[BUG] setup-token OAuth PKCE sends lowercase s256 instead of S256 on Termux
Resolved 💬 3 comments Opened Feb 1, 2026 by M0nkeyFl0wer Closed Mar 27, 2026
Bug Description
Running claude setup-token on Termux (Android) fails with:
Invalid OAuth Request
Invalid code_challenge_method: s256. Expected: 'S256'
The PKCE code_challenge_method parameter is being sent as lowercase s256 instead of uppercase S256 as required by RFC 7636.
Steps to Reproduce
- Install Claude Code via npm on Termux (Android)
- Run
claude setup-token - OAuth flow fails with the case-sensitivity error above
Expected Behavior
code_challenge_method should be sent as S256 (uppercase) per the PKCE spec. The setup-token flow should complete and return a long-lived token.
Environment
- Claude Code version: 2.1.29
- Platform: Termux on Android (aarch64)
- Node.js: v22.20.0
- Installation method: npm
- OS: Linux 5.15.167-android13-8
Context
- Standard
/loginOAuth also expires every ~24 hours on Termux, with Cloudflare blocking token refresh setup-tokenwas attempted as a workaround for the short-lived token issue (see #12447)- The
s256vsS256case issue is a known PKCE pitfall — the RFC only defines uppercaseS256 - This may be related to the npm-to-native installation transition, as the OAuth implementation may have changed
Workaround
Currently authenticating on a separate Linux machine and copying credentials to Termux manually.
Related Issues
- #12447 - OAuth token expiration disrupts autonomous workflows
- #15637 - Hardcoded /tmp/claude paths break on Termux
- #6244 - OAuth authentication errors on Termux
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗