Skip to content
RemoteClaw

Authentication

Authentication

RemoteClaw supports OAuth and API keys for model providers. For always-on gateway hosts, API keys are usually the most predictable option. Subscription/OAuth flows are also supported when they match your provider account model.

See /concepts/oauth for the full OAuth flow and storage layout. For SecretRef-based auth (env/file/exec providers), see Secrets Management. For credential eligibility/reason-code rules used by models status --probe, see Auth Credential Semantics.

If you’re running a long-lived gateway, start with an API key for your chosen provider. For Anthropic specifically, API key auth is the safe path and is recommended over subscription setup-token auth.

  1. Create an API key in your provider console.
  2. Put it on the gateway host (the machine running remoteclaw gateway).
Terminal window
export <PROVIDER>_API_KEY="..."
remoteclaw models status
  1. If the Gateway runs under systemd/launchd, prefer putting the key in ~/.remoteclaw/.env so the daemon can read it:
Terminal window
cat >> ~/.remoteclaw/.env <<'EOF'
<PROVIDER>_API_KEY=...
EOF

Then restart the daemon (or restart your Gateway process) and re-check:

Terminal window
remoteclaw models status
remoteclaw doctor

If you’d rather not manage env vars yourself, onboarding can store API keys for daemon use: remoteclaw onboard.

See Help for details on env inheritance (env.shellEnv, ~/.remoteclaw/.env, systemd/launchd).

Anthropic: setup-token (subscription auth)

If you’re using a Claude subscription, the setup-token flow is supported. Run it on the gateway host:

Terminal window
claude setup-token

Then paste it into RemoteClaw:

Terminal window
remoteclaw models auth setup-token --provider anthropic

If the token was created on another machine, paste it manually:

Terminal window
remoteclaw models auth paste-token --provider anthropic

If you see an Anthropic error like:

This credential is only authorized for use with Claude Code and cannot be used for other API requests.

…use an Anthropic API key instead.

Anthropic setup-token support is technical compatibility only. Anthropic has blocked some subscription usage outside Claude Code in the past. Use it only if you decide the policy risk is acceptable, and verify Anthropic's current terms yourself.

Manual token entry (any provider; writes auth-profiles.json + updates config):

Terminal window
remoteclaw models auth paste-token --provider anthropic
remoteclaw models auth paste-token --provider openrouter

Auth profile refs are also supported for static credentials:

  • api_key credentials can use keyRef: { source, provider, id }
  • token credentials can use tokenRef: { source, provider, id }

Automation-friendly check (exit 1 when expired/missing, 2 when expiring):

Terminal window
remoteclaw models status --check

Optional ops scripts (systemd/Termux) are documented here: /automation/auth-monitoring

claude setup-token requires an interactive TTY.

Checking model auth status

Terminal window
remoteclaw models status
remoteclaw doctor

API key rotation behavior (gateway)

Some providers support retrying a request with alternative keys when an API call hits a provider rate limit.

  • Priority order:
    • REMOTECLAW_LIVE_<PROVIDER>_KEY (single override)
    • <PROVIDER>_API_KEYS
    • <PROVIDER>_API_KEY
    • <PROVIDER>_API_KEY_*
  • Google providers also include GOOGLE_API_KEY as an additional fallback.
  • The same key list is deduplicated before use.
  • RemoteClaw retries with the next key only for rate-limit errors (for example 429, rate_limit, quota, resource exhausted).
  • Non-rate-limit errors are not retried with alternate keys.
  • If all keys fail, the final error from the last attempt is returned.

Controlling which credential is used

Per-session (chat command)

Use /model <alias-or-id>@<profileId> to pin a specific provider credential for the current session (example profile ids: anthropic:default, anthropic:work).

Use /model (or /model list) for a compact picker; use /model status for the full view (candidates + next auth profile, plus provider endpoint details when configured).

Per-agent (CLI override)

Set an explicit auth profile order override for an agent (stored in that agent’s auth-profiles.json):

Terminal window
remoteclaw models auth order get --provider anthropic
remoteclaw models auth order set --provider anthropic anthropic:default
remoteclaw models auth order clear --provider anthropic

Use --agent <id> to target a specific agent; omit it to use the configured default agent.

Troubleshooting

”No credentials found”

If the Anthropic token profile is missing, run claude setup-token on the gateway host, then re-check:

Terminal window
remoteclaw models status

Token expiring/expired

Run remoteclaw models status to confirm which profile is expiring. If the profile is missing, rerun claude setup-token and paste the token again.

Requirements

  • Anthropic subscription account (for claude setup-token)
  • Claude Code CLI installed (claude command available)