Workspace Claude Token Setup

Status: Partially implemented — CLI setup / rotate / revoke / doctor, 1Password write + validation, expiry banner, and in-container OAuth-token onboarding are shipped; canonical oauth_token auth slot, TUI generate action, Apple Keychain backend, pre-launch validity probe, and bulk migration remain

Parent: Reliable Claude Authentication Strategy

This roadmap item tracks only remaining work. Shipped orchestrator mechanics live in the standard docs above.

  1. TUI generate action. Add a [G] Generate token action in the jackin console Auth panel so operators can run the same setup flow without leaving the TUI.
  2. Canonical auth slot. Replace the current two-key implementation (auth_forward = "oauth_token" plus managed CLAUDE_CODE_OAUTH_TOKEN env) with a dedicated oauth_token field on the Claude auth config. The launcher should synthesize CLAUDE_CODE_OAUTH_TOKEN from that slot.
  3. Pre-launch validity probe. Add a lightweight validity check or cached doctor result so obviously invalid external rotations surface before Claude returns an API 401 inside the session.
  4. Apple Keychain backend. Add a local OS-secret-store source after the cross-cutting Credential Source Pattern lands.
  5. Bulk migration. Add a --all or equivalent workflow for migrating multiple workspaces to Claude OAuth-token mode.
  • The upstream claude setup-token browser consent remains the token minting step; jackin owns capture, storage, config wiring, validation, and lifecycle commands.
  • The canonical slot should be the future user-facing shape. The current managed env entry is an implementation bridge, not the target schema.
  • Any future storage backend must preserve the current safety properties: no token in argv, no token in shell history, no config write before storage validation succeeds.
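The ordering those safety properties imply, as an added example that is not jackin's code: the token is read from a stream rather than argv, stored, validated, and only then referenced from config. `FileStore`, `setup_token`, the `token_ref` key, the JSON config layout, and the read-back check used as "storage validation" are all assumptions made for illustration.

```python
import hmac, io, json, os, tempfile

class ValidationError(Exception):
    pass

class FileStore:
    """Stand-in secret backend (assumption): one owner-only file per secret."""
    def __init__(self, root):
        self.root = root

    def put(self, name, secret):
        fd = os.open(os.path.join(self.root, name),
                     os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        os.fchmod(fd, 0o600)  # tighten a pre-existing file too
        with os.fdopen(fd, "w") as f:
            f.write(secret)

    def get(self, name):
        with open(os.path.join(self.root, name)) as f:
            return f.read()

def setup_token(stream, store, config_path, workspace):
    # The token arrives on a stream (stdin in real use), so it never shows up
    # in argv, process listings, or shell history.
    token = stream.readline().strip()
    if not token:
        raise ValidationError("empty token")
    store.put(workspace, token)
    # Storage validation (assumed here to be a constant-time read-back check).
    if not hmac.compare_digest(store.get(workspace).encode(), token.encode()):
        raise ValidationError("storage read-back mismatch; config not written")
    # Config is touched only after validation, and holds a reference only.
    config = {"auth_forward": "oauth_token", "token_ref": workspace}
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(config_path) or ".")
    with os.fdopen(fd, "w") as f:
        json.dump(config, f)
    os.replace(tmp, config_path)  # atomic swap: no half-written config
    return config

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        src = io.StringIO("constructed-sample-token\n")  # stands in for sys.stdin
        print(setup_token(src, FileStore(d), os.path.join(d, "config.json"), "ws1"))
```
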