Agent runtimes & authentication

Workspace Claude Token Setup

Status: Partially implemented — CLI setup / rotate / revoke / doctor, 1Password write + validation, expiry banner, host-side PTY OAuth-token onboarding, the shared op_picker Create mode, the plain-prompt --interactive storage-location picker, and the console Auth-tab generate-token action are shipped; canonical oauth_token auth slot, Apple Keychain backend, pre-launch validity probe, and bulk migration remain

Parent: Reliable Claude Authentication Strategy

Canonical Docs For Shipped Behavior

  • Agent Authentication — operator-facing Claude OAuth-token mode and setup command.
  • workspace claude-token — CLI reference for setup, rotate, revoke, and doctor.
  • Claude Token Orchestrator — contributor details for PTY capture, 1Password writes, validation, expiry stamps, the op_picker Create mode, the CLI --interactive picker, the console Auth-tab generate action, and tests.

This roadmap item tracks only remaining work. Shipped orchestrator mechanics live in the standard docs above.

Shipped facts

jackin workspace claude-token setup/rotate/revoke/doctor mint, validate, wire, and inspect a workspace or role's Claude OAuth token end to end, with the token never touching argv and no config write before post-write 1Password validation succeeds. Two interactive storage pickers landed on top of that: the CLI's plain-prompt --interactive flow and the console Auth-tab G generate action, both routed through a shared op_picker Create mode so the operator can pick an existing 1Password item/field or create one in place. See Claude Token Orchestrator for the full mechanics of both the base orchestrator and the interactive pickers.

Remaining Work

  1. Canonical auth slot. Replace the current two-key implementation (auth_forward = "oauth_token" plus managed CLAUDE_CODE_OAUTH_TOKEN env) with a dedicated oauth_token field on the Claude auth config. The launcher should synthesize CLAUDE_CODE_OAUTH_TOKEN from that slot.

  2. Pre-launch validity probe. Add a lightweight validity check or cached doctor result so obviously invalid external rotations surface before Claude returns an API 401 inside the session. The design and implementation home for this probe is Auth health and operator visibility; this item tracks the Claude-specific integration point.

  3. Apple Keychain backend. Add a local OS-secret-store source after the cross-cutting Credential Source Pattern lands.

  4. Bulk migration. Add a --all or equivalent workflow for migrating multiple workspaces to Claude OAuth-token mode.

On this page