OAuth
Clawdbot supports “subscription auth” via OAuth for providers that offer it (notably Anthropic (Claude Pro/Max) and OpenAI Codex (ChatGPT OAuth)). This page explains:- how the OAuth token exchange works (PKCE)
- where tokens are stored (and why)
- how we reuse external CLI tokens (Claude Code / Codex CLI)
- how to handle multiple accounts (profiles + per-session overrides)
The token sink (why it exists)
OAuth providers commonly mint a new refresh token during login/refresh flows. Some providers (or OAuth clients) can invalidate older refresh tokens when a new one is issued for the same user/app. Practical symptom:- you log in via Clawdbot and via Claude Code / Codex CLI → one of them randomly gets “logged out” later
auth-profiles.json as a token sink:
- the runtime reads credentials from one place
- we can sync in credentials from external CLIs instead of doing a second login
- we can keep multiple profiles and route them deterministically
Storage (where tokens live)
Secrets are stored per-agent:- Auth profiles (OAuth + API keys):
~/.clawdbot/agents/<agentId>/agent/auth-profiles.json - Runtime cache (managed automatically; don’t edit):
~/.clawdbot/agents/<agentId>/agent/auth.json
~/.clawdbot/credentials/oauth.json(imported intoauth-profiles.jsonon first use)
$CLAWDBOT_STATE_DIR (state dir override). Full reference: /gateway/configuration
Reusing Claude Code / Codex CLI OAuth tokens (recommended)
If you already signed in with the external CLIs on the gateway host, Clawdbot can reuse those tokens without starting a separate OAuth flow:- Claude Code:
anthropic:claude-cli- macOS: Keychain item “Claude Code-credentials” (choose “Always Allow” to avoid launchd prompts)
- Linux/Windows:
~/.claude/.credentials.json
- Codex CLI: reads
~/.codex/auth.json→ profileopenai-codex:codex-cli
clawdbot models status
in a terminal once if the Gateway runs headless and can’t access the entry.
How to verify:
OAuth exchange (how login works)
Clawdbot’s interactive login flows are implemented in@mariozechner/pi-ai and wired into the wizards/commands.
Anthropic (Claude Pro/Max)
Flow shape (PKCE):- generate PKCE verifier/challenge
- open
https://claude.ai/oauth/authorize?... - user pastes
code#state - exchange at
https://console.anthropic.com/v1/oauth/token - store
{ access, refresh, expires }under an auth profile
clawdbot onboard → auth choice oauth (Anthropic).
OpenAI Codex (ChatGPT OAuth)
Flow shape (PKCE):- generate PKCE verifier/challenge + random
state - open
https://auth.openai.com/oauth/authorize?... - try to capture callback on
http://127.0.0.1:1455/auth/callback - if callback can’t bind (or you’re remote/headless), paste the redirect URL/code
- exchange at
https://auth.openai.com/oauth/token - extract
accountIdfrom the access token and store{ access, refresh, expires, accountId }
clawdbot onboard → auth choice openai-codex (or codex-cli to reuse an existing Codex CLI login).
Refresh + expiry
Profiles store anexpires timestamp.
At runtime:
- if
expiresis in the future → use the stored access token - if expired → refresh (under a file lock) and overwrite the stored credentials
Multiple accounts (profiles) + routing
Two patterns:1) Preferred: separate agents
If you want “personal” and “work” to never interact, use isolated agents (separate sessions + credentials + workspace):2) Advanced: multiple profiles in one agent
auth-profiles.json supports multiple profile IDs for the same provider.
Pick which profile is used:
- globally via config ordering (
auth.order) - per-session via
/model ...@<profileId>
/model Opus@anthropic:work
clawdbot providers list --json(showsauth[])
- /concepts/model-failover (rotation + cooldown rules)
- /tools/slash-commands (command surface)