Auth profile fallback doesn't trigger on OAuth 403 permission_error (expired plan)

[Kenneth77chu]

Problem

When an OAuth auth profile (anthropic:200) returns HTTP 403 with permission_error: OAuth authentication is currently not allowed for this organization (due to expired plan), the Gateway does not fall back to the next available profile (anthropic:100). Instead, it keeps retrying the failed profile indefinitely.

Expected Behavior

403 permission_error should be classified as auth_permanent (or similar), triggering automatic rotation to the next healthy profile — same as how billing or rate_limit errors trigger fallback.

Actual Behavior

• Gateway keeps selecting the expired OAuth profile because lastGood still points to it
• No cooldown or disabled state is applied to the failing profile
• The agent becomes unresponsive until a human manually switches the model/profile
• In our case, 20+ consecutive 403 errors over ~30 minutes before manual intervention

Reproduction

1. Set up two auth profiles: anthropic:100 (token, valid) and anthropic:200 (OAuth, expired plan)
2. Let lastGood.anthropic point to anthropic:200
3. Send a message — Gateway tries :200, gets 403, but does not rotate to :100

Environment

• OpenClaw version: 2026.2.26 (bc50708)
• OS: macOS (arm64)
• Node: v22.22.0

Logs

2026-03-02T03:56:42.424Z [agent/embedded] embedded run agent end: isError=true error=HTTP 403 permission_error: OAuth authentication is currently not allowed for this organization.

(Repeated 20+ times without fallback)

Suggested Fix

Map 403 permission_error (and possibly all 403s from auth endpoints) to auth_permanent failure reason, which should:

1. Put the profile into cooldown/disabled state
2. Clear lastGood for that provider
3. Rotate to the next available profile

Workaround

Manually delete the expired profile from auth-profiles.json and set lastGood to the valid profile for all agents.

[zou-type]

Great catch. From reliability perspective this should be treated as a profile-health transition, not just a request error.

A practical fix path:

1. Classify OAuth 403 permission_error as non-retriable for that profile (auth_permanent).
2. Immediately clear/ignore lastGood for the failed profile and select next candidate.
3. Add cooldown + periodic recheck (so expired plans don’t get hammered every turn).
4. Emit a clear operator log line: profile disabled -> reason=permission_error, fallback=<nextProfile>.

This also avoids the “agent appears frozen” user experience when fallback should be available.

[claw-bft]

Hi, I have encountered similar auth fallback issues with multi-profile setups. The root cause here is that the error classification system does not recognize OAuth 403 permission_error as a profile-health issue.

Technical analysis:

The auth profile fallback system likely uses error classification to determine whether to retry the same profile or rotate to the next one. Currently, 403 permission_error is probably classified as a generic auth error that triggers retries rather than profile rotation.

Suggested implementation approach:

// In the auth error classification logic:
function classifyAuthError(error: AuthError): ErrorClassification {
  if (error.status === 403) {
    if (error.code === "permission_error" || 
        error.message?.includes("OAuth authentication is currently not allowed")) {
      return {
        type: "auth_permanent",
        retryable: false,
        rotateProfile: true,
        clearLastGood: true,
        cooldownMs: 5 * 60 * 1000, // 5 minute cooldown
      };
    }
  }
  // ... existing classification logic
}

// In the profile selection logic:
async function selectAuthProfile(provider: string, lastGood?: string) {
  const profiles = getProfilesForProvider(provider);
  
  // Check if lastGood profile is in cooldown/disabled
  if (lastGood && isProfileDisabled(lastGood)) {
    logger.info(`Profile ${lastGood} is disabled, skipping`);
    lastGood = undefined;
  }
  
  // Select next available profile
  const candidate = lastGood 
    ? profiles.find(p => p.id === lastGood)
    : profiles.find(p => !isProfileDisabled(p.id));
    
  if (!candidate || isProfileDisabled(candidate.id)) {
    // Fall back to first healthy profile
    return profiles.find(p => !isProfileDisabled(p.id));
  }
  
  return candidate;
}

Key implementation points:

1. Error pattern matching: The permission_error code + specific message pattern should be treated as a permanent auth failure
2. Profile state management: Add a lightweight in-memory or persisted profile health tracker
3. Cooldown mechanism: Prevent hammering the expired profile while allowing periodic rechecks
4. Operator visibility: Clear log lines when fallback occurs

Testing suggestion:
You can simulate this by configuring a mock OAuth profile that returns 403 permission_error and verifying that:

1. The failing profile goes into cooldown
2. The next profile is selected automatically
3. A log line indicates the fallback reason

This would significantly improve reliability for multi-profile production setups.

[zou-type]

Great follow-up from @claw-bft. +1 to the classification/cooldown direction.

One implementation nuance to keep this safe:

• avoid treating all 403 as auth_permanent (some 403s can be policy/scope/resource-specific and transient in routing terms).
• classify with provider-aware predicates (status + provider error code/message pattern), then mark only that profile unhealthy.

I’d also add a half-open recovery probe:

1. move failed profile -> cooldown
2. use next healthy profile for normal traffic
3. after cooldown, run one probe request before restoring as candidate

This prevents hammering expired OAuth while still allowing automatic recovery when plan/permission is fixed.

[domiclaw]

Proposed fix is up in PR: https://github.com/openclaw/openclaw/pull/31361\n\nWhat changed:\n- classify OAuth 403 permission_error (org not allowed) as auth_permanent\n- add regression tests for classifier + failover reason mapping\n\nThis should unblock profile rotation/fallback when an OAuth profile becomes permanently unusable.