fix: remove Anthropic OAuth token refreshes to protect Claude Code auth #531
Open
Pizzaface wants to merge 1 commit into
PizzaPi was calling getApiKey('anthropic') which triggers OAuth token
refresh, rotating the access/refresh token pair. This breaks Claude Code's
own auth because its stored tokens become stale.
Changes:
- Removed getRefreshedOAuthToken entirely — raw token reads only
- Removed keychain credential sync (syncKeychainToAuthStorage,
syncKeychainToAuthJsonFile) from worker and daemon
- Replaced getApiKey calls with getOAuthAccessToken in usage cache and CLI
- Updated tests accordingly
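
The failure mode this commit message describes, as an added TypeScript example that is not code from the pull request or from PizzaPi. It is a constructed in-memory simulation: `RotatingAuthServer` and `ownerCanStillRefresh` are hypothetical names, and the single-use refresh-token behaviour is an assumption modelled on the rotation the description reports.

```typescript
// Constructed simulation; the server and both clients are stand-ins, not real APIs.
type TokenPair = { access: string; refresh: string };

class RotatingAuthServer {
  private validRefresh: Record<string, boolean> = {};
  private counter = 0;

  issue(): TokenPair {
    this.counter += 1;
    const pair = { access: `at-${this.counter}`, refresh: `rt-${this.counter}` };
    this.validRefresh[pair.refresh] = true;
    return pair;
  }

  // Rotation: a refresh token is single-use. Redeeming it revokes it and
  // returns a new pair, so every other holder of the old token is locked out.
  refresh(refreshToken: string): TokenPair {
    if (!this.validRefresh[refreshToken]) throw new Error("invalid_grant");
    delete this.validRefresh[refreshToken];
    return this.issue();
  }
}

// One scenario: the owning client (hypothetical stand-in for Claude Code) stores
// a pair, a second tool holds a copy of it, then the owner tries to refresh.
function ownerCanStillRefresh(secondToolRefreshes: boolean): boolean {
  const server = new RotatingAuthServer();
  const ownerStore: TokenPair = server.issue();
  const toolCopy: TokenPair = { ...ownerStore };

  if (secondToolRefreshes) {
    // Before the change: the second tool redeems the shared refresh token.
    server.refresh(toolCopy.refresh);
  } else {
    // After the change: raw read only; the token is used as-is, never redeemed.
    void toolCopy.access;
  }

  try {
    server.refresh(ownerStore.refresh);
    return true;
  } catch {
    return false; // invalid_grant: the owner's stored refresh token is stale
  }
}

console.log("tool refreshes  -> owner ok:", ownerCanStillRefresh(true));
console.log("tool reads only -> owner ok:", ownerCanStillRefresh(false));
```
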
PizzaPi was calling getApiKey('anthropic') which triggers OAuth token refresh, rotating the access/refresh token pair. This breaks Claude Code's own auth because its stored tokens become stale.

Changes

- usage-auth.ts — Removed getRefreshedOAuthToken() entirely; only raw token reads remain
- runner-usage-cache.ts — Replaced getRefreshedOAuthToken with getOAuthAccessToken for Anthropic and Codex
- index.ts — pizzapi usage command now reads raw token instead of calling getApiKey()
- worker.ts — Removed syncKeychainToAuthStorage() call that injected Claude Code's Keychain credentials
- daemon.ts — Removed 2-minute periodic syncKeychainToAuthJsonFile sync loop
- keychain-auth.ts — Removed sync/write functions; read-only functions remain

Why

When getApiKey(anthropic) runs, it uses the refresh token to get a new access token from Anthropic's OAuth endpoint. This rotates the token pair, invalidating the refresh token Claude Code itself holds. Claude Code's subsequent API calls fail because its stored token is now stale.

Verification