openclaw - 💡(How to fix) Fix [Docs]: OAuth tokens require undocumented system prompt identity for non-Haiku models — pi-ai handles it, but service_tier gap remains [1 comments, 2 participants]

Summary

After extensive investigation into why OAuth-authenticated OpenClaw agents get HTTP 400/529 errors on non-Haiku models, we've identified two separate issues:

1. Anthropic's undocumented system prompt validation (already handled by pi-ai) — OAuth tokens require "You are Claude Code, Anthropic's official CLI for Claude." as the first system entry. pi-ai already injects this correctly.

2. The service_tier gap (#55758, still unfixed) — OAuth tokens are excluded from service_tier injection, making OpenClaw agents significantly more vulnerable to 529 overloaded errors during high API load compared to Claude CLI users.

This issue documents the findings for the community and tracks the remaining service_tier gap.

The system prompt validation (resolved in pi-ai)

Anthropic silently validates that OAuth token requests include a specific identity string in the system prompt. We confirmed this via controlled curl tests from our production server:

pi-ai already handles this correctly in buildParams (anthropic.js):

if (isOAuthToken) {
    params.system = [
        { type: "text", text: "You are Claude Code, Anthropic's official CLI for Claude." },
    ];
    if (context.systemPrompt) {
        params.system.push({ type: "text", text: sanitizeSurrogates(context.systemPrompt) });
    }
}

This means OpenClaw agents can use Opus/Sonnet with OAuth tokens — the identity injection works. If you're getting 400 errors on non-Haiku models, check that:

• Your pi-ai version includes the OAuth system prompt injection
• Nothing in your pipeline is overriding or flattening the system array after pi-ai constructs it

The remaining issue: service_tier (#55758)

OAuth tokens are explicitly excluded from service_tier injection in createAnthropicFastModeWrapper:

if (isAnthropicOAuthApiKey(options?.apiKey))   // ← OAuth skipped
    return underlying(model, context, options);

payloadObj.service_tier = serviceTier;  // ← Only non-OAuth gets this

This means during any Anthropic capacity incident:

• Claude CLI (same OAuth token, with service_tier) → gets priority → works
• OpenClaw (same OAuth token, without service_tier) → lowest priority → 529 cascade → cooldown spiral

We experienced this firsthand during the Anthropic incident on 2026-03-27 ("Elevated error rates on Opus 4.6"). Our agents were hit with 132 overloaded errors in bursts, while the CLI worked fine with the same token.

Why this matters

Many OpenClaw users have been stuck on Haiku or forced to buy separate API keys, believing OAuth is fundamentally broken for non-Haiku models. In reality:

• The system prompt validation is handled by pi-ai ✓
• The 529 vulnerability from missing service_tier is the real ongoing risk
• The Anthropic error message ({"message":"Error"}) gives zero debugging signal, making it nearly impossible to diagnose without reverse-engineering the CLI

Related issues

• #55758 — OAuth tokens skip service_tier (root cause of 529 vulnerability)
• #55857 — OAuth token injection broken after embedded run auth controller refactor
• #41444 — oauth-2025-04-20 beta not injected when context1m set via model headers
• #46733 — Opus 4.6 1M context broken with OAuth
• #55777 — OAuth auto-refresh silently fails

Upstream (Anthropic):

• anthropics/claude-code#40515 — Our issue documenting the undocumented system prompt validation
• anthropics/claude-code#34412, #35269, #8052 — Community reports, all auto-closed without staff engagement

Environment

• OpenClaw: 2026.3.24 (testing upgrade to 2026.3.28)
• pi-ai: version deployed with OpenClaw (includes OAuth system prompt injection)
• OAuth token: sk-ant-oat01-* (Claude Max, setup token)
• Server: Ubuntu 24.04, Docker