
OpenClaw OAuth Token Authentication Breaks in 2026.3.28+ (Bearer Header Issue) #60279

@arisgysel-design

Summary

OpenClaw versions 2026.3.28 and later send Anthropic OAuth tokens using Authorization: Bearer header instead of x-api-key, causing authentication failures with HTTP 401 "OAuth authentication is currently not supported".

Version 2026.3.24 works correctly by sending OAuth tokens as x-api-key.

Environment

  • Working Version: OpenClaw 2026.3.24 (cff6dc9)
  • Broken Versions: 2026.3.28, 2026.4.2 (and likely all versions in between)
  • Platform: macOS (tested on Mac mini, Apple Silicon)
  • Auth Type: Anthropic OAuth tokens (sk-ant-oat01-...)

Steps to Reproduce

  1. Configure OpenClaw with Anthropic OAuth token in auth-profiles.json:
    {
      "profiles": {
        "anthropic:default": {
          "type": "token",
          "token": "sk-ant-oat01-..."
        }
      }
    }
  2. Update OpenClaw to 2026.3.28+ via npm install -g openclaw@latest
  3. Start gateway and make any model request using anthropic/claude-* model
  4. Observe authentication error in logs

Expected Behavior

OAuth tokens should be sent via x-api-key header with anthropic-beta: oauth-2025-04-20 header, as in 2026.3.24:

curl https://api.anthropic.com/v1/messages \
 -H 'x-api-key: sk-ant-oat01-...' \
 -H 'anthropic-beta: oauth-2025-04-20' \
 -H 'anthropic-version: 2023-06-01' \
 -H 'content-type: application/json' \
 -d '{"model":"claude-opus-4-20250514","max_tokens":1024,"messages":[{"role":"user","content":"test"}]}'

Result: Works (404 for invalid model name, but auth succeeds)

Actual Behavior (2026.3.28+)

OAuth tokens are sent via Authorization: Bearer header:

curl https://api.anthropic.com/v1/messages \
 -H 'Authorization: Bearer sk-ant-oat01-...' \
 -H 'anthropic-beta: oauth-2025-04-20' \
 -H 'anthropic-version: 2023-06-01' \
 -H 'content-type: application/json' \
 -d '{"model":"claude-opus-4-20250514","max_tokens":1024,"messages":[{"role":"user","content":"test"}]}'

Result:

{
  "type": "error",
  "error": {
    "type": "authentication_error",
    "message": "OAuth authentication is currently not supported"
  }
}

Analysis

Both versions contain identical OAuth detection logic:

  • isAnthropicOAuthApiKey() function exists in both
  • PI_AI_OAUTH_ANTHROPIC_BETAS constant exists in both
  • oauth-2025-04-20 beta header is set in both

The difference is in the SDK/transport layer — somewhere between 2026.3.24 and 2026.3.28, the HTTP client was changed to send OAuth tokens as Bearer instead of x-api-key.

Workaround

Downgrade to 2026.3.24:

npm install -g openclaw@2026.3.24

Alternative: Use Anthropic API keys (sk-ant-api03-...) instead of OAuth tokens, but this switches from flat-rate to pay-per-token billing.

Impact

  • Critical: Users with OAuth tokens cannot use Anthropic models on 2026.3.28+
  • Workaround available: Downgrade to 2026.3.24
  • Affects: All Anthropic OAuth token users (OAuth was previously working in earlier versions)

Related Issues

Possibly related GitHub issues mentioning OAuth/auth problems:

Additional Context

Testing confirmed:

  1. Same OAuth token works on 2026.3.24 but fails on 2026.4.2
  2. Same token, same detection code, different HTTP headers
  3. Anthropic API correctly rejects Bearer with OAuth tokens (per their error message)
  4. Config migration from 2026.3.24 → 2026.4.2 does not help (not a config issue)

Logs

2026.3.24 (working):

ignoring context1m for OAuth token auth on anthropic/claude-opus-4-6; Anthropic rejects context-1m beta with OAuth auth

(Warning only about context-1m beta, auth succeeds)

2026.4.2 (broken):

HTTP 401 authentication_error: OAuth authentication is currently not supported

Tested on: 2026-04-03
Reporter: Production deployment with multiple agents affected
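
Added example (not part of the original report and not OpenClaw's code): a small classifier for captured outbound request headers that reports whether the credential travels in x-api-key or Authorization: Bearer, and redacts the token before it is logged. The token prefixes and beta value are the ones quoted in the report; the function names are hypothetical and the sample headers are constructed.

```javascript
// Added diagnostic example, not OpenClaw code. Prefixes and the beta value
// are the ones quoted in the report; all function names are hypothetical.
const OAUTH_PREFIX = "sk-ant-oat01-";
const API_KEY_PREFIX = "sk-ant-api03-";
const OAUTH_BETA = "oauth-2025-04-20";

function tokenKind(token) {
  if (token.startsWith(OAUTH_PREFIX)) return "oauth";
  if (token.startsWith(API_KEY_PREFIX)) return "api-key";
  return "unknown";
}

// Keep only the type prefix so captured headers can be logged safely.
function redact(token) {
  const m = /^sk-ant-[a-z0-9]+-/.exec(token);
  return (m ? m[0] : "") + "[REDACTED]";
}

// Report which header carries the credential in one captured request.
function classifyAuthHeaders(rawHeaders) {
  const h = {};
  // HTTP header names are case-insensitive, so normalise before lookup.
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v).trim();
  const found = [];
  if (h["x-api-key"]) found.push({ carrier: "x-api-key", token: h["x-api-key"] });
  const bearer = /^Bearer\s+(\S+)$/i.exec(h["authorization"] || "");
  if (bearer) found.push({ carrier: "authorization-bearer", token: bearer[1] });
  // anthropic-beta may carry several comma-separated values.
  const betas = (h["anthropic-beta"] || "").split(",").map((s) => s.trim());
  return {
    carriers: found.map((f) => f.carrier),
    kinds: found.map((f) => tokenKind(f.token)),
    redacted: found.map((f) => redact(f.token)),
    hasOauthBeta: betas.includes(OAUTH_BETA),
  };
}

// Constructed sample requests mirroring the two curl commands in the report.
const SAMPLE_X_API_KEY = { "x-api-key": "sk-ant-oat01-EXAMPLEONLY", "anthropic-beta": "oauth-2025-04-20" };
const SAMPLE_BEARER = { Authorization: "Bearer sk-ant-oat01-EXAMPLEONLY", "Anthropic-Beta": "example-beta, oauth-2025-04-20" };

console.log(classifyAuthHeaders(SAMPLE_X_API_KEY));
console.log(classifyAuthHeaders(SAMPLE_BEARER));
```

Feeding it headers captured from the gateway's real outbound requests (for example through a local logging proxy) confirms which header each version actually sends without writing the token to disk.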
