[BUG] Claude Code OAuth breaks when workspace setting "Allow creating new API keys in default workspace" is disabled
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
The error message is misleading — user:profile is in the token. The actually-missing scope is org:create_api_key.
Root Cause
Claude Code's authorize URL requests org:create_api_key in its default scope set. This has been reported repeatedly in different forms — #29983, #20325, #10719, #10715 — all closed as duplicate or stale, none consolidated to a canonical issue.
When the workspace policy denies org:create_api_key, the OAuth server still issues a token but silently strips that scope from it. Claude Code's post-first-launch verification then fails when it's missing.
Confirmed by manually editing the authorize URL to remove org%3Acreate_api_key+ from the scope param: the OAuth flow completes, the token is issued without that scope, and Claude Code operates normally on all subsequent launches. So the scope is not actually required for subscription operation — it's just being requested unnecessarily, and its absence is being mishandled.
Token contents from keychain (security find-generic-password -s "Claude Code-credentials" -w) showing the silently-dropped scope:
{
"claudeAiOauth": {
"accessToken": "sk-ant-...",
"refreshToken": "sk-ant-...",
"expiresAt": 1777455728454,
"scopes": [
"user:file_upload",
"user:inference",
"user:mcp_servers",
"user:profile",
"user:sessions:claude_code"
],
"subscriptionType": "team",
"rateLimitTier": "default_claude_max_5x"
}
}
Note org:create_api_key is absent despite being in the authorize request.
Why This Matters
Per Anthropic's own docs (https://support.claude.com/en/articles/11845131): subscription users authenticate via OAuth with no API key required. The "Allow creating new API keys" setting exists specifically so workspaces can prevent member-issued API keys for security/compliance reasons. These two facts should be compatible. Today they are not — turning on a documented security setting Anthropic offers breaks a product Anthropic offers.
For workspaces with security postures that prohibit member API key creation (most enterprise environments), this effectively makes Claude Code unusable.
Workaround
Toggle "Allow creating new API keys" on, run claude auth login, toggle it back off. Existing tokens persist through the toggle since the setting only blocks new key creation, not existing OAuth tokens. Required on every fresh login (new machine, after /logout, after credential corruption).
Requested Fix
Either, or both:
- Remove
org:create_api_keyfrom the default scope set for subscription OAuth. This matches the client-side patch suggested in #29983 (JHA = ["user:profile"]instead ofJHA = [jPK, "user:profile"]incli.js). Subscription users don't need this scope. - Make Claude Code gracefully handle tokens that lack
org:create_api_key. First-launch behavior should not assume the scope was granted. The error message should also accurately identify the missing scope rather than misleadingly pointing atuser:profile.
Related Issues (all closed without consolidation)
- #29983 — closed as duplicate, no canonical linked
- #20325 — stale, headless flow, same scope
- #10719 — stale, Pro subscription, same scope
- #10715 — duplicate, macOS reauth 500, same scope
Environment
- Claude Code: v2.1.122
- OS: macOS
- Plan: Team Premium, Primary Owner
- Org UUID: 5099b77a-cf2d-47bf-ad85-7445bb92319a
- Auth method: Claude account with subscription (OAuth)
What Should Happen?
Disabling "Allow creating new API keys in default workspace" should prevent members from creating API keys (its stated purpose) without breaking Claude Code OAuth login. Subscription-based Claude Code authentication should not depend on org:create_api_key scope, since subscription users don't need API keys to use Claude Code.
Either, or both, of:
- Remove
org:create_api_keyfrom the default scope set for subscription OAuth. This matches the client-side patch suggested in #29983 (JHA = ["user:profile"]instead ofJHA = [jPK, "user:profile"]incli.js). Subscription users don't need this scope. - Make Claude Code gracefully handle tokens that lack
org:create_api_key. First-launch behavior should not assume the scope was granted. The error message should also accurately identify the missing scope rather than misleadingly pointing atuser:profile.
Error Messages/Logs
Unable to verify organization for the current authentication token.
This machine requires organization 5099b77a-cf2d-47bf-ad85-7445bb92319a but the profile could not be fetched.
This may be a network error, or the token may lack the user:profile scope required for
verification (tokens from 'claude setup-token' do not include this scope).
Try again, or obtain a full-scope token via 'claude auth login'.
Steps to Reproduce
- As Primary Owner of a Team Premium workspace, disable "Allow creating new API keys in default workspace" at claude.ai/settings → Workspace → API keys.
- On any developer machine, run
claude auth loginand complete the OAuth flow normally. Login reports success. - First
claudeinvocation succeeds — Claude Code starts and works. - Run
/exit, then runclaudeagain. - Every subsequent
claudeinvocation fails with the verification error (see Error Messages/Logs).
To confirm root cause: run claude auth login again, copy the authorize URL it prints, manually remove org%3Acreate_api_key+ from the scope query parameter, and paste the modified URL into the browser. The OAuth flow completes, a reduced-scope token is stored, and Claude Code works correctly on all subsequent launches.
Claude Model
Opus
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
2.1.122
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
iTerm2
Additional Information
_No response_
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗