[BUG] Claude Code OAuth breaks when workspace setting "Allow creating new API keys in default workspace" is disabled

Resolved 💬 2 comments Opened Apr 29, 2026 by jameswinegar Closed May 31, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

The error message is misleading — user:profile is in the token. The actually-missing scope is org:create_api_key.

Root Cause

Claude Code's authorize URL requests org:create_api_key in its default scope set. This has been reported repeatedly in different forms — #29983, #20325, #10719, #10715 — all closed as duplicate or stale, none consolidated to a canonical issue.

When the workspace policy denies org:create_api_key, the OAuth server still issues a token but silently strips that scope from it. Claude Code's post-first-launch verification then fails when it's missing.

Confirmed by manually editing the authorize URL to remove org%3Acreate_api_key+ from the scope param: the OAuth flow completes, the token is issued without that scope, and Claude Code operates normally on all subsequent launches. So the scope is not actually required for subscription operation — it's just being requested unnecessarily, and its absence is being mishandled.

Token contents from keychain (security find-generic-password -s "Claude Code-credentials" -w) showing the silently-dropped scope:

{
  "claudeAiOauth": {
    "accessToken": "sk-ant-...",
    "refreshToken": "sk-ant-...",
    "expiresAt": 1777455728454,
    "scopes": [
      "user:file_upload",
      "user:inference",
      "user:mcp_servers",
      "user:profile",
      "user:sessions:claude_code"
    ],
    "subscriptionType": "team",
    "rateLimitTier": "default_claude_max_5x"
  }
}

Note org:create_api_key is absent despite being in the authorize request.

Why This Matters

Per Anthropic's own docs (https://support.claude.com/en/articles/11845131): subscription users authenticate via OAuth with no API key required. The "Allow creating new API keys" setting exists specifically so workspaces can prevent member-issued API keys for security/compliance reasons. These two facts should be compatible. Today they are not — turning on a documented security setting Anthropic offers breaks a product Anthropic offers.

For workspaces with security postures that prohibit member API key creation (most enterprise environments), this effectively makes Claude Code unusable.

Workaround

Toggle "Allow creating new API keys" on, run claude auth login, toggle it back off. Existing tokens persist through the toggle since the setting only blocks new key creation, not existing OAuth tokens. Required on every fresh login (new machine, after /logout, after credential corruption).

Requested Fix

Either, or both:

  1. Remove org:create_api_key from the default scope set for subscription OAuth. This matches the client-side patch suggested in #29983 (JHA = ["user:profile"] instead of JHA = [jPK, "user:profile"] in cli.js). Subscription users don't need this scope.
  2. Make Claude Code gracefully handle tokens that lack org:create_api_key. First-launch behavior should not assume the scope was granted. The error message should also accurately identify the missing scope rather than misleadingly pointing at user:profile.

Related Issues (all closed without consolidation)

  • #29983 — closed as duplicate, no canonical linked
  • #20325 — stale, headless flow, same scope
  • #10719 — stale, Pro subscription, same scope
  • #10715 — duplicate, macOS reauth 500, same scope

Environment

  • Claude Code: v2.1.122
  • OS: macOS
  • Plan: Team Premium, Primary Owner
  • Org UUID: 5099b77a-cf2d-47bf-ad85-7445bb92319a
  • Auth method: Claude account with subscription (OAuth)

What Should Happen?

Disabling "Allow creating new API keys in default workspace" should prevent members from creating API keys (its stated purpose) without breaking Claude Code OAuth login. Subscription-based Claude Code authentication should not depend on org:create_api_key scope, since subscription users don't need API keys to use Claude Code.

Either, or both, of:

  1. Remove org:create_api_key from the default scope set for subscription OAuth. This matches the client-side patch suggested in #29983 (JHA = ["user:profile"] instead of JHA = [jPK, "user:profile"] in cli.js). Subscription users don't need this scope.
  2. Make Claude Code gracefully handle tokens that lack org:create_api_key. First-launch behavior should not assume the scope was granted. The error message should also accurately identify the missing scope rather than misleadingly pointing at user:profile.

Error Messages/Logs

Unable to verify organization for the current authentication token.
This machine requires organization 5099b77a-cf2d-47bf-ad85-7445bb92319a but the profile could not be fetched.
This may be a network error, or the token may lack the user:profile scope required for
verification (tokens from 'claude setup-token' do not include this scope).
Try again, or obtain a full-scope token via 'claude auth login'.

Steps to Reproduce

  1. As Primary Owner of a Team Premium workspace, disable "Allow creating new API keys in default workspace" at claude.ai/settings → Workspace → API keys.
  2. On any developer machine, run claude auth login and complete the OAuth flow normally. Login reports success.
  3. First claude invocation succeeds — Claude Code starts and works.
  4. Run /exit, then run claude again.
  5. Every subsequent claude invocation fails with the verification error (see Error Messages/Logs).

To confirm root cause: run claude auth login again, copy the authorize URL it prints, manually remove org%3Acreate_api_key+ from the scope query parameter, and paste the modified URL into the browser. The OAuth flow completes, a reduced-scope token is stored, and Claude Code works correctly on all subsequent launches.

Claude Model

Opus

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

2.1.122

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

iTerm2

Additional Information

_No response_

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗