OAuth token management: add names, source IPs, and usage tracking

Resolved 💬 3 comments Opened Mar 24, 2026 by henryjindo Closed Mar 27, 2026

Problem

When generating long-lived OAuth tokens via claude setup-token, there is no way to name, label, or distinguish between tokens. The token management page (claude.ai) shows all tokens identically as "Claude Code" with only a vague "Connected X ago" timestamp.

This makes it impossible to:

  • Identify which token belongs to which application or environment
  • Detect unauthorized usage from unexpected locations
  • Audit which tokens are actively being used vs stale
  • Safely revoke a specific token without risking breaking production services

Current Experience

Claude Code — Connected 45 minutes ago
Claude Code — Connected 1 month ago
Claude Code — Connected 1 month ago

Three tokens, no way to tell them apart. In a real scenario with tokens deployed across production EKS, dev EKS, CI/CD pipelines, and local machines — this is a security and operational blind spot.

Requested Features

  1. Custom name/label at creation timeclaude setup-token --name "kibl-agent-prod" so tokens are identifiable on the management page
  2. Source IP tracking — show the IP address of the last connection (and ideally a history)
  3. Last used timestamp — distinct from "last connected", showing when the token was last used for inference
  4. Created date — when the token was generated
  5. Selective revoke — ability to revoke a specific token by name/ID without affecting others

Why This Matters

Every comparable platform provides this level of token management:

  • GitHub — named PATs with last used date, expiry, permissions, selective revoke
  • AWS IAM — access key ID, creation date, last used date + region + service
  • GCP — service account keys with creation date, last used, disable/delete
  • Slack — named app tokens with scopes and usage tracking

For teams running Claude-powered agents in production infrastructure, basic token hygiene requires being able to identify and audit each token independently.

Environment

  • Claude Code CLI
  • claude setup-token generated OAuth tokens (sk-ant-oat01-...)
  • Token management page on claude.ai

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗