[Bug] v2.1.37 regression: OAuth authentication fails in sdk-cli/headless mode on macOS (cron-spawned processes)
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
After upgrading from v2.1.34 to v2.1.37, Claude Code processes spawned from cron via claude -p "..." --dangerously-skip-permissions fail to authenticate with:
Error: Could not resolve authentication method. Expected either apiKey or authToken to be set.
This worked perfectly on v2.1.34 using the same subscription (Max plan) and the same cron setup. The regression was introduced somewhere between v2.1.34 and v2.1.37.
Environment
- Claude Code version: 2.1.37 (built 2026-02-07)
- Previous working version: 2.1.34
- OS: macOS (Darwin 25.2.0, Apple Silicon)
- Auth method: Claude Code subscription (OAuth), no API key
- Entry point: sdk-cli (spawned via
Process.spawnfrom a Ruby orchestrator running in cron)
Steps to Reproduce
- Have a working Claude Code subscription authenticated via
/login - Set up a cron job that spawns
claude -p "some prompt" --dangerously-skip-permissions - On v2.1.34: works fine, OAuth token is read from keychain and refreshed
- Upgrade to v2.1.37
- Same cron job now fails with auth error on every API call
Debug Log Comparison
Working (v2.1.34) — OAuth check takes ~1.6s, token is refreshed and written to disk:
[API:request] Creating client, ANTHROPIC_CUSTOM_HEADERS present: false, has Authorization header: false
[API:auth] OAuth token check starting
... (reads keychain, refreshes token, writes to ~/.claude.json, ~1600ms) ...
[API:auth] OAuth token check complete
Stream started - received first chunk
Broken (v2.1.37) — OAuth check completes instantly (0ms), returns null:
[API:request] Creating client, ANTHROPIC_CUSTOM_HEADERS present: false, has Authorization header: false
[API:auth] OAuth token check starting
[API:auth] OAuth token check complete
Error: Could not resolve authentication method. Expected either apiKey or authToken to be set.
The 0ms completion time suggests the keychain/credential lookup code path is being skipped entirely in sdk-cli mode on v2.1.37, rather than failing — it's not even attempting to read credentials.
Attribution Header Difference
- v2.1.34:
cc_version=2.1.34.95b; cc_entrypoint=sdk-cli; - v2.1.37:
cc_version=2.1.37.fbe; cc_entrypoint=sdk-cli; cch=00000;
The new cch=00000 field may be related to a credential chain mechanism that isn't functioning in headless mode.
Related Issues
- #1154 — Same root problem (non-interactive macOS context can't access keychain), was auto-closed
- #24317 — OAuth refresh token race condition in v2.1.37
- #9403 — Keychain OAuth persistence issues on macOS
Expected Behavior
claude -p with --dangerously-skip-permissions should resolve OAuth credentials from the macOS keychain in sdk-cli/headless mode, as it did in v2.1.34.
Workaround
Setting CLAUDE_CODE_OAUTH_TOKEN env var bypasses the broken keychain path, but the token expires every 8-12 hours and requires manual refresh — not viable for automated setups.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗