[BUG] Cowork VM creates new OAuth token on every session (token accumulation)

Resolved 💬 5 comments Opened Feb 24, 2026 by variuse Closed Apr 8, 2026

Summary

The Claude Cowork desktop app mints a new OAuth token every time a Cowork session starts, causing unbounded token accumulation in Settings -> Claude Code -> Authorization Tokens. After ~5 weeks of normal use: 40+ tokens, no bulk-revoke, broken UI.

Root Cause (confirmed via filesystem inspection)

Two separate Claude Code binaries exist on disk:

  • ~/Library/Application Support/Claude/claude-code/2.1.49/claude (regular CLI)
  • ~/Library/Application Support/Claude/claude-code-vm/2.1.49/claude (Cowork VM binary)

The claude-code-vm binary runs inside an ephemeral Linux sandbox. The VM home has no .claude/ directory and no access to the macOS Keychain. On every session start, it finds no credentials, re-authenticates, and mints a new token. Nothing in local config causes this - it is a product design gap.

Secondary Issue

The token management UI at claude.ai/settings/claude-code does not refresh after revocation and offers no bulk-revoke or "keep only current" option. With 40+ tokens, manual cleanup is effectively unusable.

Expected Behavior

The Cowork VM should either:

  • Receive/reuse the authenticated token from the desktop app on session start, or
  • Persist its credential to the mounted user directory so it survives VM resets

Environment

  • macOS
  • Claude Desktop App v2.1.49
  • Both claude-code and claude-code-vm binaries present at v2.1.49
  • Apple subscription plan

Related Issues

  • #20016 (Cowork tab stuck on sending request)
  • #18474 (Cowork stuck on sending request)
  • #24317 (OAuth refresh race condition with multiple sessions)

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗