Claude OAuth Auto-Renewal

Verified

Automatically detect and renew expired Claude Code OAuth tokens via heartbeat. 3-tier renewal: refresh token → Chrome browser automation → user alert.

81 downloads

About This Skill

# Claude Code OAuth Auto-Renewal

Automatically detect and renew expired Claude Code OAuth tokens during OpenClaw heartbeat cycles. Prevents agent downtime caused by token expiration.

When to Use

USE this skill when:

  • Your OpenClaw agent uses Claude Code as the AI provider
  • You want uninterrupted agent operation without manual token renewal
  • You're running OpenClaw on macOS with Chrome browser

How It Works

3-Tier Renewal Strategy

```
Heartbeat triggers check-claude-oauth.sh
│
├─ Token healthy (>6h remaining) → silent exit ✓
│
├─ Tier 1: claude auth status (refresh token)
│   ├─ Success → silent exit ✓
│   └─ Fail ↓
│
├─ Tier 2: Browser automation (osascript + Chrome JXA)
│   ├─ Start claude auth login
│   ├─ Auto-click "Authorize" on claude.ai
│   ├─ Extract auth code from callback page
│   ├─ Feed code back to CLI via expect
│   ├─ Success → silent exit ✓
│   └─ Fail ↓
│
└─ Tier 3: Alert user → agent notifies via configured channel
```

Token Storage

Claude Code stores OAuth tokens in macOS Keychain under the service name `Claude Code-credentials`. The token JSON includes:

  • `accessToken` — API access token (prefix `sk-ant-oat01-`)
  • `refreshToken` — Used for automatic renewal (prefix `sk-ant-ort01-`)
  • `expiresAt` — Unix timestamp in milliseconds

Prerequisites

  1. macOS with `security` CLI (Keychain access)
  2. Claude Code installed and previously authenticated
  3. Google Chrome with `View → Developer → Allow JavaScript from Apple Events` enabled (for Tier 2)
  4. python3 available in PATH
  5. expect available (ships with macOS)

Setup

1. Copy the script

```bash
cp skills/claude-oauth-renewal/scripts/check-claude-oauth.sh scripts/check-claude-oauth.sh
chmod +x scripts/check-claude-oauth.sh
```

2. Add to HEARTBEAT.md

Add as the first step in your heartbeat execution:

```markdown
## Execution Order

1. Run `bash scripts/check-claude-oauth.sh` — if output exists, relay as highest priority alert
2. (your other heartbeat checks...)
```

3. Test

```bash
# Normal check (silent if token healthy)
bash scripts/check-claude-oauth.sh

# Force trigger by setting high threshold
WARN_HOURS=24 bash scripts/check-claude-oauth.sh
```

Configuration

| Environment Variable | Default | Description |
|---------------------|---------|-------------|
| `WARN_HOURS` | `6` | Hours before expiry to start renewal attempts |

Troubleshooting

"无法读取 Claude Code token"

  • Run `claude auth login` manually to establish initial credentials
  • Verify keychain access: `security find-generic-password -s "Claude Code-credentials" -a "$(whoami)" -g`

Tier 2 (browser automation) not working

  • Enable Chrome JXA: `View → Developer → Allow JavaScript from Apple Events`
  • Or via CLI: `defaults write com.google.Chrome AppleScriptEnabled -bool true` (restart Chrome)
  • Ensure you're logged into claude.ai in Chrome

JSON parsing errors

  • The script uses regex extraction (not `json.loads`) to handle truncated keychain output
  • If `security -w` truncates long values, the `-g` flag is used as fallback
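An added example (not the skill's own script) of the expiry check that the Token Storage, Configuration and JSON parsing notes describe: regex extraction of `expiresAt` from a possibly truncated keychain dump, the `WARN_HOURS` comparison, and redaction of token values before anything is printed. The function names, the sample blobs, the fixed clock and the tolerance for backslash-escaped quotes are assumptions.

```python
import re

WARN_HOURS_DEFAULT = 6  # default from the Configuration table

# Millisecond Unix timestamps are 13 digits; demanding all 13 rejects a value
# that was cut off mid-number. The optional backslashes tolerate escaped quotes
# (an assumption about how a keychain dump may be quoted).
_EXPIRES_RE = re.compile(r'\\?"expiresAt\\?"\s*:\s*(\d{13})(?!\d)')
_TOKEN_RE = re.compile(r'(sk-ant-o[ar]t01-)[A-Za-z0-9_-]+')

def redact(text):
    """Mask access/refresh token bodies so diagnostics never carry a secret."""
    return _TOKEN_RE.sub(r'\1<redacted>', text)

def hours_remaining(blob, now_ms):
    """Hours until expiresAt, or None when no complete timestamp is present."""
    match = _EXPIRES_RE.search(blob)
    if match is None:
        return None
    return (int(match.group(1)) - now_ms) / 3_600_000

def token_state(blob, now_ms, warn_hours=WARN_HOURS_DEFAULT):
    """Classify the credential: healthy, renew, expired or unreadable."""
    hours = hours_remaining(blob, now_ms)
    if hours is None:
        return "unreadable"
    if hours <= 0:
        return "expired"
    return "healthy" if hours > warn_hours else "renew"

# Constructed sample data: placeholder tokens and a fixed clock, not real values.
NOW_MS = 1_700_000_000_000
FULL = ('{"accessToken":"sk-ant-oat01-EXAMPLEONLY",'
        '"expiresAt":1700010800000,'
        '"refreshToken":"sk-ant-ort01-EXAMPLEONLY"}')
CUT_TAIL = FULL[:-20]    # ends inside refreshToken: invalid JSON, timestamp intact
CUT_NUMBER = FULL[:60]   # ends inside the expiresAt digits

if __name__ == "__main__":
    samples = (("full", FULL), ("cut tail", CUT_TAIL), ("cut number", CUT_NUMBER))
    for name, blob in samples:
        print(name, token_state(blob, NOW_MS), redact(blob))
```

Treating a half-read timestamp as "unreadable" rather than parsing the partial digits keeps a truncated dump from being mistaken for a token that expired long ago.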

Notes

  • Tier 1 (refresh token) handles most cases silently
  • Tier 2 (browser) is only needed when refresh token itself expires (typically weeks)
  • Tier 3 (alert) is the last resort when no automated renewal is possible
  • The script never stores or logs actual token values

Use Cases

  • Prevent OpenClaw agent downtime by auto-renewing expired Claude Code OAuth tokens
  • Integrate token health checks into heartbeat cycles for unattended agent operation
  • Fall back to Chrome browser automation when refresh tokens themselves expire
  • Alert operators through configured channels when all automated renewal tiers fail
  • Monitor token expiry timestamps stored in macOS Keychain without manual inspection

Pros & Cons

Pros

  • Three-tier renewal strategy covers most failure scenarios automatically
  • Silent operation when tokens are healthy — zero noise in normal conditions
  • Integrates directly into OpenClaw heartbeat without additional scheduling

Cons

  • macOS-only — relies on Keychain and Chrome JXA for browser automation
  • Tier 2 browser automation requires enabling JavaScript from Apple Events in Chrome
  • Documentation primarily in Chinese

FAQ

What does Claude OAuth Auto-Renewal do?
Automatically detect and renew expired Claude Code OAuth tokens via heartbeat. 3-tier renewal: refresh token → Chrome browser automation → user alert.
What platforms support Claude OAuth Auto-Renewal?
Claude OAuth Auto-Renewal is available on Claude Code, OpenClaw.
What are the use cases for Claude OAuth Auto-Renewal?
Prevent OpenClaw agent downtime by auto-renewing expired Claude Code OAuth tokens. Integrate token health checks into heartbeat cycles for unattended agent operation. Fall back to Chrome browser automation when refresh tokens themselves expire.
