fix(oauth): use platform.claude.com endpoint for token refresh + startup warning #2968
ygd58 wants to merge 1 commit into
Conversation
Hey @ygd58 — thanks for the quick fix on this. Just checking in: the PR has a merge conflict now (base branch moved since Mar 25) and the supply chain audit CI check failed. Would you be able to rebase against main to resolve the conflict? We filed the original issue (#2962) and can confirm the root cause analysis — we've been running Hermes on a headless server with Anthropic Max OAuth tokens and hit this exact failure daily. The endpoint correction to Would love to see this get merged. Happy to help test if needed. cc @NousResearch maintainers — would appreciate a review when the conflict is resolved. This is a pretty straightforward fix (correct endpoint + startup warning) that makes OAuth refresh actually work for headless deployments.
Force-pushed from ddc4bf4 to 09705b5 (commit: …tartup warning when refresh credentials missing)
Rebased against main — conflict resolved. The fix now uses refresh_anthropic_oauth_pure(use_json=True) for platform.claude.com first, then falls back to use_json=False for console.anthropic.com legacy tokens.
Adds a public wrapper pair for the per-turn session-identity ContextVar in gateway.session_context, mirroring the structural pattern that tools/approval.py uses for the approval-session ContextVar. Naming: deliberately distinct from approval.py's set_current_session_key -- the two ContextVars carry different concerns and downstream callers will eventually need to set both. 'turn_session' disambiguates from the approval-session. Motivation: hermes-webui PR NousResearch#2968 (nesquena/hermes-webui#2968) currently binds per-turn session identity by importing _SESSION_KEY and calling .set() directly, which the maintainer flagged as a private-API touch. This wrapper closes that gap; the webui-side refactor lands as a follow-up commit on that PR once this lands.
Fixes #2962
Fix 1: Correct OAuth token refresh endpoint
_refresh_oauth_token() was using https://console.anthropic.com/v1/oauth/token which returns HTTP 500 for tokens obtained via Claude Code OAuth flow.
Now tries platform.claude.com first (correct endpoint per Claude Code's cli.js), then falls back to console.anthropic.com for legacy tokens. Also tries both application/json and application/x-www-form-urlencoded content types.
Fix 2: Startup warning when refresh credentials missing
When an OAuth token is detected but no ~/.claude/.credentials.json with a refreshToken exists, logs a warning at startup so users know the token will expire in ~8 hours with no auto-renewal path.
Fix 3 (already existed)
401 recovery via _try_refresh_anthropic_client_credentials() was already implemented — Fix 1 makes it actually work by correcting the endpoint.
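The two mechanisms described in the PR (Fix 1's endpoint and content-type fallback, Fix 2's startup check for a refresh token on disk) are shown together below as an added example; this is not Hermes' code or the code in this PR. The console.anthropic.com URL is the one quoted in the PR; the platform.claude.com path, the `CLIENT_ID` placeholder, the request fields (standard OAuth 2.0 `refresh_token` grant) and the credential-file layout are assumptions. The HTTP transport is injected so the block runs offline and the 500-from-console behaviour can be scripted; the example goes slightly beyond the PR by trying both content types against every endpoint rather than one per endpoint.

```python
"""Endpoint-fallback OAuth refresh and a startup refresh-credentials check.

Added example; not code from Hermes or from this PR. The console.anthropic.com
URL is the one quoted in the PR; the platform.claude.com path, CLIENT_ID, the
request fields and the credential-file layout are assumptions.
"""
import json
import logging
import os
import tempfile
from typing import Any, Callable, Optional
from urllib.parse import urlencode

log = logging.getLogger("oauth_refresh_example")

# Order from the PR: platform.claude.com first, console.anthropic.com as the legacy fallback.
REFRESH_ENDPOINTS = (
    "https://platform.claude.com/v1/oauth/token",    # assumed path
    "https://console.anthropic.com/v1/oauth/token",  # quoted in the PR
)
CLIENT_ID = "<oauth-client-id-placeholder>"  # not on the page

# Injected transport: post(url, headers, body) -> (status, response_text).
Transport = Callable[[str, dict, bytes], tuple]


def _encode(params: dict, use_json: bool) -> tuple:
    """Serialise the refresh request as a JSON body or a form body."""
    if use_json:
        return {"Content-Type": "application/json"}, json.dumps(params).encode()
    return {"Content-Type": "application/x-www-form-urlencoded"}, urlencode(params).encode()


def refresh_oauth_token(refresh_token: str, post: Transport) -> Optional[dict]:
    """Try each endpoint with JSON first, then form encoding; return the parsed
    token response on the first 2xx that carries an access_token, else None.
    Only the endpoint and status are logged, never the token values."""
    params = {"grant_type": "refresh_token", "refresh_token": refresh_token,
              "client_id": CLIENT_ID}
    for url in REFRESH_ENDPOINTS:
        for use_json in (True, False):
            headers, body = _encode(params, use_json)
            try:
                status, text = post(url, headers, body)
            except OSError as exc:
                log.warning("refresh POST to %s failed: %s", url, exc)
                continue
            if not 200 <= status < 300:
                log.info("refresh via %s (%s) returned HTTP %d",
                         url, headers["Content-Type"], status)
                continue
            try:
                data = json.loads(text)
            except ValueError:
                log.warning("refresh via %s returned a non-JSON body", url)
                continue
            if isinstance(data, dict) and data.get("access_token"):
                return data
    return None


def _find_key(obj: Any, key: str) -> Any:
    """Recursive lookup: the PR does not fix where refreshToken sits in the file."""
    if isinstance(obj, dict):
        if obj.get(key):
            return obj[key]
        return next((r for r in (_find_key(v, key) for v in obj.values()) if r), None)
    if isinstance(obj, list):
        return next((r for r in (_find_key(v, key) for v in obj) if r), None)
    return None


def has_refresh_credentials(path: str) -> bool:
    """True when the credentials JSON at `path` holds a non-empty refreshToken."""
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return False
    return _find_key(data, "refreshToken") is not None


def startup_oauth_check(token_is_oauth: bool,
                        creds_path: str = os.path.expanduser("~/.claude/.credentials.json")) -> Optional[str]:
    """Log and return a warning when an OAuth token is in use but no refresh
    credentials exist; return None when auto-renewal is possible."""
    if not token_is_oauth or has_refresh_credentials(creds_path):
        return None
    msg = (f"OAuth token detected but {creds_path} has no refreshToken; the token "
           "will expire in ~8 hours and cannot be renewed automatically.")
    log.warning(msg)
    return msg


def demo_startup_check() -> tuple:
    """Run the startup check against a constructed credentials file and a missing one."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, ".credentials.json")
        with open(good, "w", encoding="utf-8") as fh:
            # Constructed sample; the real file's layout is an assumption here.
            json.dump({"claudeAiOauth": {"refreshToken": "constructed-refresh"}}, fh)
        with_creds = startup_oauth_check(True, good)
        without = startup_oauth_check(True, os.path.join(tmp, "missing.json"))
    return with_creds, without


if __name__ == "__main__":
    print(demo_startup_check())
```

A production transport would wrap `urllib.request` or `httpx` behind the same `post(url, headers, body)` signature; keeping the loop independent of the HTTP client is what makes the fallback order testable, and the log lines deliberately carry the endpoint and status but never the refresh or access token.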