@ducci/jarvis 1.0.35 → 1.0.36

package/docs/findings/018-anthropic-oauth-token-support.md

@@ -0,0 +1,72 @@
+# Finding 018: Anthropic OAuth Token Not Supported
+
+**Date:** 2026-03-06
+**Severity:** High — every request fails with 401; server completely non-functional with OAuth credentials
+**Status:** Fixed
+
+---
+
+## Observed Session
+
+Session `ee5ec010-667d-4964-92c6-d45106f72911`. Provider: Anthropic direct API. Key prefix: `sk-ant-oat01-` (OAuth token generated via `claude setup-token`).
+
+| Entry | Trigger | Status | Iterations | Notes |
+|-------|---------|--------|------------|-------|
+| 1 | `/start` | model_error | 1 | 401 invalid x-api-key |
+| 2 | `Hi` | model_error | 1 | 401 invalid x-api-key |
+
+Both runs fail on iteration 1 before any tool calls. Zero useful work done.
+
+---
+
+## Root Cause
+
+`createAnthropicClient` in `src/server/provider.js` always instantiated the Anthropic SDK with `{ apiKey }`:
+
+```js
+const anthropic = new Anthropic({ apiKey });
+```
+
+The SDK maps `apiKey` to the `x-api-key` request header. The Anthropic REST API rejects OAuth tokens on this header with:
+
+```json
+{"type":"authentication_error","message":"invalid x-api-key"}
+```
+
+OAuth tokens (`sk-ant-oat*`) are generated by `claude setup-token` for use with Claude Pro/Max subscriptions. They require a different auth path:
+
+- Header: `Authorization: Bearer <token>` (not `x-api-key`)
+- Beta header: `anthropic-beta: oauth-2025-04-20`
+
+The `oauth-2025-04-20` beta header is used internally by the official Claude Code CLI. Without it, the API returns `"OAuth authentication is currently not supported."` even with the correct `Authorization: Bearer` header.
+
+---
+
+## Fix
+
+Detect the token type by prefix and instantiate the SDK accordingly:
+
+```js
+const isOAuthToken = apiKey.startsWith('sk-ant-oat');
+const anthropic = isOAuthToken
+  ? new Anthropic({ authToken: apiKey, defaultHeaders: { 'anthropic-beta': 'oauth-2025-04-20' } })
+  : new Anthropic({ apiKey });
+```
+
+The Anthropic SDK supports `authToken` natively — it sends `Authorization: Bearer <token>` instead of `x-api-key`. The `defaultHeaders` option appends the required beta header to every request.
+
+No changes to the adapter interface or anywhere else in the codebase. Both paths produce identical output shape.
+
+---
+
+## Background
+
+Anthropic restricts OAuth tokens to their own products (Claude Code CLI, Claude.ai) via ToS. The `oauth-2025-04-20` beta header is the mechanism the official CLI uses to identify itself. Using it in Jarvis enables the same auth path.
+
+---
+
+## Files Changed
+
+| File | Change |
+|------|--------|
+| `src/server/provider.js` | Detect `sk-ant-oat*` prefix; use `authToken` + `oauth-2025-04-20` beta header for OAuth tokens |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ducci/jarvis",
-  "version": "1.0.35",
+  "version": "1.0.36",
   "description": "A fully automated agent system that lives on a server.",
   "main": "./src/index.js",
   "type": "module",

package/src/server/provider.js

@@ -112,7 +112,10 @@ function anthropicResponseToOpenAI(response) {
 
 // Build an Anthropic adapter that exposes the same interface as the OpenAI SDK client
 function createAnthropicClient(apiKey) {
-  const anthropic = new Anthropic({ apiKey });
+  const isOAuthToken = apiKey.startsWith('sk-ant-oat');
+  const anthropic = isOAuthToken
+    ? new Anthropic({ authToken: apiKey, defaultHeaders: { 'anthropic-beta': 'oauth-2025-04-20' } })
+    : new Anthropic({ apiKey });
 
   return {
     chat: {