2026-01-09 00:32:48 +00:00
---
2026-04-06 15:30:49 +01:00
summary: "Model authentication: OAuth, API keys, Claude CLI reuse, and Anthropic setup-token"
2026-01-09 00:32:48 +00:00
read_when:
- Debugging model auth or OAuth expiry
- Documenting authentication or credential storage
2026-01-31 16:04:03 -05:00
title: "Authentication"
2026-01-09 00:32:48 +00:00
---
2026-01-31 21:13:13 +09:00
2026-03-31 14:23:59 +09:00
# Authentication (Model Providers)
<Note>
2026-04-06 15:30:49 +01:00
This page covers **model provider ** authentication (API keys, OAuth, Claude CLI reuse, and Anthropic setup-token). For **gateway connection ** authentication (token, password, trusted-proxy), see [Configuration ](/gateway/configuration ) and [Trusted Proxy Auth ](/gateway/trusted-proxy-auth ).
2026-03-31 14:23:59 +09:00
</Note>
2026-01-09 09:42:05 +10:30
2026-03-03 00:02:25 +00:00
OpenClaw supports OAuth and API keys for model providers. For always-on gateway
hosts, API keys are usually the most predictable option. Subscription/OAuth
flows are also supported when they match your provider account model.
2026-01-09 09:42:05 +10:30
2026-01-09 00:32:48 +00:00
See [/concepts/oauth ](/concepts/oauth ) for the full OAuth flow and storage
layout.
2026-02-25 17:58:10 -06:00
For SecretRef-based auth (`env` /`file` /`exec` providers), see [Secrets Management ](/gateway/secrets ).
2026-03-03 20:29:46 -06:00
For credential eligibility/reason-code rules used by `models status --probe` , see
[Auth Credential Semantics ](/auth-credential-semantics ).
2026-01-09 09:42:05 +10:30
2026-03-03 00:02:25 +00:00
## Recommended setup (API key, any provider)
2026-01-09 15:29:50 +01:00
2026-03-03 00:02:25 +00:00
If you’ re running a long-lived gateway, start with an API key for your chosen
provider.
2026-04-06 14:20:51 +01:00
For Anthropic specifically, API key auth is still the most predictable server
setup, but OpenClaw also supports reusing a local Claude CLI login.
2026-01-10 17:36:50 +01:00
2026-03-03 00:02:25 +00:00
1. Create an API key in your provider console.
2026-01-31 21:13:13 +09:00
2. Put it on the **gateway host ** (the machine running `openclaw gateway` ).
2026-01-09 15:29:50 +01:00
``` bash
2026-03-03 00:02:25 +00:00
export <PROVIDER>_API_KEY= "..."
2026-01-30 03:15:10 +01:00
openclaw models status
2026-01-09 15:29:50 +01:00
```
2026-02-06 10:00:08 -05:00
3. If the Gateway runs under systemd/launchd, prefer putting the key in
2026-01-31 21:13:13 +09:00
`~/.openclaw/.env` so the daemon can read it:
2026-01-10 17:36:50 +01:00
``` bash
2026-01-30 03:15:10 +01:00
cat >> ~/.openclaw/.env <<'EOF'
2026-03-03 00:02:25 +00:00
<PROVIDER>_API_KEY=...
2026-01-10 17:36:50 +01:00
EOF
```
Then restart the daemon (or restart your Gateway process) and re-check:
2026-01-09 15:29:50 +01:00
``` bash
2026-01-30 03:15:10 +01:00
openclaw models status
openclaw doctor
2026-01-09 15:29:50 +01:00
```
2026-03-16 19:50:31 -05:00
If you’ d rather not manage env vars yourself, onboarding can store
2026-03-16 05:50:48 +00:00
API keys for daemon use: `openclaw onboard` .
2026-01-10 17:36:50 +01:00
2026-01-16 23:10:10 +00:00
See [Help ](/help ) for details on env inheritance (`env.shellEnv` ,
2026-01-30 03:15:10 +01:00
`~/.openclaw/.env` , systemd/launchd).
2026-01-10 17:36:50 +01:00
2026-04-06 15:30:49 +01:00
## Anthropic: Claude CLI and token compatibility
2026-01-10 17:36:50 +01:00
2026-04-06 15:30:49 +01:00
Anthropic setup-token auth is still available in OpenClaw as a supported token
2026-04-06 14:20:51 +01:00
path. Anthropic staff has since told us that OpenClaw-style Claude CLI usage is
allowed again, so OpenClaw treats Claude CLI reuse and `claude -p` usage as
2026-04-06 15:30:49 +01:00
sanctioned for this integration unless Anthropic publishes a new policy. When
Claude CLI reuse is available on the host, that is now the preferred path.
2026-01-09 17:50:34 +01:00
2026-04-06 14:20:51 +01:00
For long-lived gateway hosts, an Anthropic API key is still the most predictable
setup. If you want to reuse an existing Claude login on the same host, use the
Anthropic Claude CLI path in onboarding/configure.
2026-04-04 22:05:05 +01:00
2026-01-10 17:36:50 +01:00
Manual token entry (any provider; writes `auth-profiles.json` + updates config):
2026-01-09 09:42:05 +10:30
``` bash
2026-01-30 03:15:10 +01:00
openclaw models auth paste-token --provider openrouter
2026-01-09 09:42:05 +10:30
```
2026-02-24 16:26:51 -06:00
Auth profile refs are also supported for static credentials:
2026-02-25 17:58:10 -06:00
- `api_key` credentials can use `keyRef: { source, provider, id }`
- `token` credentials can use `tokenRef: { source, provider, id }`
2026-03-31 02:37:31 -05:00
- OAuth-mode profiles do not support SecretRef credentials; if `auth.profiles.<id>.mode` is set to `"oauth"` , SecretRef-backed `keyRef` /`tokenRef` input for that profile is rejected.
2026-02-24 16:26:51 -06:00
2026-01-09 00:32:48 +00:00
Automation-friendly check (exit `1` when expired/missing, `2` when expiring):
2026-01-09 09:42:05 +10:30
``` bash
2026-01-30 03:15:10 +01:00
openclaw models status --check
2026-01-09 09:42:05 +10:30
```
2026-04-04 20:51:43 +01:00
Live auth probes:
``` bash
openclaw models status --probe
```
Notes:
- Probe rows can come from auth profiles, env credentials, or `models.json` .
- If explicit `auth.order.<provider>` omits a stored profile, probe reports
`excluded_by_auth_order` for that profile instead of trying it.
- If auth exists but OpenClaw cannot resolve a probeable model candidate for
that provider, probe reports `status: no_model` .
2026-04-04 20:54:05 +01:00
- Rate-limit cooldowns can be model-scoped. A profile cooling down for one
model can still be usable for a sibling model on the same provider.
2026-04-04 20:51:43 +01:00
2026-01-09 00:32:48 +00:00
Optional ops scripts (systemd/Termux) are documented here:
2026-04-03 03:16:41 +09:00
[Auth monitoring scripts ](/help/scripts#auth-monitoring-scripts )
2026-01-09 09:42:05 +10:30
2026-04-05 18:04:36 +01:00
## Anthropic note
2026-03-26 23:03:02 +00:00
2026-04-06 14:20:51 +01:00
The Anthropic `claude-cli` backend is supported again.
2026-04-04 14:38:29 +09:00
2026-04-06 14:20:51 +01:00
- Anthropic staff told us this OpenClaw integration path is allowed again.
- OpenClaw therefore treats Claude CLI reuse and `claude -p` usage as sanctioned
for Anthropic-backed runs unless Anthropic publishes a new policy.
- Anthropic API keys remain the most predictable choice for long-lived gateway
hosts and explicit server-side billing control.
2026-04-04 14:49:42 +09:00
2026-01-09 00:32:48 +00:00
## Checking model auth status
2026-01-09 09:42:05 +10:30
``` bash
2026-01-30 03:15:10 +01:00
openclaw models status
openclaw doctor
2026-01-09 09:42:05 +10:30
```
2026-02-18 01:31:11 +01:00
## API key rotation behavior (gateway)
Some providers support retrying a request with alternative keys when an API call
hits a provider rate limit.
- Priority order:
- `OPENCLAW_LIVE_<PROVIDER>_KEY` (single override)
- `<PROVIDER>_API_KEYS`
- `<PROVIDER>_API_KEY`
- `<PROVIDER>_API_KEY_*`
- Google providers also include `GOOGLE_API_KEY` as an additional fallback.
- The same key list is deduplicated before use.
- OpenClaw retries with the next key only for rate-limit errors (for example
2026-04-04 20:43:58 +01:00
`429` , `rate_limit` , `quota` , `resource exhausted` , `Too many concurrent
requests` , `ThrottlingException` , `concurrency limit reached` , or
`workers_ai ... quota limit exceeded` ).
2026-02-18 01:31:11 +01:00
- Non-rate-limit errors are not retried with alternate keys.
- If all keys fail, the final error from the last attempt is returned.
2026-01-09 14:17:49 +00:00
## Controlling which credential is used
### Per-session (chat command)
2026-01-26 19:04:46 +00:00
Use `/model <alias-or-id>@<profileId>` to pin a specific provider credential for the current session (example profile ids: `anthropic:default` , `anthropic:work` ).
2026-01-12 06:38:16 +00:00
Use `/model` (or `/model list` ) for a compact picker; use `/model status` for the full view (candidates + next auth profile, plus provider endpoint details when configured).
2026-01-09 14:17:49 +00:00
### Per-agent (CLI override)
2026-04-06 13:41:44 +01:00
Set an explicit auth profile order override for an agent (stored in that agent’ s `auth-state.json` ):
2026-01-09 14:17:49 +00:00
``` bash
2026-01-30 03:15:10 +01:00
openclaw models auth order get --provider anthropic
openclaw models auth order set --provider anthropic anthropic:default
openclaw models auth order clear --provider anthropic
2026-01-09 14:17:49 +00:00
```
Use `--agent <id>` to target a specific agent; omit it to use the configured default agent.
2026-04-04 20:51:43 +01:00
When you debug order issues, `openclaw models status --probe` shows omitted
stored profiles as `excluded_by_auth_order` instead of silently skipping them.
2026-04-04 20:54:05 +01:00
When you debug cooldown issues, remember that rate-limit cooldowns can be tied
to one model id rather than the whole provider profile.
2026-01-09 14:17:49 +00:00
2026-01-09 00:32:48 +00:00
## Troubleshooting
2026-01-09 09:42:05 +10:30
2026-03-18 01:31:25 -07:00
### "No credentials found"
2026-01-09 09:42:05 +10:30
2026-04-05 18:04:36 +01:00
If the Anthropic profile is missing, configure an Anthropic API key on the
2026-04-06 15:30:49 +01:00
**gateway host ** or set up the Anthropic setup-token path, then re-check:
2026-01-09 09:42:05 +10:30
``` bash
2026-01-30 03:15:10 +01:00
openclaw models status
2026-01-09 09:42:05 +10:30
```
2026-01-09 00:32:48 +00:00
### Token expiring/expired
2026-04-06 15:30:49 +01:00
Run `openclaw models status` to confirm which profile is expiring. If an
2026-04-05 18:04:36 +01:00
Anthropic token profile is missing or expired, refresh that setup via
setup-token or migrate to an Anthropic API key.