Feature request: write rate-limit headers to ~/.claude/rate-limits.json
Problem
Third-party tools that monitor Claude Max/Pro quota (menu bar apps, widgets, dashboards) currently depend on reading the OAuth token from the system Keychain (Claude Code-credentials).
This creates a terrible UX on macOS: every ~8h when Claude Code refreshes the token (via delete+add, likely due to keytar), the Keychain ACL is destroyed and macOS shows a password popup. kSecUseAuthenticationUISkip is unreliable on macOS Sequoia after sleep/wake cycles. See #22144.
Multiple projects in the ecosystem are affected (claude-code-meter, claude-quota, ccburn, claudometer, tokemon, etc. — at least 10+ projects on GitHub).
Proposed solution
After each API response, write the anthropic-ratelimit-unified-* headers to a JSON file:
~/.claude/rate-limits.json
Example content:
{
"updated_at": "2026-03-27T14:30:00Z",
"five_hour": {
"utilization": 0.08,
"resets_at": "2026-03-27T18:00:00Z"
},
"seven_day": {
"utilization": 0.19,
"resets_at": "2026-04-02T14:59:59Z"
},
"seven_day_sonnet": {
"utilization": 0.0,
"resets_at": null
},
"extra_usage": null
}
This is analogous to how stats-cache.json already works — Claude Code writes, third-party tools read via FSEvents. No Keychain access needed, no popups, no OAuth tokens leaving the process.
Alternatives considered
| Alternative | Why insufficient |
|---|---|
| Read OAuth token from Keychain | Popup every ~8h (ACL destroyed on token refresh) |
| Own OAuth flow (PKCE) | Prohibited by ToS for third-party apps (Feb 2026) |
| WebView scraping claude.ai | Blocked by Cloudflare managed challenge |
| Estimate from local JSONL | ~5% error, no ground truth for window utilization |
| API keys | Don't reflect Max/Pro subscription quota |
Impact
This single file would:
- Eliminate Keychain popups for the entire ecosystem
- Remove the need for third-party apps to handle OAuth tokens
- Provide exact quota data without network requests
- Work within macOS sandbox (file read only, no Keychain)
- Be trivial to implement (Claude Code already parses these headers internally)
References
- #22144 — Keychain popup every ~8h
- #28091 — OAuth tokens banned for third-party apps
- #31637 — /api/oauth/usage aggressive rate limiting
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗