Skip to content

feat(auth): add OAuth login with SDK-based subscription providers#32

Merged
yinwm merged 3 commits intosipeed:mainfrom
corylanou:issue-18-add-support-for-openai-anthropic-oauth-based-login
Feb 12, 2026
Merged

feat(auth): add OAuth login with SDK-based subscription providers#32
yinwm merged 3 commits intosipeed:mainfrom
corylanou:issue-18-add-support-for-openai-anthropic-oauth-based-login

Conversation

@corylanou
Copy link
Contributor

@corylanou corylanou commented Feb 11, 2026
edited
Loading

Summary

  • Add OAuth-based login for OpenAI (browser PKCE + device code) and Anthropic (paste token)
  • Add ClaudeProvider wrapping anthropic-sdk-go for Anthropic Messages API with Bearer auth
  • Add CodexProvider wrapping openai-go for OpenAI Codex Responses API at chatgpt.com/backend-api/codex/responses
  • Route subscription auth to correct endpoints with correct API formats (not pay-per-token endpoints)
  • Secure credential storage at ~/.picoclaw/auth.json with automatic token refresh

New CLI commands

  • picoclaw auth login --provider openai — OAuth browser flow (or --device-code for headless)
  • picoclaw auth login --provider anthropic — Paste API token
  • picoclaw auth logout — Clear stored credentials
  • picoclaw auth status — Show auth state

Provider routing

Config auth_method Provider Endpoint
"oauth" (OpenAI) CodexProvider (openai-go SDK) chatgpt.com/backend-api/codex/responses
"token" (Anthropic) ClaudeProvider (anthropic-sdk-go) api.anthropic.com/v1/messages
empty (API key) HTTPProvider (unchanged) provider-specific /chat/completions

Test plan

  • 17 auth tests pass (PKCE, store, OAuth flows, token refresh)
  • 17 provider tests pass (message translation, mock server round-trips for both SDKs)
  • go build ./... compiles
  • go vet ./... passes
  • Existing API key auth path unchanged
  • Manual: picoclaw auth login --provider openaipicoclaw agent -m "hello" uses Codex endpoint
  • Manual: picoclaw auth login --provider anthropicpicoclaw agent -m "hello" uses Claude Messages API

Closes #18

🤖 Generated with Claude Code

corylanou and others added 2 commits February 11, 2026 11:41
@corylanou @claude
feat(auth): add OAuth and token-based login for OpenAI and Anthropic
5efe8a2 
Add `picoclaw auth` CLI command supporting:
- OpenAI OAuth2 (PKCE + browser callback or device code flow)
- Anthropic paste-token flow
- Token storage at ~/.picoclaw/auth.json with 0600 permissions
- Auto-refresh for expired OAuth tokens in provider

Closes sipeed#18

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@corylanou @claude
feat(providers): add SDK-based providers for subscription OAuth login
fbad753 
Add ClaudeProvider (anthropic-sdk-go) and CodexProvider (openai-go) that
use the correct subscription endpoints and API formats:

- CodexProvider: chatgpt.com/backend-api/codex/responses (Responses API)
  with OAuth Bearer auth and Chatgpt-Account-Id header
- ClaudeProvider: api.anthropic.com/v1/messages (Messages API) with
  Authorization: Bearer token auth

Update CreateProvider() routing to use new SDK-based providers when
auth_method is "oauth" or "token", removing the stopgap that sent
subscription tokens to pay-per-token endpoints.

Closes sipeed#18

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@corylanou corylanou changed the title feat(auth): add OAuth and token-based login for OpenAI and Anthropic feat(auth): add OAuth login with SDK-based subscription providers Feb 11, 2026
@corylanou @claude
chore(deps): upgrade openai-go from v1.12.0 to v3.21.0
83f6e44 
Update to latest major version of the official OpenAI Go SDK.
Fix breaking change: FunctionCallOutput.Output is now a union type
(ResponseInputItemFunctionCallOutputOutputUnionParam) instead of string.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@yinwm
Copy link
Collaborator

yinwm commented Feb 12, 2026

LGTM! 🎉

Great work on adding OAuth login support! The code quality is solid with good test coverage (17 auth + 17 provider tests). This is ready to
merge.

Non-blocking suggestions for future iterations:

🔧 Technical debt (optional follow-ups):

  • Token refresh in gateway mode: potential race condition when multiple channels trigger refresh concurrently
  • OAuth flow: several io.ReadAll errors are silently ignored
  • HTTP server: missing ReadTimeout/WriteTimeout (could cause goroutine leaks)

🎯 Minor improvements:

  • OAuth scope: email and profile are requested but not used, consider reducing to just openid offline_access
  • OAuth port: hardcoded to 1455, could fail if port is taken

These don't block merge - just keeping track for future improvements. Thanks for this contribution! 🙏

@yinwm yinwm merged commit 5f1caed into sipeed:main Feb 12, 2026
emadomedher pushed a commit to emadomedher/picoclaw that referenced this pull request Feb 17, 2026
@yinwm
Merge pull request sipeed#32 from corylanou/issue-18-add-support-for-…
a6a28ad 
…openai-anthropic-oauth-based-login

feat(auth): add OAuth login with SDK-based subscription providers
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add support for OpenAI/Anthropic OAuth based login

2 participants

@corylanou @yinwm