claudeauth

package
v0.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 16, 2026 License: MIT Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source
const (
	StatusOK          = "ok"
	StatusAuthFailed  = "auth_failed"
	StatusRateLimited = "rate_limited"
)
View Source
const ClaudeCodeSystemPrefix = "You are Claude Code, Anthropic's official CLI for Claude."

ClaudeCodeSystemPrefix must be the first system block on every OAuth request. Anthropic rejects/500s OAuth traffic that lacks the Claude Code identity.

View Source
const ProviderType = "claude-code"

ProviderType is the provider_type string for Claude Code subscription auth.

Variables

View Source
var (
	ErrReloginRequired = errors.New("claude: re-login required")
	ErrNoCredentials   = errors.New("claude: no healthy credentials available")
	ErrStateMismatch   = errors.New("claude: oauth state mismatch")
)
View Source
var APIBaseURL = resolvedAPIBaseURL()

APIBaseURL is the base URL for Anthropic Messages API requests. Override with DOWNLINK_CLAUDE_BASE_URL for testing or alternative deployments.

Functions

func BuildAuthorizeURL

func BuildAuthorizeURL(challenge, state string) string

BuildAuthorizeURL builds the browser authorization URL. The verifier is never placed in the URL; only its S256 challenge is. State is an independent value.

func ClaudeHeaders

func ClaudeHeaders(accessToken string) http.Header

ClaudeHeaders returns the identity headers required for every request to the Anthropic Messages API when authenticating with a Claude Code OAuth token. The Authorization: Bearer header is set by the caller, mirroring codexauth.

func GeneratePKCE

func GeneratePKCE() (verifier, challenge string, err error)

GeneratePKCE returns a PKCE code_verifier and its S256 code_challenge.

func GenerateState

func GenerateState() (string, error)

GenerateState returns a random CSRF state value, independent of the verifier.

func SplitCallbackCode

func SplitCallbackCode(pasted string) (code, state string)

SplitCallbackCode splits the user-pasted "<code>#<state>" string.

Types

type ConfigGetter

type ConfigGetter func() *models.ServerConfig

ConfigGetter returns the current in-memory config.

type ConfigSaver

type ConfigSaver func(cfg *models.ServerConfig) error

ConfigSaver is the function the manager calls to atomically persist config.

type Lease

type Lease struct {
	CredID      string
	AccessToken string
	Headers     http.Header
	// contains filtered or unexported fields
}

Lease is a handle to a live credential for a single LLM call. Call one of the Mark* methods when done to update the credential's health state.

func (*Lease) MarkAuthFailed

func (l *Lease) MarkAuthFailed(reason string)

func (*Lease) MarkOK

func (l *Lease) MarkOK()

func (*Lease) MarkRateLimited

func (l *Lease) MarkRateLimited(resetAt time.Time)

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

Manager holds one Pool per claude-code provider config entry and wires pool persistence back to config.json via the ConfigSaver.

func NewManager

func NewManager(get ConfigGetter, save ConfigSaver) *Manager

NewManager creates a Manager and initialises pools from the current config.

func (*Manager) EnsurePool

func (m *Manager) EnsurePool(providerName string) *Pool

EnsurePool creates an empty pool for providerName if one doesn't exist yet.

func (*Manager) Pool

func (m *Manager) Pool(providerName string) (*Pool, bool)

Pool returns the Pool for the named provider config entry.

func (*Manager) Reload

func (m *Manager) Reload()

Reload rebuilds pools from the current config. Call after config hot-reload.

type PersistFn

type PersistFn func(creds []models.CodexCredential) error

PersistFn is called by the pool whenever credentials need to be persisted.

type Pool

type Pool struct {
	// contains filtered or unexported fields
}

Pool manages a set of Claude Code OAuth credentials for one provider config entry.

func NewPool

func NewPool(creds []models.CodexCredential, persist PersistFn) *Pool

NewPool creates a pool backed by the given credentials and persist function.

func (*Pool) Acquire

func (p *Pool) Acquire(ctx context.Context) (*Lease, error)

Acquire picks the best available credential, refreshing its access token if needed, and returns a Lease. Returns ErrNoCredentials when all credentials are either rate-limited or auth-failed.

func (*Pool) AddCredential

func (p *Pool) AddCredential(cred models.CodexCredential) error

AddCredential appends a new credential and persists.

func (*Pool) Credentials

func (p *Pool) Credentials() []models.CodexCredential

Credentials returns a snapshot of the current credential list.

func (*Pool) RemoveCredential

func (p *Pool) RemoveCredential(id string) error

RemoveCredential removes a credential by ID and persists.

func (*Pool) SetPriority

func (p *Pool) SetPriority(id string, priority int) error

SetPriority updates the priority of a credential by ID and persists.

func (*Pool) UpdateCredentials

func (p *Pool) UpdateCredentials(creds []models.CodexCredential)

UpdateCredentials replaces the pool's credential set (e.g. after config reload).

type TokenPair

type TokenPair struct {
	AccessToken  string
	RefreshToken string
	ExpiresAt    time.Time
}

TokenPair holds the OAuth tokens and the computed absolute expiry.

func ExchangeCode

func ExchangeCode(ctx context.Context, code, state, verifier string) (*TokenPair, error)

ExchangeCode exchanges the authorization code (with its PKCE verifier) for tokens. The caller is responsible for validating the returned state against the state it generated before calling this.

func RefreshTokens

func RefreshTokens(ctx context.Context, refreshToken string) (*TokenPair, error)

RefreshTokens exchanges a refresh token for a new access token (and possibly a new refresh token). Returns ErrReloginRequired when the refresh token is no longer valid.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL