Skip to content

feat(auth): add Claude Code OAuth support for Anthropic provider#3299

Draft
sunipan wants to merge 5 commits into
tailcallhq:mainfrom
sunipan:pr/claude-auth-upstream
Draft

feat(auth): add Claude Code OAuth support for Anthropic provider#3299
sunipan wants to merge 5 commits into
tailcallhq:mainfrom
sunipan:pr/claude-auth-upstream

Conversation

@sunipan
Copy link
Copy Markdown

@sunipan sunipan commented May 8, 2026

Summary

Adds Claude Code OAuth support for ForgeCode’s Anthropic provider.

This is a ForgeCode port of the Claude/Anthropic auth behavior from:

https://github.com/ex-machina-co/opencode-anthropic-auth

I’m opening this as a draft/community PR because it helps users who want to authenticate ForgeCode with Claude subscription-style OAuth rather than a normal Anthropic API key, but it includes provider-specific behavior that maintainers should explicitly review before deciding whether it belongs upstream.

Context

This PR was prepared with AI assistance.

I’ve mirrored the relevant changes from opencode-anthropic-auth for ForgeCode’s Rust provider stack. I want to stress that using this provider for Claude Code may carry potential account or policy risks, although I personally have not had any issues.

Changes

  • Add Claude Code OAuth provider config updates:

    • Claude platform token URL
    • Claude platform callback URL
    • additional Claude Code scopes
    • provider-level anthropic-client custom header

  • Extend Anthropic OAuth code exchange parsing:

    • full callback URL
    • code#state
    • query-string code=...&state=...
    • raw code fallback

  • Update Anthropic request headers for OAuth:

    • use Authorization: Bearer ... for OAuth credentials
    • include OAuth beta flag
    • include Claude Code user-agent
    • preserve provider-level custom headers

  • Add Claude Code request transforms for OAuth-backed Anthropic requests:

    • billing metadata system block
    • Claude Code auth system message
    • MCP tool name conversion
    • tool name capitalization

  • Cap Anthropic cache_control blocks at Anthropic’s 4-block limit.

Source / Provenance

The Claude Code OAuth-specific behavior is ported from:

https://github.com/ex-machina-co/opencode-anthropic-auth

The current branch was reconciled against the source repo’s current mainline behavior, including Claude Code version/user-agent and billing metadata constants.

Risk / Maintainer Decision Points

This PR intentionally does not hide that the feature may have product, policy, or provider-relationship implications.

Things maintainers should decide before merging:

  • Whether ForgeCode wants first-class Claude subscription OAuth support in-tree.
  • Whether this should instead live behind a provider/plugin/proxy architecture.
  • Whether the Claude Code billing metadata/request-shaping behavior is acceptable for upstream.
  • Whether additional docs, user opt-in, or maintainership boundaries are needed.

If maintainers prefer not to carry this behavior, I’m happy to close this PR and keep it as a fork-only patch or move toward an external proxy/plugin-style approach.

Testing

Ran:

cargo fmt -p forge_app -p forge_repo -p forge_infra -- --check
cargo test -p forge_app billing_header
cargo test -p forge_app set_cache
cargo test -p forge_infra auth::http::anthropic
cargo check -p forge_app -p forge_repo -p forge_infra

Results:

  • billing_header: 4 passed
  • set_cache: 20 passed
  • auth::http::anthropic: 1 passed
  • cargo check: passed for changed packages

sunipan added 3 commits May 8, 2026 08:17
@sunipan
feat(auth): add Anthropic OAuth support for Claude Code subscription
8936668 
- Change claude_code redirect_uri to localhost:3456 for automatic callback capture
- Add anthropic-client custom header to identify as Claude Code client
- Enable provider-level custom headers in Anthropic provider
- Add billing-header transform to zero out costs (OAuth subscription usage)
- Apply billing-header transform to Anthropic request DTO

This allows ForgeCode to authenticate via Anthropic's OAuth flow using
the official Claude Code client_id, enabling Claude Pro/Max subscription
usage through the CLI.
@sunipan
fix(anthropic): restore OAuth callback URL and cap cache_control blocks
18f0c71 
- Revert claude_code OAuth redirect_uri to https://platform.claude.com/oauth/code/callback
- Update token_url to platform.claude.com and add user:mcp_servers, user:file_upload scopes
- Parse full callback URLs, code#state, query strings, and raw codes when exchanging codes
- Cap cache_control markers at Anthropic's 4-block limit, preferring newest breakpoints
@sunipan
chore(auth): align Claude auth port with source
01bc2b6
@github-actions github-actions Bot added type: feature Brand new functionality, features, pages, workflows, endpoints, etc. type: provider Updates provider.json configuration. labels May 8, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 19, 2026

Action required: PR inactive for 5 days.
Status update or closure in 10 days.

@github-actions github-actions Bot added the state: inactive No current action needed/possible; issue fixed, out of scope, or superseded. label May 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

state: inactive No current action needed/possible; issue fixed, out of scope, or superseded. type: feature Brand new functionality, features, pages, workflows, endpoints, etc. type: provider Updates provider.json configuration.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sunipan