Issue Station
Sign In
Tools hereToolbox

openclaw - 💡(How to fix) Fix Claude Max OAuth token sent as Bearer instead of x-api-key on v2026.3.24 — breaks Opus/Sonnet 4.6 [2 comments, 3 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#56934Fetched 2026-04-08 01:45:47
View on GitHub
Comments
2
Participants
3
Timeline
2
Reactions
2
Author
mrgb5mrgb5
Participants
cce15cce15mrgb5mrgb5nashdanashda
Timeline (top)
commented ×2

Error Message

  • Direct curl with x-api-key header + Opus/Sonnet → 400 invalid_request_error: "Error"
  • #19769 (Anthropic auth fails with OAuth error)

Fix Action

Fix / Workaround

Workaround needed

RAW_BUFFERClick to expand / collapse

Bug Description

OpenClaw v2026.3.24 sends Claude Max subscription OAuth tokens (sk-ant-oat01-*) as Authorization: Bearer header instead of x-api-key header, even when the auth profile type is set to api_key. This breaks Opus 4.6 and Sonnet 4.6 (Haiku 4.5 works with x-api-key).

Environment

  • OpenClaw version: 2026.3.24 (cff6dc9)
  • Platform: Hostinger VPS, Docker (ghcr.io/hostinger/hvps-openclaw:latest)
  • Subscription: Claude Max
  • Models affected: anthropic/claude-opus-4-6, anthropic/claude-sonnet-4-6
  • Models working: anthropic/claude-haiku-4-5 (when sent as x-api-key via curl)

What works

  • claude -p "ok" --model opus inside the container → works perfectly
  • CLAUDE_CODE_OAUTH_TOKEN env var is valid (claude auth statusloggedIn: true, authMethod: oauth_token)
  • Direct curl with x-api-key header + Haiku → 200 OK

What fails

  • openclaw agent -m "ok" --agent mainHTTP 401 authentication_error: Invalid bearer token
  • Direct curl with x-api-key header + Opus/Sonnet → 400 invalid_request_error: "Error"
  • Any auth profile (both type: token and type: api_key) → gateway sends Bearer

Steps to reproduce

  1. Fresh OpenClaw v2026.3.24 on Docker
  2. Set CLAUDE_CODE_OAUTH_TOKEN env var with a valid Max subscription token
  3. Run openclaw models auth login --provider anthropic → choose "Anthropic API key" → paste sk-ant-oat01-* token
  4. Auth profile created as anthropic:default (anthropic/api_key)
  5. Run openclaw agent -m "ok" --agent main --timeout 30
  6. Result: HTTP 401 authentication_error: Invalid bearer token

Evidence

The gateway sends the token as Authorization: Bearer sk-ant-oat01-* even though the profile is type: api_key. Confirmed by intercepting traffic with a local HTTPS proxy — the proxy logs show Bearer header being sent, and converting it to x-api-key reaches the API successfully (proxy received requests and forwarded them).

Expected behavior

When type: api_key, OpenClaw should send the token as x-api-key header, not Authorization: Bearer.

Related issues

  • #19938 (setup-token auth broken after 2026.2.17)
  • #19769 (Anthropic auth fails with OAuth error)
  • #23472 (Opus 4.6 1M context not available for Max)

Workaround needed

Is there a configuration to force x-api-key header for Anthropic OAuth tokens? Or a version where this works correctly?

extent analysis

Fix Plan

To fix the issue, you need to modify the OpenClaw configuration to send the token as x-api-key header instead of Authorization: Bearer.

Here are the steps:

  • Update the openclaw configuration file to include a custom header for Anthropic API requests.
  • Set the X-API-KEY header with the sk-ant-oat01-* token.

Example configuration update:

auth_profiles:
  anthropic:
    type: api_key
    token: sk-ant-oat01-*
    headers:
      X-API-KEY: sk-ant-oat01-*

Alternatively, you can use environment variables to set the custom header:

export OPENCLAW_AUTH_PROFILES_ANTHROPIC_HEADERS_X_API_KEY=sk-ant-oat01-*

If you are using a Docker container, you can update the docker-compose.yml file to include the custom header:

version: '3'
services:
  openclaw:
    ...
    environment:
      - OPENCLAW_AUTH_PROFILES_ANTHROPIC_HEADERS_X_API_KEY=sk-ant-oat01-*

Verification

To verify that the fix worked, you can use a tool like curl to intercept the requests and check the headers:

curl -X GET \
  https://api.anthropic.com/ \
  -H 'X-API-KEY: sk-ant-oat01-*' \
  -v

This should show the X-API-KEY header being sent with the request. You can also check the OpenClaw logs to ensure that the custom header is being sent correctly.

Extra Tips

  • Make sure to update the openclaw version to the latest available to ensure that any related issues are fixed.
  • If you are using a load balancer or proxy, ensure that it is configured to forward the custom header correctly.
  • You can also use a debugging tool like tcpdump or Wireshark to inspect the network traffic and verify that the custom header is being sent correctly.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…

FAQ

Expected behavior

When type: api_key, OpenClaw should send the token as x-api-key header, not Authorization: Bearer.

#api#dependency conflict#environment setup#docker error#permission error

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING