[FEATURE] Make OAuth/admin base URL configurable like ANTHROPIC_BASE_URL
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
ANTHROPIC_BASE_URL correctly routes inference calls through custom endpoints, but ~30 OAuth and admin endpoints (/api/oauth/*, /api/claude_code/*, /v1/sessions/*, /v1/mcp_servers, event logging, etc.) use a hardcoded BASE_API_URL (https://api.anthropic.com) that ignores any configured base URL. API key authentication already works cleanly, ANTHROPIC_BASE_URL is respected across the board, but the OAuth path lacks the same configurability.
Proposed Solution
Remove the allowlist restriction on CLAUDE_CODE_CUSTOM_OAUTH_URL so it accepts arbitrary URLs, bringing OAuth endpoint routing to parity with how ANTHROPIC_BASE_URL already works for inference.
Alternative Solutions
- Add a new env var (e.g.
ANTHROPIC_OAUTH_BASE_URL) specifically for non-inference endpoints. - The recent addition of custom TLS certificate support makes MITM approaches easier, but delegating authentication to a gateway that injects credentials without breaking the in-container chain of trust is a cleaner solution than TLS interception.
Priority
Medium - Would be very helpful
Feature Category
Configuration and settings
Use Case Example
We run interactive containerized Claude Code agents (like a secure sandbox for your personal AI coding agent on your own dev machine - similar to Docker Sandboxes, but based on podman) with a host-side credential gateway that swaps phantom tokens for real credentials (terok-sandbox). This works perfectly for API key auth via ANTHROPIC_BASE_URL, for OAuth, the credential gateway can even correctly request and obtain OAuth key refreshes adn route the inference path from the container to the Anthropic servers without revealing the real credentials inside the container, but the hardcoded OAuth endpoints bypass it, breaking subscription features (usage, profile, settings, connectors).
Additional Context
CLAUDE_CODE_CUSTOM_OAUTH_URLexists but is restricted to an internal allowlist of Anthropic-owned URLs.- #22992 — device-code auth for headless environments (different approach, same audience — multiple commenters noted that
CLAUDE_CODE_OAUTH_TOKENworkaround loses subscription features like usage display and connectors) - PR #5490 — containerized Claude Code with host credential delegation (discussion touched on dynamic credential replacement in the forwarding layer)
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗