Support device-code authentication flow (RFC 8628) for Pro/Max subscription users in headless environments
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
Claude Code's OAuth flow requires a browser redirect back to the machine running Claude Code. This makes it impossible to authenticate on headless environments (VMs, SSH sessions, containers, cloud instances) when using a Pro/Max subscription.
API key users can simply set ANTHROPIC_API_KEY — but subscription users have no equivalent workaround.
Proposed Solution
A device-code auth flow (RFC 8628), where authentication happens entirely on a separate device:
$ claude
/login
No browser detected. Use this code to authenticate from another device:
Open: https://claude.ai/device
Code: XXXX-XXXX
Waiting for authentication...
✓ Authentication complete.
This pattern is well-established in major CLI tools:
- GitHub CLI (
gh auth login): device code flow with one-time code at github.com/login/device - Azure CLI (
az login --use-device-code): device code flow - AWS CLI (
aws sso login --use-device-code): device code flow
The key difference from the current OAuth flow is that a device-code flow requires no redirect back to the headless machine — the CLI simply polls for a token after the user completes auth on any browser, anywhere.
Alternative Solutions
Currently I work around this by temporarily installing a minimal GUI + browser on the headless VM, completing OAuth in the browser, then purging the GUI packages. Auth persists after removal.
Steps:
- sudo apt install -y xfce4 xfce4-session firefox dbus-x11 sddm
- Reboot, log into desktop, run
claude, complete OAuth in Firefox - sudo apt purge -y xfce4 xfce4-* sddm firefox dbus-x11 && sudo apt autoremove -y
- Reboot, SSH back in — Claude Code works headless
This works but takes 15+ minutes, downloads ~2-3GB of packages, and shouldn't be necessary.
Other approaches I tried that did NOT work:
- SSH port forwarding (ssh -L 8765:localhost:8765) — redirect still fails
- Copying ~/.claude/ credentials from host via scp — VM still prompts for login
Priority
Critical - Blocking my work
Feature Category
CLI commands and flags
Use Case Example
- I run Claude Code inside a headless Ubuntu Server VM for security isolation
- The VM has no GUI or browser — I access it only via SSH
- I have a Max subscription, not an API key
- Running
claudeshows the OAuth URL but the redirect fails because there's no browser - With a device-code flow, I could run
/login, get a one-time code, paste the URL in my host browser, and authenticate without needing a GUI on the VM - This saves time because the current workaround (installing/removing a full desktop environment) takes 15+ minutes and ~2-3GB of downloads
Additional Context
- Environment: Ubuntu Server 24.04 ARM64 in UTM (macOS, M1 Pro)
- Claude Code (latest at time of testing: v2.1.31), Max subscription
- Affects all headless use cases: VMs, Docker containers, SSH remote dev, cloud instances
- API key users are unaffected since they can set ANTHROPIC_API_KEY
Related issues:
- #7100 — Documents headless auth workarounds, requests CI/CD auth support (12 upvotes)
- #5225 (closed) — Auth not persisting for subscription users over SSH (9 upvotes)
- #1210 (closed) — BROWSER env variable not respected in containers
RFC 8628 (OAuth 2.0 Device Authorization Grant): https://datatracker.ietf.org/doc/html/rfc8628
17 Comments
Found 3 possible duplicate issues:
This issue will be automatically closed as a duplicate in 3 days.
🤖 Generated with Claude Code
This is not a duplicate of the flagged issues. Those are bug reports about existing OAuth failing in remote sessions. This is a feature request for a new authentication method — specifically RFC 8628 (OAuth Device Authorization Grant) — which would eliminate the need for a browser redirect entirely. None of the linked issues propose this.
yes please!
Still relevant — especially with Agent Teams now shipping in Opus 4.6. The docs recommend tmux for split-pane agent workflows, which is the standard setup for headless/SSH environments. But the first barrier for Pro/Max users on headless VMs is still getting authenticated. This needs a proper device-code flow, not workarounds.
Yes this would be much appreciated :)
Please, I need this is Github Codespace... opens in browser proxy... need device code flow
This is a high priority issue for Pro/Max plan subscribers. It renders several of the core use cases for Claude Code impossible.
For my usecase in Codespaces, one workaround I was able to do is capture the redirect URL in my browser, and then run CURL with that in my codespace.
IE:
curl 'http://localhost:46037/callback?code=REDACTED&state=gtpH-REDACTED'I just spent a couple of hours wrangling with this trying to figure out why my claude.ai MCPs weren't working on my headless machine only to find that I was limited to inference using my OAuth token rather than being able to authenticate as a Max subscriber. Especially given the lack of MCP support for Gmail, it's a bummer there isn't a more elegant headless authentication option
Notes on workaround for headless pro/max users:
You can create an OAuth token for your Pro/Max account on another machine with access to a browser, and then pass that to your headless Claude code as an environment variable.
Create token:
Pass it to claude code as
CLAUDE_CODE_OAUTH_TOKENYes, this works, but it doesn't offer the same sort of connective tissue as more typical authentication flows. Claude Code basically doesn't recognize that you're on a subscription, so you can't see usage in a session, nor do you have access to things tied to your account, like claude.ai connectors.
I ran into this now that I've started experimenting with the Discord MCP and headless Claude running in the cloud.
Given how new the Telegram/Discord workflows are I suspect this issue will start getting more attention. I have a hook on my laptop that pushes the claude oauth token into a secrets vault where the Claude instance can "reload" a valid token, but it still takes a HUP and if I'm in the middle of something it will break the session.
Reference implementation: OpenAI Codex just shipped this
For anyone tracking this — OpenAI's Codex CLI merged device-code auth into their app server last week. Their implementation follows the standard RFC 8628 flow and offers a clean protocol-level reference for how Claude Code could implement this.
How their flow works (protocol level)
account/login/startwith{ "type": "chatgptDeviceCode" }{ loginId, verificationUrl, userCode }— no browser redirect neededtokio::select!to race cancellation vs completionaccount/login/completed(success) +account/updatednotifications, persists tokensaccount/login/completed(failure)The device-code login resolves to the same auth state as the browser flow — it's not a new auth mode, just an alternative grant type for obtaining the same tokens.
Key design decisions worth noting
ActiveLoginrefactored to an enum withBrowser(wraps shutdown handle) andDeviceCode(wraps cancellation token) variants — both sharelogin_id()andcancel()methods#[cfg(debug_assertions)]so it only applies in test buildsINVALID_REQUEST) from other failures (INTERNAL_ERROR)Why this matters for Claude Code
With Codex now supporting device-code auth, Claude Code is the only major AI coding CLI that forces subscription users through a browser redirect. This is especially painful given:
setup-token) are fragile and error-proneThe Codex implementation is a good reference — ~170 lines of core server logic, plus protocol schema updates and tests. Claude Code could adopt a similar approach using its existing OAuth infrastructure, adding
--use-device-codeto/loginor auto-detecting headless environments.Happy to help with implementation details if this moves forward.
This issue also affects Anthropic Console account users (e.g.,
claude auth login --consoleover SSH), not just those with a Pro/Max subscription.A workaround is to start Claude Code, type
/login, choose the “Anthropic Console account” auth option, and then it correctly prints “Browser didn't open? Use the url below to sign in (c to copy)”, letting you input the code returned from a browser on the local machine.So the functionality is there, it's just not exposed to this use case.
Just to chime in, for what it is worth Amazon's
kiro-clialso handles login from an ssh machine seemlessly (it does still require opening in a url, but the url is 1.) short enough to cut and paste and 2.) does not require tunnel connection for 8080 to the ssh, which is what the Claude website recommended. Also, immediately after logging in, I was challenged to login again, I poked at it a few times, and couldn't get it to work, but when I canceled the action and asked Claude if I was logged in, it said I was. This just not a good customer experience.❤️ I submitted a feature request to add TOTP to the authentication flow for headless/ssh sessions #74204.
Only thing that worked for me; but considering how primitive this feature is its absolutely insane Claude can't figure it out.