[Bug]: Anthropic OAuth refresh token discarded by configure; auto-refresh always fails, requires manual re-auth every ~8h

[wiziswiz]

Environment

• Version: 2026.3.2
• OS: macOS
• Provider: Anthropic (claude-sonnet-4-6)

Describe the bug

When running openclaw configure for Anthropic, the OAuth flow correctly obtains both an access token and refresh token. However the refresh token is discarded and the auto-renew mechanism never works, requiring manual re-authentication every ~8 hours despite the refresh token being valid for ~1 year.

Steps to reproduce

1. Run openclaw configure and authenticate with Anthropic via OAuth
2. Use openclaw normally for ~8 hours
3. Token expires — gateway begins returning OAuth token refresh failed for anthropic: Failed to refresh OAuth token for anthropic. Please try again or re-authenticate
4. All Anthropic models fail, fallback chain gets rate-limited, gateway becomes unusable

Root cause (observed via source inspection)

• openclaw configure saves the OAuth result into anthropic:default as type: token — a static credential with no refresh token stored
• The anthropic:claude-cli profile (type: oauth, which does store a refresh token) is not updated when re-running configure
• When the access token expires, refreshOAuthTokenWithLock is called but always fails because no valid refresh token is available
• Running configure again creates a new anthropic:default static token AND adds a broken auth.order entry that puts anthropic:default first, poisoning both Anthropic models simultaneously (since they share provider-level auth)

auth-profiles.json state after configure

"anthropic:default": {
  "type": "token",
  "provider": "anthropic",
  "token": "sk-ant-oat01-..."
}

No refresh field. No expires field. Auto-renew impossible.

openclaw.json corruption after configure

Every openclaw configure run also:

• Resets auth.order to put anthropic:default first (breaking all Anthropic auth)
• Resets model fallbacks (overwriting user's custom fallback chain)

Expected behavior

openclaw configure should:

1. Store the full OAuth credential pair (access + refresh token) into anthropic:claude-cli as type: oauth with a proper expires timestamp
2. Not overwrite auth.order or model fallbacks on subsequent configure runs

Actual behavior

Only the access token is stored as a static type: token. Refresh token is discarded. Auth order is corrupted. Manual re-auth required every ~8h indefinitely.

Workaround

Manually edit ~/.openclaw/agents/main/agent/auth-profiles.json after every configure run:

"anthropic:claude-cli": {
  "type": "oauth",
  "provider": "anthropic",
  "access": "sk-ant-oat01-...",
  "expires": <now + 8h in ms>
}

And manually remove auth.order from openclaw.json.

[Dingding-leo]

Feature - Make sessions_spawn a privileged tool.

Problem:

• Any agent can call sessions_spawn
• Can spawn unlimited sub-agents at no cost to the caller
• Creates resource abuse potential

Proposed fix:

1. Add sessions_spawn to the privileged tools list
2. Require tool policy approval for spawning
3. Optional: track spawn costs against parent session

Config:

{
  "tools": {
    "privileged": ["sessions_spawn", "sessions_create", "sessions_kill"]
  }
}

Security considerations:

• Prevent runaway sub-agent spawning
• Allowlist which agents can spawn
• Optional: rate limiting per session

This is a good security improvement - spawn is powerful and should require approval.

[wiziswiz]

Correction / additional detail

After further investigation, the root cause is slightly different than originally described:

The token created by openclaw configure / claude setup-token is explicitly a 1-year long-lived token (the CLI output says: "✓ Long-lived authentication token created successfully! Your OAuth token (valid for 1 year)").

However, openclaw stores it in auth-profiles.json with expires: now + 8h — an artificial 8-hour expiry that does not reflect the token's actual lifetime. After 8h, openclaw attempts refreshOAuthTokenWithLock, which fails (no refresh token, and the token didn't need refreshing anyway), causing the gateway to break.

Corrected root cause: openclaw sets an incorrect 8h expires value for a token that is valid for 1 year.

Workaround: Manually set expires in auth-profiles.json to now + 1 year in milliseconds after each configure run. The token will work for the full year without any refresh attempts.

Suggested fix: When storing a long-lived OAuth token, openclaw should either (a) parse the actual expiry from the token/OAuth response and store that, or (b) default to a 1-year expiry for tokens that don't have an explicit short TTL.

[sahilsatralkar]

Hi, I am looking into this issue, will update here with my findings

[IIIyban]

Confirming this is still an issue on 2026.3.11. In our case the refresh token IS stored (type: oauth, not token), but it gets invalidated when ~/.claude/.credentials.json refreshes first — Anthropic rotates refresh tokens, so the old one in auth-profiles becomes dead.

The fundamental problem: two credential stores (~/.claude/.credentials.json and auth-profiles.json) with no sync mechanism. Filed #44919 with full reproduction and a workaround (systemd timer sync script).

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[openclaw-barnacle]

Closing due to inactivity.
If this is still an issue, please retry on the latest OpenClaw release and share updated details.
If you are absolutely sure it still happens on the latest release, open a new issue with fresh repro steps.