Claude Code OAuth Auto-Renewal
Automatically detect and renew expired Claude Code OAuth tokens during OpenClaw heartbeat cycles. Prevents agent downtime caused by token expiration.
When to Use
✅ USE this skill when:
- Your OpenClaw agent uses Claude Code as the AI provider
- You want uninterrupted agent operation without manual token renewal
- You're running OpenClaw on macOS with Chrome browser
How It Works
3-Tier Renewal Strategy
Heartbeat triggers check-claude-oauth.sh
│
├─ Token healthy (>6h remaining) → silent exit ✓
│
├─ Tier 1: claude auth status (refresh token)
│ ├─ Success → silent exit ✓
│ └─ Fail ↓
│
├─ Tier 2: Browser automation (osascript + Chrome JXA)
│ ├─ Start claude auth login
│ ├─ Auto-click "Authorize" on claude.ai
│ ├─ Extract auth code from callback page
│ ├─ Feed code back to CLI via expect
│ ├─ Success → silent exit ✓
│ └─ Fail ↓
│
└─ Tier 3: Alert user → agent notifies via configured channel
Token Storage
Claude Code stores OAuth tokens in macOS Keychain under the service name Claude Code-credentials. The token JSON includes:
accessToken— API access token (prefixsk-ant-oat01-)refreshToken— Used for automatic renewal (prefixsk-ant-ort01-)expiresAt— Unix timestamp in milliseconds
Prerequisites
- macOS with
securityCLI (Keychain access) - Claude Code installed and previously authenticated
- Google Chrome with
View → Developer → Allow JavaScript from Apple Eventsenabled (for Tier 2) - python3 available in PATH
- expect available (ships with macOS)
Setup
1. Copy the script
cp skills/claude-oauth-renewal/scripts/check-claude-oauth.sh scripts/check-claude-oauth.sh
chmod +x scripts/check-claude-oauth.sh
2. Add to HEARTBEAT.md
Add as the first step in your heartbeat execution:
## Execution Order
0. Run `bash scripts/check-claude-oauth.sh` — if output exists, relay as highest priority alert
1. (your other heartbeat checks...)
3. Test
# Normal check (silent if token healthy)
bash scripts/check-claude-oauth.sh
# Force trigger by setting high threshold
WARN_HOURS=24 bash scripts/check-claude-oauth.sh
Configuration
| Environment Variable | Default | Description |
|---|---|---|
WARN_HOURS | 6 | Hours before expiry to start renewal attempts |
Troubleshooting
"无法读取 Claude Code token"
- Run
claude auth loginmanually to establish initial credentials - Verify keychain access:
security find-generic-password -s "Claude Code-credentials" -a "$(whoami)" -g
Tier 2 (browser automation) not working
- Enable Chrome JXA:
View → Developer → Allow JavaScript from Apple Events - Or via CLI:
defaults write com.google.Chrome AppleScriptEnabled -bool true(restart Chrome) - Ensure you're logged into claude.ai in Chrome
JSON parsing errors
- The script uses regex extraction (not
json.loads) to handle truncated keychain output - If
security -wtruncates long values, the-gflag is used as fallback
Notes
- Tier 1 (refresh token) handles most cases silently
- Tier 2 (browser) is only needed when refresh token itself expires (typically weeks)
- Tier 3 (alert) is the last resort when no automated renewal is possible
- The script never stores or logs actual token values