[FEATURE] Add env var to force OAuth enablement when using gateway/proxy with custom auth
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
Problem
When using Claude Code on a Max plan (OAuth login), it's not possible to route requests through a gateway/proxy that requires its own authentication token.
Setting any external auth source (apiKeyHelper, ANTHROPIC_AUTH_TOKEN, ANTHROPIC_API_KEY, or an Authorization header via ANTHROPIC_CUSTOM_HEADERS) disables OAuth entirely. The auth sources are treated as mutually exclusive.
This means you can't send both:
- The Anthropic OAuth token (for pass-through to the Anthropic API)
- A gateway token (for authenticating with the gateway itself)
Proposed Solution
Add an env var (e.g. CLAUDE_CODE_FORCE_OAUTH) to keep OAuth enabled even when external auth sources are present. This would allow users to configure:
- OAuth login for the Anthropic Authorization header (as normal)
ANTHROPIC_CUSTOM_HEADERSorapiKeyHelperfor the gateway token (in a custom header like X-Gateway-Token or Proxy-Authorization)ANTHROPIC_BASE_URLpointing to the gateway
Alternative Solutions
The only viable workaround is running a transparent local proxy that injects the gateway auth at the network level — which is significantly more complex to set up and maintain.
Priority
Critical - Blocking my work
Feature Category
API and model interactions
Use Case Example
Organizations running a gateway in front of the Anthropic API (for logging, rate limiting, policy enforcement, etc.) where:
- The user authenticates with Anthropic via OAuth (Max plan)
- The gateway requires its own identity token (e.g., OAuth client credentials) that expires and needs periodic refresh
- The gateway forwards the original Anthropic Authorization header upstream
Today there is no way to configure Claude Code to send both tokens. apiKeyHelper would be ideal for refreshing the gateway token, but enabling it disables OAuth.
Additional Context
The gateway requires its own OAuth token that expires periodically and needs refresh. apiKeyHelper with its TTL-based caching would be the natural mechanism for this, but configuring it disables the Anthropic OAuth flow entirely. Using ANTHROPIC_BASE_URL to point to the gateway alongside a Max plan OAuth login.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗