[BUG] setup-token OAuth PKCE sends lowercase s256 instead of S256 on Termux

Resolved 💬 3 comments Opened Feb 1, 2026 by M0nkeyFl0wer Closed Mar 27, 2026

Bug Description

Running claude setup-token on Termux (Android) fails with:

Invalid OAuth Request
Invalid code_challenge_method: s256. Expected: 'S256'

The PKCE code_challenge_method parameter is being sent as lowercase s256 instead of uppercase S256 as required by RFC 7636.

Steps to Reproduce

  1. Install Claude Code via npm on Termux (Android)
  2. Run claude setup-token
  3. OAuth flow fails with the case-sensitivity error above

Expected Behavior

code_challenge_method should be sent as S256 (uppercase) per the PKCE spec. The setup-token flow should complete and return a long-lived token.

Environment

  • Claude Code version: 2.1.29
  • Platform: Termux on Android (aarch64)
  • Node.js: v22.20.0
  • Installation method: npm
  • OS: Linux 5.15.167-android13-8

Context

  • Standard /login OAuth also expires every ~24 hours on Termux, with Cloudflare blocking token refresh
  • setup-token was attempted as a workaround for the short-lived token issue (see #12447)
  • The s256 vs S256 case issue is a known PKCE pitfall — the RFC only defines uppercase S256
  • This may be related to the npm-to-native installation transition, as the OAuth implementation may have changed

Workaround

Currently authenticating on a separate Linux machine and copying credentials to Termux manually.

Related Issues

  • #12447 - OAuth token expiration disrupts autonomous workflows
  • #15637 - Hardcoded /tmp/claude paths break on Termux
  • #6244 - OAuth authentication errors on Termux

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗