Self-contained Anthropic auth provider for OpenCode using your Claude Code credentials — no separate login or API key needed.
The plugin registers its own auth provider with a custom fetch handler that intercepts all Anthropic API requests. It reads OAuth tokens from the macOS Keychain (or ~/.claude/.credentials.json on other platforms), caches them in memory with a 30-second TTL, and handles the full request lifecycle — no builtin Anthropic auth plugin required.
It also syncs credentials to OpenCode's auth.json as a fallback (on Windows, it writes to both %USERPROFILE%\.local\share\opencode\auth.json and %LOCALAPPDATA%\opencode\auth.json to cover all installation methods). If a token is near expiry, it runs the Claude CLI to trigger a refresh. Background re-sync runs every 5 minutes.
- Claude Code installed and authenticated (run
claudeat least once) - OpenCode installed
macOS is preferred (uses Keychain). Linux and Windows work via the credentials file fallback.
Paste this into your AI agent (Claude Code, Cursor, Copilot, etc.):
Fetch https://raw.githubusercontent.com/griffinmartin/opencode-claude-auth/main/installation.md and follow every step exactly as written.
npm install -g opencode-claude-authThen add to the plugin array in your opencode.json:
{
"plugin": ["opencode-claude-auth"]
}Just run OpenCode. The plugin handles auth automatically — it reads your Claude Code credentials, provides them to the Anthropic API, and refreshes them in the background. If your credentials aren't OAuth-based, the plugin falls through to standard API key auth.
15 supported models. Run npm run test:models to verify against your account.
| Model |
|---|
| claude-3-haiku-20240307 |
| claude-haiku-4-5 |
| claude-haiku-4-5-20251001 |
| claude-opus-4-0 |
| claude-opus-4-1 |
| claude-opus-4-1-20250805 |
| claude-opus-4-20250514 |
| claude-opus-4-5 |
| claude-opus-4-5-20251101 |
| claude-opus-4-6 |
| claude-sonnet-4-0 |
| claude-sonnet-4-20250514 |
| claude-sonnet-4-5 |
| claude-sonnet-4-5-20250929 |
| claude-sonnet-4-6 |
The plugin checks these in order:
- macOS Keychain ("Claude Code-credentials" entry)
~/.claude/.credentials.json(fallback, works on all platforms)
| Problem | Solution |
|---|---|
| "Credentials not found" | Run claude to authenticate with Claude Code first |
| "Keychain is locked" | Run security unlock-keychain ~/Library/Keychains/login.keychain-db |
| "Token expired and refresh failed" | The plugin runs claude CLI to refresh automatically. If this fails, re-authenticate manually by running claude |
| Not working on Linux/Windows | Ensure ~/.claude/.credentials.json exists. Run claude to create it |
| Keychain access denied | Grant access when macOS prompts you |
| Keychain read timed out | Restart Keychain Access (can happen on macOS Tahoe) |
| "Credentials are unavailable or expired" | Run claude to refresh your Claude Code credentials |
All configurable parameters can be overridden via environment variables. If Anthropic changes something before we publish an update, set an env var and keep working:
| Variable | Description | Default |
|---|---|---|
ANTHROPIC_CLI_VERSION |
Claude CLI version for user-agent and billing headers | 2.1.80 |
ANTHROPIC_USER_AGENT |
Full User-Agent string (overrides CLI version) | claude-cli/{version} (external, cli) |
ANTHROPIC_BETA_FLAGS |
Comma-separated beta feature flags | claude-code-20250219,oauth-2025-04-20,interleaved-thinking-2025-05-14,prompt-caching-scope-2026-01-05 |
Example:
export ANTHROPIC_CLI_VERSION=2.2.0- Registers an
auth.loaderwith a customfetchthat intercepts all Anthropic API requests - Sets
Authorization: Bearerwith fresh OAuth tokens (cached in memory, 30s TTL) - Translates tool names between OpenCode and Anthropic API formats (adds/strips
mcp_prefix) - Buffers SSE response streams at event boundaries for reliable tool name translation
- Injects Claude Code identity into system prompts via
experimental.chat.system.transform - Sets required API headers (beta flags, billing, user-agent) with model-aware selection
- Syncs credentials to
auth.jsonon startup and every 5 minutes as a fallback - On Windows, writes to both
%USERPROFILE%\.local\share\opencode\auth.jsonand%LOCALAPPDATA%\opencode\auth.json - Retries API requests on 429 (rate limit) and 529 (overloaded) with exponential backoff, respecting
retry-afterheaders - When a token is within 60 seconds of expiry, runs
claudeCLI to trigger a refresh (with one automatic retry) - If credentials aren't OAuth-based, the auth loader returns
{}and falls through to API key auth - If credentials are unavailable or unreadable, the plugin disables itself and OpenCode continues without Claude auth
This plugin uses Claude Code's OAuth credentials to authenticate with Anthropic's API. Anthropic's Terms of Service state that Claude Pro/Max subscription tokens should only be used with official Anthropic clients. This plugin exists as a community workaround and may stop working if Anthropic changes their OAuth infrastructure. Use at your own discretion.
MIT