OAuth Service
- Entity ID:
ent-20260410-f459c845226e - Type:
service - Scope:
shared - Status:
active - Aliases: OAuth, authentication, login, PKCE
Description
The OAuth service (src/services/oauth/) implements OAuth 2.0 Authorization Code flow with PKCE for authenticating with Claude.ai and the Anthropic Console API. It handles browser-based authorization, local callback server, token exchange, profile fetching, and supports both automatic (browser redirect) and manual (code paste) flows.
How it works
OAuth flow (OAuthService.startOAuthFlow())
- Generate PKCE values:
codeVerifier(base64url of 32 random bytes),codeChallenge(SHA-256 of verifier),state(32 random bytes for CSRF protection) - Create
AuthCodeListener— local HTTP server on localhost, OS-assigned port, listening at/callback - Build two auth URLs:
automaticFlowUrl— includes redirect URI for browser redirectmanualFlowUrl— for environments where localhost is unreachable (user copies auth code)- Open browser to authorization endpoint
- Wait for callback with
?code=AUTH_CODE&state=STATE - Validate state parameter (CSRF protection)
- Exchange code for tokens
- Fetch profile info (subscription type, rate limit tier)
Options
| Option | Purpose |
|---|---|
loginWithClaudeAi |
Use Claude.ai OAuth endpoints |
inferenceOnly |
Request inference-only scope |
expiresIn |
Custom token expiry |
orgUUID |
Organization context |
loginHint |
Pre-fill email |
loginMethod |
Force specific method |
skipBrowserOpen |
Manual flow only |
Token response
Returns OAuthTokens: accessToken, refreshToken, expiresAt (Date.now() + expires_in * 1000), scopes, subscriptionType, rateLimitTier, profile, tokenAccount (uuid, emailAddress, organizationUuid).
Auth endpoints
Two endpoint sets determined by shouldUseClaudeAIAuth(scopes):
- Claude.ai: CLAUDE_AI_AUTHORIZE_URL — for Claude.ai inference scope
- Console: CONSOLE_AUTHORIZE_URL — for API console access
PKCE crypto (crypto.ts)
generateCodeVerifier()—base64URLEncode(randomBytes(32))generateCodeChallenge(verifier)— SHA-256 hash, base64url encodedgenerateState()—base64URLEncode(randomBytes(32))
Local callback server (auth-code-listener.ts)
AuthCodeListener class — HTTP server on localhost with OS-assigned port. Captures the ?code=&state= parameters from the OAuth redirect. hasPendingResponse() determines whether to use automatic (browser redirect) or manual (code paste) flow.
Trade-offs
- PKCE only — no client secret required, standard for CLI/native apps. Relies entirely on PKCE for security.
- Localhost callback — works on local machines but fails in remote/container environments. Manual code paste provides a fallback but is less convenient.
- OS-assigned port — avoids port conflicts but means the callback URL includes a random port, requiring dynamic auth URL generation.
- Two endpoint sets — supports both Claude.ai and Console auth but doubles the configuration surface.
Depends on
- entrypoint-system — auth command registered as CLI subcommand
- Node.js
httpmodule — local callback server - Node.js
cryptomodule — PKCE value generation
Key claims
- Uses OAuth 2.0 Authorization Code + PKCE (no client secret)
- Supports automatic (browser redirect) and manual (code paste) flows
- CSRF protection via random state parameter validation
- Two auth endpoint sets: Claude.ai and Console
Relations
related_tomcp-auth (MCP uses its own OAuth flow)used_byentrypoint-system (auth login/logout/status commands)used_byservice-layer
Sources
src-20260409-a5fc157bc756, source code analysis of src/services/oauth/