remote-control rejects valid OAuth token (sk-ant-oat01- prefix false positive)
Description
claude remote-control rejects a valid OAuth token obtained via claude auth login, incorrectly identifying it as a long-lived token.
Steps to Reproduce
- Previously had a token set via
claude setup-token/CLAUDE_CODE_OAUTH_TOKEN - Commented out
CLAUDE_CODE_OAUTH_TOKENfrom.zshrc, ranunset CLAUDE_CODE_OAUTH_TOKEN - Deleted old keychain credential:
security delete-generic-password -s "Claude Code-credentials" - Ran
claude auth login— browser OAuth flow completed successfully claude auth statusconfirms login:
``json``
{
"loggedIn": true,
"authMethod": "oauth_token",
"apiProvider": "firstParty"
}
- Keychain credential has correct OAuth scopes:
``json``
{
"claudeAiOauth": {
"accessToken": "sk-ant-oat01-...",
"refreshToken": "sk-ant-ort01-...",
"scopes": [
"user:file_upload",
"user:inference",
"user:mcp_servers",
"user:profile",
"user:sessions:claude_code"
],
"subscriptionType": "max"
}
}
- Ran
claude remote-control
Expected Behavior
Remote Control starts successfully — the token is a full-scope OAuth token with user:sessions:claude_code.
Actual Behavior
Error: Remote Control requires a full-scope login token. Long-lived tokens (from `claude setup-token` or CLAUDE_CODE_OAUTH_TOKEN) are limited to inference-only for security reasons. Run `claude auth login` to use Remote Control.
Hypothesis
The remote-control command appears to be rejecting the token based on the sk-ant-oat01- prefix pattern, treating it as a long-lived/setup token. However, this is the same prefix used by legitimate OAuth tokens obtained via claude auth login. The check should inspect the auth method or token metadata rather than the prefix.
Environment
- Claude Code version: 2.1.92
- OS: macOS (Darwin 25.3.0)
- Shell: zsh
- Auth method: OAuth (first-party)
- Subscription: Max
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗