unusable due to: - short cooldowns (rate limits/timeouts/auth failures) diff --git a/docs/gateway/troubleshooting.md b/docs/gateway/troubleshooting.md index 779ca58877d..0cd550d4057 100644 --- a/docs/gateway/troubleshooting.md +++ b/docs/gateway/troubleshooting.md @@ -50,7 +50,7 @@ Look for: Fix options: 1. Disable `context1m` for that model to fall back to the normal context window. -2. Use an Anthropic API key with billing, or enable Anthropic Extra Usage on the Anthropic OAuth/subscription account. +2. Use an Anthropic credential that is eligible for long-context requests, or switch to an Anthropic API key. 3. Configure fallback models so runs continue when Anthropic long-context requests are rejected. Related: diff --git a/docs/help/faq.md b/docs/help/faq.md index e5ef075c2a7..549a24113d8 100644 --- a/docs/help/faq.md +++ b/docs/help/faq.md @@ -584,15 +584,14 @@ Quick answers plus deeper troubleshooting for real-world setups (local dev, VPS, For Anthropic in OpenClaw, the practical split is: - **Anthropic API key**: normal Anthropic API billing - - **Claude subscription auth in OpenClaw**: Anthropic told OpenClaw users on - **April 4, 2026 at 12:00 PM PT / 8:00 PM BST** that this requires - **Extra Usage** billed separately from the subscription + - **Claude CLI / Claude subscription auth in OpenClaw**: Anthropic staff + told us this usage is allowed again, and OpenClaw is treating `claude -p` + usage as sanctioned for this integration unless Anthropic publishes a new + policy - Our local repros also show that `claude -p --append-system-prompt ...` can - hit the same Extra Usage guard when the appended prompt identifies - OpenClaw, while the same prompt string does **not** reproduce that block on - the Anthropic SDK + API-key path. OpenAI Codex OAuth is explicitly - supported for external tools like OpenClaw. + For long-lived gateway hosts, Anthropic API keys are still the more + predictable setup. OpenAI Codex OAuth is explicitly supported for external + tools like OpenClaw. OpenClaw also supports other hosted subscription-style options including **Qwen Cloud Coding Plan**, **MiniMax Coding Plan**, and @@ -606,33 +605,28 @@ Quick answers plus deeper troubleshooting for real-world setups (local dev, VPS, - Yes, but treat it as **Claude subscription auth with Extra Usage**. + Yes. - Claude Pro/Max subscriptions do not include an API key. In OpenClaw, that - means Anthropic's OpenClaw-specific billing notice applies: subscription - traffic requires **Extra Usage**. If you want Anthropic traffic without - that Extra Usage path, use an Anthropic API key instead. + Anthropic staff told us OpenClaw-style Claude CLI usage is allowed again, so + OpenClaw treats Claude subscription auth and `claude -p` usage as sanctioned + for this integration unless Anthropic publishes a new policy. If you want + the most predictable server-side setup, use an Anthropic API key instead. - Yes, but the supported interpretation is now: + Yes. - - Anthropic in OpenClaw with a subscription means **Extra Usage** - - Anthropic in OpenClaw without that path means **API key** + Anthropic staff told us this usage is allowed again, so OpenClaw treats + Claude CLI reuse and `claude -p` usage as sanctioned for this integration + unless Anthropic publishes a new policy. - Anthropic setup-token is still available as a legacy/manual OpenClaw path, - and Anthropic's OpenClaw-specific billing notice still applies there. We - also reproduced the same billing guard locally with direct - `claude -p --append-system-prompt ...` usage when the appended prompt - identifies OpenClaw, while the same prompt string did **not** reproduce on - the Anthropic SDK + API-key path. - - For production or multi-user workloads, Anthropic API key auth is the - safer, recommended choice. If you want other subscription-style hosted + Anthropic setup-token is still available as a legacy/manual OpenClaw path. + For production or multi-user workloads, Anthropic API key auth is still the + safer, more predictable choice. If you want other subscription-style hosted options in OpenClaw, see [OpenAI](/providers/openai), [Qwen / Model - Cloud](/providers/qwen), [MiniMax](/providers/minimax), and - [GLM Models](/providers/glm). + Cloud](/providers/qwen), [MiniMax](/providers/minimax), and [GLM + Models](/providers/glm). diff --git a/docs/providers/anthropic.md b/docs/providers/anthropic.md index a6c4011a6a4..32154599f16 100644 --- a/docs/providers/anthropic.md +++ b/docs/providers/anthropic.md @@ -1,5 +1,5 @@ --- -summary: "Use Anthropic Claude via API keys in OpenClaw" +summary: "Use Anthropic Claude via API keys or Claude CLI in OpenClaw" read_when: - You want to use Anthropic models in OpenClaw title: "Anthropic" @@ -7,31 +7,19 @@ title: "Anthropic" # Anthropic (Claude) -Anthropic builds the **Claude** model family and provides access via an API. -In OpenClaw, new Anthropic setup should use an API key. Existing legacy -Anthropic token profiles are still honored at runtime if they are already -configured. +Anthropic builds the **Claude** model family and provides access via an API and +Claude CLI. In OpenClaw, Anthropic API keys and Claude CLI reuse are both +supported. Existing legacy Anthropic token profiles are still honored at +runtime if they are already configured. -For Anthropic in OpenClaw, the billing split is: +Anthropic staff told us OpenClaw-style Claude CLI usage is allowed again, so +OpenClaw treats Claude CLI reuse and `claude -p` usage as sanctioned for this +integration unless Anthropic publishes a new policy. -- **Anthropic API key**: normal Anthropic API billing. -- **Claude subscription auth inside OpenClaw**: Anthropic told OpenClaw users on - **April 4, 2026 at 12:00 PM PT / 8:00 PM BST** that this counts as - third-party harness usage and requires **Extra Usage** (pay-as-you-go, - billed separately from the subscription). - -Our local repros match that split: - -- direct `claude -p` may still work -- `claude -p --append-system-prompt ...` can trip the Extra Usage guard when - the prompt identifies OpenClaw -- the same OpenClaw-like system prompt does **not** reproduce the block on the - Anthropic SDK + `ANTHROPIC_API_KEY` path - -So the practical rule is: **Anthropic API key, or Claude subscription with -Extra Usage**. If you want the clearest production path, use an Anthropic API -key. +For long-lived gateway hosts, Anthropic API keys are still the clearest and +most predictable production path. If you already use Claude CLI on the host, +OpenClaw can reuse that login directly. Anthropic's current public docs: @@ -202,10 +190,7 @@ requests. This only activates when `params.context1m` is explicitly set to `true` for that model. -Requirement: Anthropic must allow long-context usage on that credential -(typically API key billing, or OpenClaw's Claude-login path / legacy token auth -with Extra Usage enabled). Otherwise Anthropic returns: -`HTTP 429: rate_limit_error: Extra usage is required for long context requests`. +Requirement: Anthropic must allow long-context usage on that credential. Note: Anthropic currently rejects `context-1m-*` beta requests when using legacy Anthropic token auth (`sk-ant-oat-*`). If you configure @@ -213,33 +198,24 @@ legacy Anthropic token auth (`sk-ant-oat-*`). If you configure falls back to the standard context window by skipping the context1m beta header while keeping the required OAuth betas. -## Removed: Claude CLI backend +## Claude CLI backend -The bundled Anthropic `claude-cli` backend was removed. +The bundled Anthropic `claude-cli` backend is supported in OpenClaw. -- Anthropic's April 4, 2026 notice says OpenClaw-driven Claude-login traffic is - third-party harness usage and requires **Extra Usage**. -- Our local repros also show that direct - `claude -p --append-system-prompt ...` can hit the same guard when the - appended prompt identifies OpenClaw. -- The same OpenClaw-like system prompt does not hit that guard on the - Anthropic SDK + `ANTHROPIC_API_KEY` path. -- Use Anthropic API keys for Anthropic traffic in OpenClaw. -- If you need a local CLI fallback runtime, use another supported CLI backend - such as Codex CLI. See [/gateway/cli-backends](/gateway/cli-backends). +- Anthropic staff told us this usage is allowed again. +- OpenClaw therefore treats Claude CLI reuse and `claude -p` usage as + sanctioned for this integration unless Anthropic publishes a new policy. +- Anthropic API keys remain the clearest production path for always-on gateway + hosts and explicit server-side billing control. +- Setup and runtime details are in [/gateway/cli-backends](/gateway/cli-backends). ## Notes - Anthropic's public Claude Code docs still document direct CLI usage such as - `claude -p`, but Anthropic's separate notice to OpenClaw users says the - **OpenClaw** Claude-login path is third-party harness usage and requires - **Extra Usage** (pay-as-you-go billed separately from the subscription). - Our local repros also show that direct - `claude -p --append-system-prompt ...` can hit the same guard when the - appended prompt identifies OpenClaw, while the same prompt shape does not - reproduce on the Anthropic SDK + `ANTHROPIC_API_KEY` path. For production, we - recommend Anthropic API keys instead. -- Anthropic setup-token is available again in OpenClaw as a legacy/manual path. Anthropic's OpenClaw-specific billing notice still applies, so use it with the expectation that Anthropic requires **Extra Usage** for this path. + `claude -p`, and Anthropic staff told us OpenClaw-style Claude CLI usage is + allowed again. We are treating that guidance as settled unless Anthropic + publishes a new policy change. +- Anthropic setup-token is available again in OpenClaw as a legacy/manual path. - Auth details + reuse rules are in [/concepts/oauth](/concepts/oauth). ## Troubleshooting diff --git a/docs/reference/api-usage-costs.md b/docs/reference/api-usage-costs.md index 6d75bf034bf..9fd4cfcfede 100644 --- a/docs/reference/api-usage-costs.md +++ b/docs/reference/api-usage-costs.md @@ -31,13 +31,11 @@ OpenClaw features that can generate provider usage or paid API calls. `stats`, normalizes `stats.cached` into `cacheRead`, and derives input tokens from `stats.input_tokens - stats.cached` when needed. -Anthropic note: Anthropic's public Claude Code docs still include direct Claude -Code terminal usage in Claude plan limits. Separately, Anthropic told OpenClaw -users that starting **April 4, 2026 at 12:00 PM PT / 8:00 PM BST**, the -**OpenClaw** Claude-login path counts as third-party harness usage and -requires **Extra Usage** billed separately from the subscription. Anthropic -does not expose a per-message dollar estimate that OpenClaw can show in -`/usage full`. +Anthropic note: Anthropic staff told us OpenClaw-style Claude CLI usage is +allowed again, so OpenClaw treats Claude CLI reuse and `claude -p` usage as +sanctioned for this integration unless Anthropic publishes a new policy. +Anthropic still does not expose a per-message dollar estimate that OpenClaw can +show in `/usage full`. **CLI usage windows (provider quotas)** diff --git a/docs/reference/token-use.md b/docs/reference/token-use.md index dbb1194248c..1371097a8e2 100644 --- a/docs/reference/token-use.md +++ b/docs/reference/token-use.md @@ -177,10 +177,8 @@ This maps to Anthropic's `context-1m-2025-08-07` beta header. This only applies when `context1m: true` is set on that model entry. -Requirement: the credential must be eligible for long-context usage (API key -billing, or OpenClaw's Claude-login path with Extra Usage enabled). If not, -Anthropic responds -with `HTTP 429: rate_limit_error: Extra usage is required for long context requests`. +Requirement: the credential must be eligible for long-context usage. If not, +Anthropic responds with a provider-side rate limit error for that request. If you authenticate Anthropic with OAuth/subscription tokens (`sk-ant-oat-*`), OpenClaw skips the `context-1m-*` beta header because Anthropic currently diff --git a/docs/reference/wizard.md b/docs/reference/wizard.md index 7b2561b22d8..058c3b9bb64 100644 --- a/docs/reference/wizard.md +++ b/docs/reference/wizard.md @@ -32,7 +32,7 @@ For a high-level overview, see [Onboarding (CLI)](/start/wizard). - **Anthropic API key**: uses `ANTHROPIC_API_KEY` if present or prompts for a key, then saves it for daemon use. - **Anthropic API key**: preferred Anthropic assistant choice in onboarding/configure. - - **Anthropic setup-token (legacy/manual)**: available again in onboarding/configure, but Anthropic told OpenClaw users that the OpenClaw Claude-login path counts as third-party harness usage and requires **Extra Usage** on the Claude account. + - **Anthropic setup-token (legacy/manual)**: still available in onboarding/configure. - **OpenAI Code (Codex) subscription (Codex CLI)**: if `~/.codex/auth.json` exists, onboarding can reuse it. Reused Codex CLI credentials stay managed by Codex CLI; on expiry OpenClaw re-reads that source first and, when the provider can refresh it, writes the refreshed credential back to Codex storage instead of taking ownership itself. - **OpenAI Code (Codex) subscription (OAuth)**: browser flow; paste the `code#state`. - Sets `agents.defaults.model` to `openai-codex/gpt-5.4` when model is unset or `openai/*`. diff --git a/docs/start/wizard-cli-automation.md b/docs/start/wizard-cli-automation.md index f39cf483c91..120007d3c87 100644 --- a/docs/start/wizard-cli-automation.md +++ b/docs/start/wizard-cli-automation.md @@ -193,9 +193,7 @@ openclaw onboard --non-interactive \ Anthropic setup-token is available again as a legacy/manual onboarding path. -Use it with the expectation that Anthropic told OpenClaw users the OpenClaw -Claude-login path requires **Extra Usage**. For production, prefer an -Anthropic API key. +For production, prefer an Anthropic API key. ## Add another agent diff --git a/docs/start/wizard.md b/docs/start/wizard.md index 286502118b7..4b3801418b3 100644 --- a/docs/start/wizard.md +++ b/docs/start/wizard.md @@ -72,7 +72,7 @@ Onboarding starts with **QuickStart** (defaults) vs **Advanced** (full control). For non-interactive runs, `--secret-input-mode ref` stores env-backed refs in auth profiles instead of plaintext API key values. In non-interactive `ref` mode, the provider env var must be set; passing inline key flags without that env var fails fast. In interactive runs, choosing secret reference mode lets you point at either an environment variable or a configured provider ref (`file` or `exec`), with a fast preflight validation before saving. - For Anthropic, interactive onboarding/configure offers **Anthropic Claude CLI** as a local fallback and **Anthropic API key** as the recommended production path. Anthropic setup-token is also available again as a legacy/manual OpenClaw path, with Anthropic's OpenClaw-specific **Extra Usage** billing expectation. + For Anthropic, interactive onboarding/configure offers **Anthropic Claude CLI** as a local fallback and **Anthropic API key** as the recommended production path. Anthropic setup-token is also available again as a legacy/manual OpenClaw path. 2. **Workspace** — Location for agent files (default `~/.openclaw/workspace`). Seeds bootstrap files. 3. **Gateway** — Port, bind address, auth mode, Tailscale exposure. In interactive token mode, choose default plaintext token storage or opt into SecretRef. diff --git a/extensions/anthropic/register.runtime.ts b/extensions/anthropic/register.runtime.ts index 6137296c4cb..f4d0d02291f 100644 --- a/extensions/anthropic/register.runtime.ts +++ b/extensions/anthropic/register.runtime.ts @@ -63,7 +63,7 @@ const ANTHROPIC_OAUTH_ALLOWLIST = [ ] as const; const ANTHROPIC_SETUP_TOKEN_NOTE_LINES = [ "Anthropic setup-token auth is a legacy/manual path in OpenClaw.", - "Anthropic told OpenClaw users that OpenClaw counts as a third-party harness, so this path requires Extra Usage on the Claude account.", + "Anthropic staff told us this OpenClaw path is allowed again.", `If you want a direct API billing path instead, use ${formatCliCommand("openclaw models auth login --provider anthropic --method api-key --set-default")} or ${formatCliCommand("openclaw models auth login --provider anthropic --method cli --set-default")}.`, ] as const; @@ -386,7 +386,6 @@ export function registerAnthropicPlugin(api: OpenClawPluginApi): void { docsPath: "/providers/models", hookAliases: [CLAUDE_CLI_BACKEND_ID], envVars: ["ANTHROPIC_OAUTH_TOKEN", "ANTHROPIC_API_KEY"], - deprecatedProfileIds: [claudeCliProfileId], oauthProfileIdRepairs: [ { legacyProfileId: "anthropic:default", @@ -424,12 +423,12 @@ export function registerAnthropicPlugin(api: OpenClawPluginApi): void { { id: "setup-token", label: "Anthropic setup-token", - hint: "Legacy/manual bearer token path; requires Extra Usage when used through OpenClaw", + hint: "Legacy/manual bearer token path", kind: "token", wizard: { choiceId: "setup-token", choiceLabel: "Anthropic setup-token", - choiceHint: "Legacy/manual path; requires Extra Usage in OpenClaw", + choiceHint: "Legacy/manual path", assistantPriority: 40, groupId: "anthropic", groupLabel: "Anthropic", diff --git a/extensions/openai/openai-codex-provider.ts b/extensions/openai/openai-codex-provider.ts index 2b13d7b35c9..21464291ec5 100644 --- a/extensions/openai/openai-codex-provider.ts +++ b/extensions/openai/openai-codex-provider.ts @@ -269,7 +269,6 @@ export function buildOpenAICodexProviderPlugin(): ProviderPlugin { id: PROVIDER_ID, label: "OpenAI Codex", docsPath: "/providers/models", - deprecatedProfileIds: [CODEX_CLI_PROFILE_ID], auth: [ { id: "oauth", diff --git a/src/agents/system-prompt.ts b/src/agents/system-prompt.ts index 810a9088763..322593db1bf 100644 --- a/src/agents/system-prompt.ts +++ b/src/agents/system-prompt.ts @@ -479,11 +479,11 @@ export function buildAgentSystemPrompt(params: { // For "none" mode, return just the basic identity line if (promptMode === "none") { - return "You are a personal assistant running inside OpenClaw."; + return "You are a personal assistant operating inside OpenClaw."; } const lines = [ - "You are a personal assistant running inside OpenClaw.", + "You are a personal assistant operating inside OpenClaw.", "", "## Tooling", "Structured tool definitions are the source of truth for tool names, descriptions, and parameters.", diff --git a/src/commands/doctor-auth.deprecated-cli-profiles.test.ts b/src/commands/doctor-auth.deprecated-cli-profiles.test.ts index d8bd596583b..39389caf866 100644 --- a/src/commands/doctor-auth.deprecated-cli-profiles.test.ts +++ b/src/commands/doctor-auth.deprecated-cli-profiles.test.ts @@ -5,10 +5,7 @@ import { afterEach, beforeEach, describe, expect, it, vi } from "vitest"; import type { OpenClawConfig } from "../config/config.js"; import type { ProviderPlugin } from "../plugins/types.js"; import { captureEnv } from "../test-utils/env.js"; -import { - maybeRemoveDeprecatedCliAuthProfiles, - maybeRepairLegacyOAuthProfileIds, -} from "./doctor-auth.js"; +import { maybeRepairLegacyOAuthProfileIds } from "./doctor-auth.js"; import type { DoctorPrompter } from "./doctor-prompter.js"; import type { DoctorRepairMode } from "./doctor-repair-mode.js"; @@ -58,96 +55,6 @@ afterEach(() => { } }); -describe("maybeRemoveDeprecatedCliAuthProfiles", () => { - it("removes deprecated CLI auth profiles from store + config", async () => { - if (!tempAgentDir) { - throw new Error("Missing temp agent dir"); - } - const authPath = path.join(tempAgentDir, "auth-profiles.json"); - fs.writeFileSync( - authPath, - `${JSON.stringify( - { - version: 1, - profiles: { - "anthropic:claude-cli": { - type: "oauth", - provider: "anthropic", - access: "token-a", - refresh: "token-r", - expires: Date.now() + 60_000, - }, - "openai-codex:codex-cli": { - type: "oauth", - provider: "openai-codex", - access: "token-b", - refresh: "token-r2", - expires: Date.now() + 60_000, - }, - "openai-codex:default": { - type: "oauth", - provider: "openai-codex", - access: "token-c", - refresh: "token-r3", - expires: Date.now() + 60_000, - }, - }, - }, - null, - 2, - )}\n`, - "utf8", - ); - - resolvePluginProvidersMock.mockReturnValue([ - { - id: "anthropic", - label: "Anthropic", - auth: [], - deprecatedProfileIds: ["anthropic:claude-cli"], - }, - { - id: "openai-codex", - label: "OpenAI Codex", - auth: [], - deprecatedProfileIds: ["openai-codex:codex-cli"], - }, - ]); - - const cfg = { - auth: { - profiles: { - "anthropic:claude-cli": { provider: "anthropic", mode: "oauth" }, - "openai-codex:codex-cli": { provider: "openai-codex", mode: "oauth" }, - "openai-codex:default": { provider: "openai-codex", mode: "oauth" }, - }, - order: { - anthropic: ["anthropic:claude-cli"], - "openai-codex": ["openai-codex:codex-cli", "openai-codex:default"], - }, - }, - } as const; - - const next = await maybeRemoveDeprecatedCliAuthProfiles( - cfg as unknown as OpenClawConfig, - makePrompter(true), - ); - - const raw = JSON.parse(fs.readFileSync(authPath, "utf8")) as { - profiles?: Record; - }; - expect(raw.profiles?.["anthropic:claude-cli"]).toBeUndefined(); - expect(raw.profiles?.["openai-codex:codex-cli"]).toBeUndefined(); - expect(raw.profiles?.["openai-codex:default"]).toBeDefined(); - - expect(next.auth?.profiles?.["anthropic:claude-cli"]).toBeUndefined(); - expect(next.auth?.profiles?.["openai-codex:codex-cli"]).toBeUndefined(); - expect(next.auth?.profiles?.["openai-codex:default"]).toBeDefined(); - expect(next.auth?.order?.anthropic).toBeUndefined(); - expect(next.auth?.order?.["openai-codex"]).toEqual(["openai-codex:default"]); - }); -}); - describe("maybeRepairLegacyOAuthProfileIds", () => { it("repairs provider-owned legacy OAuth profile ids", async () => { if (!tempAgentDir) { diff --git a/src/commands/doctor-auth.ts b/src/commands/doctor-auth.ts index a12e162c36f..945351c945e 100644 --- a/src/commands/doctor-auth.ts +++ b/src/commands/doctor-auth.ts @@ -11,16 +11,11 @@ import { resolveProfileUnusableUntilForDisplay, } from "../agents/auth-profiles.js"; import { formatAuthDoctorHint } from "../agents/auth-profiles/doctor.js"; -import { updateAuthProfileStoreWithLock } from "../agents/auth-profiles/store.js"; -import { formatCliCommand } from "../cli/command-format.js"; import type { OpenClawConfig } from "../config/config.js"; import { resolvePluginProviders } from "../plugins/providers.runtime.js"; import { note } from "../terminal/note.js"; import type { DoctorPrompter } from "./doctor-prompter.js"; -import { - buildProviderAuthRecoveryHint, - resolveProviderAuthLoginCommand, -} from "./provider-auth-guidance.js"; +import { buildProviderAuthRecoveryHint } from "./provider-auth-guidance.js"; export async function maybeRepairLegacyOAuthProfileIds( cfg: OpenClawConfig, @@ -59,167 +54,6 @@ export async function maybeRepairLegacyOAuthProfileIds( return nextCfg; } -function pruneAuthOrder( - order: Record | undefined, - profileIds: Set, -): { next: Record | undefined; changed: boolean } { - if (!order) { - return { next: order, changed: false }; - } - let changed = false; - const next: Record = {}; - for (const [provider, list] of Object.entries(order)) { - const filtered = list.filter((id) => !profileIds.has(id)); - if (filtered.length !== list.length) { - changed = true; - } - if (filtered.length > 0) { - next[provider] = filtered; - } - } - return { next: Object.keys(next).length > 0 ? next : undefined, changed }; -} - -function pruneAuthProfiles( - cfg: OpenClawConfig, - profileIds: Set, -): { next: OpenClawConfig; changed: boolean } { - const profiles = cfg.auth?.profiles; - const order = cfg.auth?.order; - const nextProfiles = profiles ? { ...profiles } : undefined; - let changed = false; - - if (nextProfiles) { - for (const id of profileIds) { - if (id in nextProfiles) { - delete nextProfiles[id]; - changed = true; - } - } - } - - const prunedOrder = pruneAuthOrder(order, profileIds); - if (prunedOrder.changed) { - changed = true; - } - - if (!changed) { - return { next: cfg, changed: false }; - } - - const nextAuth = - nextProfiles || prunedOrder.next - ? { - ...cfg.auth, - profiles: nextProfiles && Object.keys(nextProfiles).length > 0 ? nextProfiles : undefined, - order: prunedOrder.next, - } - : undefined; - - return { - next: { - ...cfg, - auth: nextAuth, - }, - changed: true, - }; -} - -export async function maybeRemoveDeprecatedCliAuthProfiles( - cfg: OpenClawConfig, - prompter: DoctorPrompter, -): Promise { - const store = ensureAuthProfileStore(undefined, { allowKeychainPrompt: false }); - const providers = resolvePluginProviders({ - config: cfg, - env: process.env, - mode: "setup", - }); - const deprecatedEntries = providers.flatMap((provider) => - (provider.deprecatedProfileIds ?? []) - .filter((profileId) => store.profiles[profileId] || cfg.auth?.profiles?.[profileId]) - .map((profileId) => ({ - profileId, - providerId: provider.id, - providerLabel: provider.label, - })), - ); - const deprecated = new Set(deprecatedEntries.map((entry) => entry.profileId)); - - if (deprecated.size === 0) { - return cfg; - } - - const lines = ["Deprecated external CLI auth profiles detected (no longer supported):"]; - for (const entry of deprecatedEntries) { - const authCommand = - resolveProviderAuthLoginCommand({ - provider: entry.providerId, - config: cfg, - env: process.env, - }) ?? formatCliCommand("openclaw configure"); - lines.push(`- ${entry.profileId} (${entry.providerLabel}): use ${authCommand}`); - } - note(lines.join("\n"), "Auth profiles"); - - const shouldRemove = await prompter.confirmAutoFix({ - message: "Remove deprecated CLI auth profiles now?", - initialValue: true, - }); - if (!shouldRemove) { - return cfg; - } - - await updateAuthProfileStoreWithLock({ - updater: (nextStore) => { - let mutated = false; - for (const id of deprecated) { - if (nextStore.profiles[id]) { - delete nextStore.profiles[id]; - mutated = true; - } - if (nextStore.usageStats?.[id]) { - delete nextStore.usageStats[id]; - mutated = true; - } - } - if (nextStore.order) { - for (const [provider, list] of Object.entries(nextStore.order)) { - const filtered = list.filter((id) => !deprecated.has(id)); - if (filtered.length !== list.length) { - mutated = true; - if (filtered.length > 0) { - nextStore.order[provider] = filtered; - } else { - delete nextStore.order[provider]; - } - } - } - } - if (nextStore.lastGood) { - for (const [provider, profileId] of Object.entries(nextStore.lastGood)) { - if (deprecated.has(profileId)) { - delete nextStore.lastGood[provider]; - mutated = true; - } - } - } - return mutated; - }, - }); - - const pruned = pruneAuthProfiles(cfg, deprecated); - if (pruned.changed) { - note( - Array.from(deprecated.values()) - .map((id) => `- removed ${id} from config`) - .join("\n"), - "Doctor changes", - ); - } - return pruned.next; -} - type AuthIssue = { profileId: string; provider: string; diff --git a/src/commands/models/auth.test.ts b/src/commands/models/auth.test.ts index fdfb75b444f..f8221ed60de 100644 --- a/src/commands/models/auth.test.ts +++ b/src/commands/models/auth.test.ts @@ -598,7 +598,7 @@ describe("modelsAuthLoginCommand", () => { "Anthropic setup-token auth is a legacy/manual path in OpenClaw.", ); expect(runtime.log).toHaveBeenCalledWith( - "Anthropic told OpenClaw users this path requires Extra Usage on the Claude account.", + "Anthropic staff told us this OpenClaw path is allowed again.", ); }); diff --git a/src/commands/models/auth.ts b/src/commands/models/auth.ts index 957c1a61014..d76e733408f 100644 --- a/src/commands/models/auth.ts +++ b/src/commands/models/auth.ts @@ -421,9 +421,7 @@ export async function modelsAuthPasteTokenCommand( runtime.log(`Auth profile: ${profileId} (${provider}/token)`); if (provider === "anthropic") { runtime.log("Anthropic setup-token auth is a legacy/manual path in OpenClaw."); - runtime.log( - "Anthropic told OpenClaw users this path requires Extra Usage on the Claude account.", - ); + runtime.log("Anthropic staff told us this OpenClaw path is allowed again."); } } diff --git a/src/flows/doctor-health-contributions.ts b/src/flows/doctor-health-contributions.ts index 25cb8de845f..5f24f03de36 100644 --- a/src/flows/doctor-health-contributions.ts +++ b/src/flows/doctor-health-contributions.ts @@ -10,7 +10,6 @@ import { import { runChannelPluginStartupMaintenance } from "../channels/plugins/lifecycle-startup.js"; import { formatCliCommand } from "../cli/command-format.js"; import { - maybeRemoveDeprecatedCliAuthProfiles, maybeRepairLegacyOAuthProfileIds, noteAuthProfileHealth, } from "../commands/doctor-auth.js"; @@ -143,7 +142,6 @@ async function runGatewayConfigHealth(ctx: DoctorHealthFlowContext): Promise { ctx.cfg = await maybeRepairLegacyOAuthProfileIds(ctx.cfg, ctx.prompter); - ctx.cfg = await maybeRemoveDeprecatedCliAuthProfiles(ctx.cfg, ctx.prompter); await noteAuthProfileHealth({ cfg: ctx.cfg, prompter: ctx.prompter,