Usage tracking broken for setup-token auth (missing user:profile scope)

[GodsBoy]

Problem

OpenClaw's onboard wizard uses claude setup-token to authenticate with Anthropic. However, setup-token only requests the user:inference scope. Usage tracking (showing plan usage in /status) requires the user:profile scope, which is only granted by the full claude login browser OAuth flow.

This means all Claude Max/Pro users who onboard via setup-token lose usage visibility in /status. The OAuth usage endpoint returns:

HTTP 403: OAuth token does not meet scope requirement user:profile

Impact

• All users onboarded via setup-token (the default Anthropic auth path) cannot see usage tracking
• The error message is not actionable — users don't know how to fix it
• The existing fallback to claude.ai web session key requires a separate env var most users won't have

Root Cause

This is an upstream limitation in Claude Code CLI:

• claude setup-token only requests user:inference scope
• claude login (full browser OAuth) requests all scopes including user:profile
• The Anthropic OAuth usage endpoint (/api/oauth/usage) requires user:profile

Related Claude Code issues:

• Can't view usage in claude code anthropics/claude-code#16075
• [Bug] Anthropic API Error: OAuth token missing user:profile scope for /usage command anthropics/claude-code#15243
• [Bug] OAuth token insufficient scope: missing user:profile permission anthropics/claude-code#12020

Proposed Fix

1. Actionable error message: When usage tracking fails with the scope error and no web fallback is available, show a clear message: "setup-token missing user:profile scope — run \claude login` (full OAuth) to enable usage tracking"instead of the genericHTTP 403` error.

2. Post-onboard warning: After setup-token onboarding completes, display a note informing users that usage tracking requires the full OAuth flow and how to upgrade.

Workaround

Users can work around this by:

1. Running claude login on a machine with a browser (full OAuth flow)
2. Using openclaw models auth paste-token to import the resulting token
3. Or setting CLAUDE_AI_SESSION_KEY env var with a claude.ai browser session key

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[GodsBoy]

Still relevant — the upstream scope limitation has not been fixed.

Upstream status: Claude Code issue #8052 (canonical) remains open since Sept 2025. Anthropic's setup-token still only grants user:inference scope, not user:profile. Recent issues (#23703, filed Feb 6 2026) continue to be auto-closed as duplicates without resolution.

Why this matters for Claude Max users: setup-token is the only officially supported auth method for third-party tools under the Claude Max/Pro subscription ToS. Running claude login (full browser OAuth) grants all scopes but is intended for Claude Code itself.

Proposed fixes ready:

• f47467620 — Actionable error message when scope error occurs (instead of generic HTTP 403)
• PR feat(auth): sync Claude Code CLI OAuth credentials for auto-refresh #5988 — OAuth credential sync from Claude CLI, which addresses the root cause by importing full OAuth tokens that include user:profile scope

Both pass CI. Happy to rebase if needed.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[openclaw-barnacle]

Closing due to inactivity.
If this is still an issue, please retry on the latest OpenClaw release and share updated details.
If you are absolutely sure it still happens on the latest release, open a new issue with fresh repro steps.