docs/concepts/oauth.md
OpenClaw supports “subscription auth” via OAuth for providers that offer it (notably OpenAI Codex (ChatGPT OAuth)). For Anthropic, the practical split is now:
OpenAI Codex OAuth is explicitly supported for use in external tools like OpenClaw. This page explains:
For Anthropic in production, API key auth is the safer recommended path.
OpenClaw also supports provider plugins that ship their own OAuth or API‑key flows. Run them via:
openclaw models auth login --provider <id>
OAuth providers commonly mint a new refresh token during login/refresh flows. Some providers (or OAuth clients) can invalidate older refresh tokens when a new one is issued for the same user/app.
Practical symptom:
To reduce that, OpenClaw treats auth-profiles.json as a token sink:
openai-codex:default profile, but once OpenClaw has a local OAuth profile,
the local refresh token is canonical; other integrations can remain
externally managed and re-read their CLI auth storeSecrets are stored in agent auth stores:
~/.openclaw/agents/<agentId>/agent/auth-profiles.json~/.openclaw/agents/<agentId>/agent/auth.json
(static api_key entries are scrubbed when discovered)Legacy import-only file (still supported, but not the main store):
~/.openclaw/credentials/oauth.json (imported into auth-profiles.json on first use)All of the above also respect $OPENCLAW_STATE_DIR (state dir override). Full reference: /gateway/configuration
For static secret refs and runtime snapshot activation behavior, see Secrets Management.
When a secondary agent has no local auth profile, OpenClaw uses read-through
inheritance from the default/main agent store. It does not clone the main
agent's auth-profiles.json on read. OAuth refresh tokens are especially
sensitive: normal copy flows skip them by default because some providers rotate
or invalidate refresh tokens after use. Configure a separate OAuth login for an
agent when it needs an independent account.
For Anthropic's current direct-Claude-Code plan docs, see Using Claude Code with your Pro or Max plan and Using Claude Code with your Team or Enterprise plan.
If you want other subscription-style options in OpenClaw, see OpenAI Codex, Qwen Cloud Coding Plan, MiniMax Coding Plan, and Z.AI / GLM Coding Plan. </Warning>
OpenClaw also exposes Anthropic setup-token as a supported token-auth path, but it now prefers Claude CLI reuse and claude -p when available.
OpenClaw supports Anthropic Claude CLI reuse again. If you already have a local Claude login on the host, onboarding/configure can reuse it directly.
OpenClaw’s interactive login flows are implemented in @mariozechner/pi-ai and wired into the wizards/commands.
Flow shape:
anthropic/...OpenAI Codex OAuth is explicitly supported for use outside the Codex CLI, including OpenClaw workflows.
Flow shape (PKCE):
statehttps://auth.openai.com/oauth/authorize?...http://127.0.0.1:1455/auth/callbackhttps://auth.openai.com/oauth/tokenaccountId from the access token and store { access, refresh, expires, accountId }Wizard path is openclaw onboard → auth choice openai-codex.
Profiles store an expires timestamp.
At runtime:
expires is in the future → use the stored access tokenopenai-codex:default profile, then OpenClaw-owned refreshes keep the local
profile canonical.The refresh flow is automatic; you generally don't need to manage tokens manually.
Two patterns:
If you want “personal” and “work” to never interact, use isolated agents (separate sessions + credentials + workspace):
openclaw agents add work
openclaw agents add personal
Then configure auth per-agent (wizard) and route chats to the right agent.
auth-profiles.json supports multiple profile IDs for the same provider.
Pick which profile is used:
auth.order)/model ...@<profileId>Example (session override):
/model Opus@anthropic:workHow to see what profile IDs exist:
openclaw channels list --json (shows auth[])Related docs: