[Bug]: OAuth 403 misclassified as rate_limit → infinite cooldown loop, no CLI recovery

[onurcinar92-stack]

Environment

• OpenClaw 2026.2.9 (33c75cb)
• WSL2 Ubuntu, Node 22.22.0
• Telegram channel, 1 agent (main)
• Auth: 2 Anthropic OAuth tokens in auth-profiles.json
• Default model: anthropic/claude-opus-4-6

Bug Description

An Anthropic OAuth token missing the user:profile scope returns HTTP 403. OpenClaw misclassifies this as rate_limit instead of auth_error, putting the entire Anthropic provider into cooldown. Since all fallback models (opus-4-6, opus-4-5, haiku-4-5) share the same provider, all models become unavailable simultaneously.

The heartbeat cron job and incoming Telegram messages continuously retry the failed provider, resetting the cooldown timer each time → infinite cooldown loop. The bot becomes completely unresponsive with no CLI path to recovery.

Expected Behavior

1. HTTP 403 with scope error should be classified as auth_error, not rate_limit
2. Clear error message indicating the OAuth scope issue
3. Cooldown should not block all models when the issue is token-specific
4. A CLI command should exist to reset provider cooldowns

Actual Behavior

error Embedded agent failed before reply: All models failed (3):
  anthropic/claude-opus-4-6: Provider anthropic is in cooldown (all profiles unavailable) (rate_limit)
  anthropic/claude-opus-4-5: Provider anthropic is in cooldown (all profiles unavailable) (rate_limit)
  anthropic/claude-haiku-4-5: Provider anthropic is in cooldown (all profiles unavailable) (rate_limit)

openclaw status shows:

Usage: Claude: HTTP 403: OAuth token does not meet scope requirement user:profile

openclaw models status shows:

anthropic:default=token:sk-ant-o...V1piGgAA [cooldown 5m]

Recovery Attempts (all failed)

Command	Result
openclaw gateway restart	Cooldown persisted (loaded from auth-profiles.json)
openclaw provider refresh anthropic	Command doesn't exist
openclaw system refresh --providers	Command doesn't exist
openclaw login anthropic	Command doesn't exist
openclaw agent restart main	Requires -m flag, then rejects it ("too many arguments")
openclaw config set agents.defaults.model "..."	Validation error: "expected object, received string"

Actual Fix (manual)

1. Edit auth-profiles.json: remove cooldownUntil, set errorCount: 0, failureCounts: {}
2. Switch model via openclaw models set anthropic/claude-3-5-sonnet-latest
3. openclaw gateway restart

DX Impact: AI assistants can't help users recover

Because no CLI recovery path exists, users who ask AI assistants (Gemini, ChatGPT, etc.) for help get stuck in a loop of non-existent commands. The AI correctly identifies what should exist (provider refresh, cooldown reset, login) but these commands don't exist in OpenClaw 2026.2.9.

In a real-world debugging session, an external AI assistant suggested the following commands — none of which exist:

• openclaw provider refresh anthropic
• openclaw system refresh --providers
• openclaw login anthropic
• openclaw gateway install --force
• openclaw config --path

This resulted in ~45 minutes of troubleshooting with zero progress until the user manually edited auth-profiles.json. The AI also misdiagnosed the root cause repeatedly (blaming rate limits, security warnings, model tiers, WSL2 networking, and memory plugin status — none of which were the actual problem).

This highlights that the missing CLI commands aren't just nice-to-haves — they're essential for recoverability.

Suggestions

1. Classify 403 correctly — Auth/scope errors are not rate limits. A 403 with "scope requirement" should surface as auth_error with a clear message like: Token missing required scope 'user:profile'. Re-authenticate with: openclaw auth refresh anthropic

2. Add openclaw provider reset <name> — CLI command to clear cooldown state for a provider without editing JSON files manually

3. Add openclaw auth refresh <provider> — Re-validate or re-authenticate tokens when scope/permission issues arise

4. Per-profile cooldown, not per-provider — Don't take down all models when one token/profile is bad. If anthropic:default fails, anthropic:gohan should still be tried

5. Circuit breaker for heartbeat/cron — Stop retrying (and extending cooldown) after N consecutive auth failures. Log a persistent warning instead

6. openclaw agent restart fix — The -m flag handling is broken in 2026.2.9 (requires it, then rejects it)

7. Cooldown should not persist across gateway restarts — Or at minimum, openclaw gateway restart should have a --clear-cooldowns flag

8. openclaw doctor — A diagnostic command that checks for common issues (expired tokens, cooldown loops, scope errors) and suggests fixes

[AceWalkerAI]

While waiting for an official fix, I created a cleanup script that can help recover from this state:

🔗 https://github.com/AceWalkerAI/openclaw-cleanup-tool

⚠️ WARNING / 警告:

• Please backup your ~/.openclaw/ directory before running!
• 執行前請先備份你的 ~/.openclaw/ 目錄！

The script automatically creates a backup of openclaw.json, but a full manual backup is recommended.

The script:

• Backs up your current openclaw.json
• Removes all auth-profiles.json files (clears the cooldown state)
• Clears API keys and auth configs from the main config
• Allows you to run openclaw configure fresh

This is a workaround, not a fix - the underlying classification issue should still be addressed. But it provides a CLI recovery path for users stuck in this loop.

Hope this helps someone! 🦊

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[gabriel1ll7]

Root Cause Analysis

Traced through the compiled source (pi-embedded-Cn8f5u97.js, OpenClaw 2026.2.9). Two bugs contribute to this issue:

Bug 1: Hardcoded "rate_limit" in failover loop (confirmed)

In runWithModelFallback, when all profiles for a provider are in cooldown and the probe check (shouldProbePrimaryDuringCooldown) returns false, the failover attempt is recorded with a hardcoded reason: "rate_limit":

// runWithModelFallback — when all profiles are in cooldown
attempts.push({
    provider: candidate.provider,
    model: candidate.model,
    error: `Provider ${candidate.provider} is in cooldown (all profiles unavailable)`,
    reason: "rate_limit"  // ← hardcoded, should reflect actual cooldown reason
});

This is why the user sees (rate_limit) in the error output regardless of the actual failure cause. The reason should instead be derived from the dominant failureCounts key in the cooldown profiles' usageStats, or at minimum be "cooldown" rather than masquerading as "rate_limit".

Bug 2: Initial 403 misclassification (needs investigation)

The auth-profiles.json stores failureCounts: { "rate_limit": 5 } — not { "auth": 5 }. This means the initial API error is also being classified as rate_limit before cooldown even starts.

resolveFailoverReasonFromError has the correct logic:

if (status === 401 || status === 403) return "auth";

And classifyFailoverReason has /\b403\b/ in its auth patterns, which should match "HTTP 403: OAuth token does not meet scope requirement user:profile".

So either:

• The Anthropic SDK error object doesn't expose .status = 403 (making getStatusCode return undefined)
• The error message reaching classifyFailoverReason doesn't contain "403"
• The error takes a different code path (e.g., the usage-check path at fetchClaudeOAuthUsage which has special 403 scope handling but may still feed into the cooldown system incorrectly)

Suggested fixes

1. Replace the hardcoded "rate_limit" with the actual dominant reason from the profiles' failureCounts, e.g.:

   reason: getDominantCooldownReason(authStore, profileIds) ?? "rate_limit"

2. Add explicit pattern for the scope error in isAuthErrorMessage:

   auth: [
       // ... existing patterns ...
       "scope requirement",
       "does not meet scope"
   ]

3. Add openclaw provider reset <name> CLI command — the manual recovery (editing JSON, clearing cooldownUntil/errorCount/failureCounts) is fragile and undiscoverable

4. Don't persist cooldowns across gateway restart — or add --clear-cooldowns flag

---

Reproduced on macOS, OpenClaw 2026.2.9, 3 Anthropic OAuth token profiles — all three entered rate_limit cooldown simultaneously.

[vignesh07]

This is addressed by the fix merged in 5c7c37a02a3b5bb0e31253d5cfbef1c86dd17235.

Specifically, when all auth profiles are unavailable, OpenClaw no longer hardcodes the failover reason to rate_limit. It now infers the reason from active auth-profile state (disabledReason and active cooldown failure counts), so OAuth/auth-disabled windows surface as auth/billing instead of being mislabeled as rate limits.

Thanks for the detailed report and recovery notes, @onurcinar92-stack.