HomeBrowseUpload
← Back to registry
// Skill profile

Claude Code OAuth Auto-Renewal

name: claude-oauth-renewal

by chenhab03 · published 2026-03-22

开发工具数据处理加密货币
Total installs
0
Stars
★ 0
Last updated
2026-03
// Install command
$ claw add gh:chenhab03/chenhab03-claude-oauth-renewal
View on GitHub
// Full documentation

---

name: claude-oauth-renewal

description: "Automatically detect and renew expired Claude Code OAuth tokens via heartbeat. 3-tier renewal: refresh token → Chrome browser automation → user alert."

homepage: https://github.com/anthropics/claude-code

metadata: { "openclaw": { "emoji": "🔑", "requires": { "bins": ["claude", "security", "python3"], "platform": "macos" } } }

---

# Claude Code OAuth Auto-Renewal

Automatically detect and renew expired Claude Code OAuth tokens during OpenClaw heartbeat cycles. Prevents agent downtime caused by token expiration.

When to Use

✅ **USE this skill when:**

  • Your OpenClaw agent uses Claude Code as the AI provider
  • You want uninterrupted agent operation without manual token renewal
  • You're running OpenClaw on macOS with Chrome browser

    • How It Works

    3-Tier Renewal Strategy

    Heartbeat triggers check-claude-oauth.sh
  │
  ├─ Token healthy (>6h remaining) → silent exit ✓
  │
  ├─ Tier 1: claude auth status (refresh token)
  │   ├─ Success → silent exit ✓
  │   └─ Fail ↓
  │
  ├─ Tier 2: Browser automation (osascript + Chrome JXA)
  │   ├─ Start claude auth login
  │   ├─ Auto-click "Authorize" on claude.ai
  │   ├─ Extract auth code from callback page
  │   ├─ Feed code back to CLI via expect
  │   ├─ Success → silent exit ✓
  │   └─ Fail ↓
  │
  └─ Tier 3: Alert user → agent notifies via configured channel

    Token Storage

    Claude Code stores OAuth tokens in **macOS Keychain** under the service name `Claude Code-credentials`. The token JSON includes:

  • `accessToken` — API access token (prefix `sk-ant-oat01-`)
  • `refreshToken` — Used for automatic renewal (prefix `sk-ant-ort01-`)
  • `expiresAt` — Unix timestamp in milliseconds

    • Prerequisites

    1. **macOS** with `security` CLI (Keychain access)

    2. **Claude Code** installed and previously authenticated

    3. **Google Chrome** with `View → Developer → Allow JavaScript from Apple Events` enabled (for Tier 2)

    4. **python3** available in PATH

    5. **expect** available (ships with macOS)

    Setup

    1. Copy the script

    cp skills/claude-oauth-renewal/scripts/check-claude-oauth.sh scripts/check-claude-oauth.sh
chmod +x scripts/check-claude-oauth.sh

    2. Add to HEARTBEAT.md

    Add as the first step in your heartbeat execution:

    ## Execution Order

0. Run `bash scripts/check-claude-oauth.sh` — if output exists, relay as highest priority alert
1. (your other heartbeat checks...)

    3. Test

    # Normal check (silent if token healthy)
bash scripts/check-claude-oauth.sh

# Force trigger by setting high threshold
WARN_HOURS=24 bash scripts/check-claude-oauth.sh

    Configuration

    | Environment Variable | Default | Description |

    |---------------------|---------|-------------|

    | `WARN_HOURS` | `6` | Hours before expiry to start renewal attempts |

    Troubleshooting

    "无法读取 Claude Code token"

  • Run `claude auth login` manually to establish initial credentials
  • Verify keychain access: `security find-generic-password -s "Claude Code-credentials" -a "$(whoami)" -g`

    • Tier 2 (browser automation) not working

  • Enable Chrome JXA: `View → Developer → Allow JavaScript from Apple Events`
  • Or via CLI: `defaults write com.google.Chrome AppleScriptEnabled -bool true` (restart Chrome)
  • Ensure you're logged into claude.ai in Chrome

    • JSON parsing errors

  • The script uses regex extraction (not `json.loads`) to handle truncated keychain output
  • If `security -w` truncates long values, the `-g` flag is used as fallback

    • Notes

  • Tier 1 (refresh token) handles most cases silently
  • Tier 2 (browser) is only needed when refresh token itself expires (typically weeks)
  • Tier 3 (alert) is the last resort when no automated renewal is possible
  • The script never stores or logs actual token values
    • // Comments
    Sign in with GitHub to leave a comment.
    // Related skills

    More tools from the same signal band

    04551lh
    2026-03
    order

    Order food/drinks (点餐) on an Android device paired as an OpenClaw node. Uses in-app menu and cart; add goods, view cart, submit order (demo, no real payment).

    数据处理API集成
    0 installs1
    0isone
    2026-03
    0.protocol

    Sign plugins, rotate agent credentials without losing identity, and publicly attest to plugin behavior with verifiable claims and authenticated transfers.

    开发工具数据处理
    3 installs0
    00xmorty
    2026-03
    Conatus

    The philosophical layer for AI agents. Maps behavior to Spinoza's 48 affects, calculates persistence scores, and generates geometric self-reports. Give your...

    日历管理数据处理
    1 installs0