[BUG] Cowork VM creates new OAuth token on every session (token accumulation)
Summary
The Claude Cowork desktop app mints a new OAuth token every time a Cowork session starts, causing unbounded token accumulation in Settings -> Claude Code -> Authorization Tokens. After ~5 weeks of normal use: 40+ tokens, no bulk-revoke, broken UI.
Root Cause (confirmed via filesystem inspection)
Two separate Claude Code binaries exist on disk:
~/Library/Application Support/Claude/claude-code/2.1.49/claude(regular CLI)~/Library/Application Support/Claude/claude-code-vm/2.1.49/claude(Cowork VM binary)
The claude-code-vm binary runs inside an ephemeral Linux sandbox. The VM home has no .claude/ directory and no access to the macOS Keychain. On every session start, it finds no credentials, re-authenticates, and mints a new token. Nothing in local config causes this - it is a product design gap.
Secondary Issue
The token management UI at claude.ai/settings/claude-code does not refresh after revocation and offers no bulk-revoke or "keep only current" option. With 40+ tokens, manual cleanup is effectively unusable.
Expected Behavior
The Cowork VM should either:
- Receive/reuse the authenticated token from the desktop app on session start, or
- Persist its credential to the mounted user directory so it survives VM resets
Environment
- macOS
- Claude Desktop App v2.1.49
- Both
claude-codeandclaude-code-vmbinaries present at v2.1.49 - Apple subscription plan
Related Issues
- #20016 (Cowork tab stuck on sending request)
- #18474 (Cowork stuck on sending request)
- #24317 (OAuth refresh race condition with multiple sessions)
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗