fix(anthropic): prefer claude cli over setup-token

Peter Steinberger
2026-04-06 15:30:49 +01:00
parent b535d1e2b9
commit ac38f332c5
14 changed files with 33 additions and 27 deletions

View File

@@ -1485,7 +1485,7 @@ production, prefer an Anthropic API key or another supported
subscription-style provider such as OpenAI Codex, Alibaba Cloud Model Studio
Coding Plan, MiniMax Coding Plan, or Z.AI / GLM Coding Plan.
Anthropic setup-token is available again as a legacy/manual auth path.
Anthropic setup-token remains available as a supported token-auth path, but OpenClaw now prefers Claude CLI reuse and `claude -p` when available.
### `models` (root)
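Review bot: The replacement sentence calls setup-token a "supported token-auth path", while the next hunk in this file uses "supported OpenClaw token path" for the same thing and another file in this commit adds "supported onboarding token path". Pick one term and use it in every added line, so a reader searching the docs does not take these for different auth methods.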
@@ -1595,7 +1595,7 @@ Notes:
- `setup-token` and `paste-token` are generic token commands for providers that expose token auth methods.
- `setup-token` requires an interactive TTY and runs the provider's token-auth method.
- `paste-token` prompts for the token value and defaults to auth profile id `<provider>:manual` when `--profile-id` is omitted.
- Anthropic `setup-token` / `paste-token` are available again as a legacy/manual OpenClaw path.
- Anthropic `setup-token` / `paste-token` remain available as a supported OpenClaw token path, but OpenClaw now prefers Claude CLI reuse and `claude -p` when available.
### `models auth order get|set|clear`

View File

@@ -131,4 +131,4 @@ Notes:
- `paste-token --expires-in <duration>` stores an absolute token expiry from a
relative duration such as `365d` or `12h`.
- Anthropic note: Anthropic staff told us OpenClaw-style Claude CLI usage is allowed again, so OpenClaw treats Claude CLI reuse and `claude -p` usage as sanctioned for this integration unless Anthropic publishes a new policy.
- Anthropic `setup-token` / `paste-token` remain available as a legacy/manual OpenClaw path.
- Anthropic `setup-token` / `paste-token` remain available as a supported OpenClaw token path, but OpenClaw now prefers Claude CLI reuse and `claude -p` when available.

View File

@@ -274,7 +274,7 @@ OpenClaw ships with the piai catalog. These providers require **no**
- CLI: `openclaw onboard --auth-choice apiKey`
- Direct public Anthropic requests support the shared `/fast` toggle and `params.fastMode`, including API-key and OAuth-authenticated traffic sent to `api.anthropic.com`; OpenClaw maps that to Anthropic `service_tier` (`auto` vs `standard_only`)
- Anthropic note: Anthropic staff told us OpenClaw-style Claude CLI usage is allowed again, so OpenClaw treats Claude CLI reuse and `claude -p` usage as sanctioned for this integration unless Anthropic publishes a new policy.
- Anthropic setup-token is available again as a legacy/manual OpenClaw path.
- Anthropic setup-token remains available as a supported OpenClaw token path, but OpenClaw now prefers Claude CLI reuse and `claude -p` when available.
```json5
{

View File

@@ -87,7 +87,7 @@ Plan](/providers/qwen), [MiniMax Coding Plan](/providers/minimax),
and [Z.AI / GLM Coding Plan](/providers/glm).
</Warning>
OpenClaw now exposes Anthropic setup-token again as a legacy/manual path.
OpenClaw also exposes Anthropic setup-token as a supported token-auth path, but it now prefers Claude CLI reuse and `claude -p` when available.
## Anthropic Claude CLI migration

View File

@@ -1,5 +1,5 @@
---
summary: "Model authentication: OAuth, API keys, Claude CLI reuse, and legacy Anthropic setup-token"
summary: "Model authentication: OAuth, API keys, Claude CLI reuse, and Anthropic setup-token"
read_when:
- Debugging model auth or OAuth expiry
- Documenting authentication or credential storage
@@ -9,7 +9,7 @@ title: "Authentication"
# Authentication (Model Providers)
<Note>
This page covers **model provider** authentication (API keys, OAuth, Claude CLI reuse, and legacy Anthropic setup-token). For **gateway connection** authentication (token, password, trusted-proxy), see [Configuration](/gateway/configuration) and [Trusted Proxy Auth](/gateway/trusted-proxy-auth).
This page covers **model provider** authentication (API keys, OAuth, Claude CLI reuse, and Anthropic setup-token). For **gateway connection** authentication (token, password, trusted-proxy), see [Configuration](/gateway/configuration) and [Trusted Proxy Auth](/gateway/trusted-proxy-auth).
</Note>
OpenClaw supports OAuth and API keys for model providers. For always-on gateway
@@ -59,12 +59,13 @@ API keys for daemon use: `openclaw onboard`.
See [Help](/help) for details on env inheritance (`env.shellEnv`,
`~/.openclaw/.env`, systemd/launchd).
## Anthropic: Claude CLI and legacy token compatibility
## Anthropic: Claude CLI and token compatibility
Anthropic setup-token auth is still available in OpenClaw as a legacy/manual
Anthropic setup-token auth is still available in OpenClaw as a supported token
path. Anthropic staff has since told us that OpenClaw-style Claude CLI usage is
allowed again, so OpenClaw treats Claude CLI reuse and `claude -p` usage as
sanctioned for this integration unless Anthropic publishes a new policy.
sanctioned for this integration unless Anthropic publishes a new policy. When
Claude CLI reuse is available on the host, that is now the preferred path.
For long-lived gateway hosts, an Anthropic API key is still the most predictable
setup. If you want to reuse an existing Claude login on the same host, use the
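Review bot: Renaming the heading from "Anthropic: Claude CLI and legacy token compatibility" to "Anthropic: Claude CLI and token compatibility" will change the section anchor if the docs site derives anchors from heading text, so links to the old slug would stop resolving; search the docs for the old anchor before merging. In the paragraph under it, "has since told us" was written as a contrast to the legacy wording and has nothing left to contrast with now that the first sentence says "supported token path".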
@@ -172,7 +173,7 @@ to one model id rather than the whole provider profile.
### "No credentials found"
If the Anthropic profile is missing, configure an Anthropic API key on the
**gateway host** or set up the legacy Anthropic setup-token path, then re-check:
**gateway host** or set up the Anthropic setup-token path, then re-check:
```bash
openclaw models status
@@ -180,6 +181,6 @@ openclaw models status
### Token expiring/expired
Run `openclaw models status` to confirm which profile is expiring. If a legacy
Run `openclaw models status` to confirm which profile is expiring. If an
Anthropic token profile is missing or expired, refresh that setup via
setup-token or migrate to an Anthropic API key.
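Review bot: Both troubleshooting entries in this file, "No credentials found" and "Token expiring/expired", still offer only setup-token or an API key as the remedy. With "legacy" dropped and Claude CLI reuse declared the preferred path earlier on the same page, these entries should also tell the reader to check the Claude CLI login on the host; as written the remediation steps point at the bearer-token path and never mention the preferred one.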

View File

@@ -307,7 +307,7 @@ Doctor checks:
Doctor inspects OAuth profiles in the auth store, warns when tokens are
expiring/expired, and can refresh them when safe. If the Anthropic
OAuth/token profile is stale, it suggests an Anthropic API key or the legacy
OAuth/token profile is stale, it suggests an Anthropic API key or the
Anthropic setup-token path.
Refresh prompts only appear when running interactively (TTY); `--non-interactive`
skips refresh attempts.

View File

@@ -565,7 +565,7 @@ Quick answers plus deeper troubleshooting for real-world setups (local dev, VPS,
<Accordion title="What does onboarding actually do?">
`openclaw onboard` is the recommended setup path. In **local mode** it walks you through:
- **Model/auth setup** (provider OAuth, API keys, Anthropic legacy setup-token, plus local model options such as LM Studio)
- **Model/auth setup** (provider OAuth, API keys, Anthropic setup-token, plus local model options such as LM Studio)
- **Workspace** location + bootstrap files
- **Gateway settings** (bind/port/auth/tailscale)
- **Channels** (WhatsApp, Telegram, Discord, Mattermost, Signal, iMessage, plus bundled channel plugins like QQ Bot)
@@ -621,7 +621,7 @@ Quick answers plus deeper troubleshooting for real-world setups (local dev, VPS,
Claude CLI reuse and `claude -p` usage as sanctioned for this integration
unless Anthropic publishes a new policy.
Anthropic setup-token is still available as a legacy/manual OpenClaw path.
Anthropic setup-token is still available as a supported OpenClaw token path, but OpenClaw now prefers Claude CLI reuse and `claude -p` when available.
For production or multi-user workloads, Anthropic API key auth is still the
safer, more predictable choice. If you want other subscription-style hosted
options in OpenClaw, see [OpenAI](/providers/openai), [Qwen / Model

View File

@@ -215,14 +215,14 @@ The bundled Anthropic `claude-cli` backend is supported in OpenClaw.
`claude -p`, and Anthropic staff told us OpenClaw-style Claude CLI usage is
allowed again. We are treating that guidance as settled unless Anthropic
publishes a new policy change.
- Anthropic setup-token is available again in OpenClaw as a legacy/manual path.
- Anthropic setup-token remains available in OpenClaw as a supported token-auth path, but OpenClaw now prefers Claude CLI reuse and `claude -p` when available.
- Auth details + reuse rules are in [/concepts/oauth](/concepts/oauth).
## Troubleshooting
**401 errors / token suddenly invalid**
- Legacy Anthropic token auth can expire or be revoked.
- Anthropic token auth can expire or be revoked.
- For new setup, migrate to an Anthropic API key.
**No API key found for provider "anthropic"**
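Review bot: Under "401 errors / token suddenly invalid", removing "Legacy" leaves "Anthropic token auth can expire or be revoked" followed by the unchanged "For new setup, migrate to an Anthropic API key", which now advises moving off a path the bullet above calls supported and skips the Claude CLI reuse that the same hunk says OpenClaw prefers. Reword the second bullet to name both options, Claude CLI reuse and API key.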

View File

@@ -32,7 +32,7 @@ For a high-level overview, see [Onboarding (CLI)](/start/wizard).
<Step title="Model/Auth">
- **Anthropic API key**: uses `ANTHROPIC_API_KEY` if present or prompts for a key, then saves it for daemon use.
- **Anthropic API key**: preferred Anthropic assistant choice in onboarding/configure.
- **Anthropic setup-token (legacy/manual)**: still available in onboarding/configure.
- **Anthropic setup-token**: still available in onboarding/configure, though OpenClaw now prefers Claude CLI reuse when available.
- **OpenAI Code (Codex) subscription (Codex CLI)**: if `~/.codex/auth.json` exists, onboarding can reuse it. Reused Codex CLI credentials stay managed by Codex CLI; on expiry OpenClaw re-reads that source first and, when the provider can refresh it, writes the refreshed credential back to Codex storage instead of taking ownership itself.
- **OpenAI Code (Codex) subscription (OAuth)**: browser flow; paste the `code#state`.
- Sets `agents.defaults.model` to `openai-codex/gpt-5.4` when model is unset or `openai/*`.
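Review bot: The unchanged bullet "**Anthropic API key**: preferred Anthropic assistant choice in onboarding/configure" now contradicts the added setup-token bullet, which says OpenClaw prefers Claude CLI reuse when available. The step also lists "Anthropic API key" twice and has no Claude CLI entry in the visible lines. Merge the two API-key bullets and state the preference in one place so the step does not name two different preferred choices.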

View File

@@ -192,7 +192,7 @@ openclaw onboard --non-interactive \
</Accordion>
</AccordionGroup>
Anthropic setup-token is available again as a legacy/manual onboarding path.
Anthropic setup-token remains available as a supported onboarding token path, but OpenClaw now prefers Claude CLI reuse when available.
For production, prefer an Anthropic API key.
## Add another agent

View File

@@ -72,7 +72,7 @@ Onboarding starts with **QuickStart** (defaults) vs **Advanced** (full control).
For non-interactive runs, `--secret-input-mode ref` stores env-backed refs in auth profiles instead of plaintext API key values.
In non-interactive `ref` mode, the provider env var must be set; passing inline key flags without that env var fails fast.
In interactive runs, choosing secret reference mode lets you point at either an environment variable or a configured provider ref (`file` or `exec`), with a fast preflight validation before saving.
For Anthropic, interactive onboarding/configure offers **Anthropic Claude CLI** as a local fallback and **Anthropic API key** as the recommended production path. Anthropic setup-token is also available again as a legacy/manual OpenClaw path.
For Anthropic, interactive onboarding/configure offers **Anthropic Claude CLI** as the preferred local path and **Anthropic API key** as the recommended production path. Anthropic setup-token also remains available as a supported token-auth path.
2. **Workspace** — Location for agent files (default `~/.openclaw/workspace`). Seeds bootstrap files.
3. **Gateway** — Port, bind address, auth mode, Tailscale exposure.
In interactive token mode, choose default plaintext token storage or opt into SecretRef.

View File

@@ -59,7 +59,8 @@ const _ANTHROPIC_OAUTH_ALLOWLIST = [
"anthropic/claude-haiku-4-5",
] as const;
const ANTHROPIC_SETUP_TOKEN_NOTE_LINES = [
"Anthropic setup-token auth is a legacy/manual path in OpenClaw.",
"Anthropic setup-token auth is supported in OpenClaw.",
"OpenClaw prefers Claude CLI reuse when it is available on the host.",
"Anthropic staff told us this OpenClaw path is allowed again.",
`If you want a direct API billing path instead, use ${formatCliCommand("openclaw models auth login --provider anthropic --method api-key --set-default")} or ${formatCliCommand("openclaw models auth login --provider anthropic --method cli --set-default")}.`,
] as const;
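Review bot: In ANTHROPIC_SETUP_TOKEN_NOTE_LINES the new preference line is not actionable on its own: the only command for the CLI method, `--method cli`, sits in the last entry under "If you want a direct API billing path instead", next to `--method api-key`. Split that entry so the Claude CLI command follows "OpenClaw prefers Claude CLI reuse when it is available on the host." and the billing sentence covers only the API-key command.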
@@ -419,16 +420,16 @@ export function registerAnthropicPlugin(api: OpenClawPluginApi): void {
{
id: "setup-token",
label: "Anthropic setup-token",
hint: "Legacy/manual bearer token path",
hint: "Manual bearer token path",
kind: "token",
wizard: {
choiceId: "setup-token",
choiceLabel: "Anthropic setup-token",
choiceHint: "Legacy/manual path",
choiceHint: "Manual token path",
assistantPriority: 40,
groupId: "anthropic",
groupLabel: "Anthropic",
groupHint: "Claude CLI + API key + legacy token",
groupHint: "Claude CLI + API key + token",
},
run: async (ctx: ProviderAuthContext) => await runAnthropicSetupTokenAuth(ctx),
runNonInteractive: async (ctx: ProviderAuthMethodNonInteractiveContext) =>
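Review bot: Only the hint strings change in this auth-method entry; `assistantPriority: 40` is untouched, and no other visible hunk in the commit alters selection logic. If the preference for Claude CLI is meant to show up in the wizard ordering, confirm that the CLI method's priority already ranks it ahead of setup-token; otherwise this commit changes what users are told, not what they are offered first.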

View File

@@ -579,7 +579,7 @@ describe("modelsAuthLoginCommand", () => {
});
});
it("writes pasted Anthropic setup-tokens and logs the legacy warning", async () => {
it("writes pasted Anthropic setup-tokens and logs the preference note", async () => {
const runtime = createRuntime();
mocks.clackText.mockResolvedValue(`sk-ant-oat01-${"a".repeat(80)}`);
@@ -595,7 +595,10 @@ describe("modelsAuthLoginCommand", () => {
agentDir: "/tmp/openclaw/agents/main",
});
expect(runtime.log).toHaveBeenCalledWith(
"Anthropic setup-token auth is a legacy/manual path in OpenClaw.",
"Anthropic setup-token auth is supported in OpenClaw.",
);
expect(runtime.log).toHaveBeenCalledWith(
"OpenClaw prefers Claude CLI reuse when it is available on the host.",
);
expect(runtime.log).toHaveBeenCalledWith(
"Anthropic staff told us this OpenClaw path is allowed again.",

View File

@@ -420,7 +420,8 @@ export async function modelsAuthPasteTokenCommand(
logConfigUpdated(runtime);
runtime.log(`Auth profile: ${profileId} (${provider}/token)`);
if (provider === "anthropic") {
runtime.log("Anthropic setup-token auth is a legacy/manual path in OpenClaw.");
runtime.log("Anthropic setup-token auth is supported in OpenClaw.");
runtime.log("OpenClaw prefers Claude CLI reuse when it is available on the host.");
runtime.log("Anthropic staff told us this OpenClaw path is allowed again.");
}
}
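Review bot: The three `runtime.log` strings in the `provider === "anthropic"` branch repeat the first three entries of ANTHROPIC_SETUP_TOKEN_NOTE_LINES from the Anthropic plugin, and the test in this commit carries a third copy, so this wording change had to be made in three files. Log the provider's note lines from one source instead of hard-coding them in the generic paste-token command. The fourth note entry, the one with the `openclaw models auth login` commands, is not logged in the visible branch, so paste-token users are told about the preference without being given the command to act on it.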