[BUG] forceLoginOrgUUID is incompatible with setup-token OAuth tokens — breaks all unattended/CI usage
Resolved 💬 4 comments Opened May 7, 2026 by chkp-roniz Closed Jun 4, 2026
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Summary
When forceLoginOrgUUID is set in managed-settings.json, any machine authenticated with a token from claude setup-token is hard-blocked at startup with no path to recovery. This makes the two features mutually exclusive in practice and breaks the documented CI/CD authentication flow whenever an enterprise wants to enforce org binding.
Impact
This is a real foot-gun for any enterprise rolling out Claude Code at scale:
- Enterprises naturally want
forceLoginOrgUUIDenforced as a defence-in-depth control on engineer workstations. - The same
managed-settings.jsonis typically distributed via configuration management (MDM, ansible, base images) to all hosts including CI runners. - The result is a production outage of every Claude-Code-powered workflow the moment the setting is published, with no warning and no migration path documented.
- The error message points users at
claude auth login, which is the wrong answer for CI — it ties workflows to a single human's OAuth credentials, which is a governance regression.
Root cause
claude setup-tokenrequests onlyuser:inferencescope (intentional — narrow scope for unattended use).forceLoginOrgUUIDenforcement calls the profile endpoint, which requiresuser:profile.- Re-running
setup-tokencannot resolve this; the scope is fixed in the CLI's OAuth authorization URL. See #22450 for the related scope-narrowing issue. - The only way to obtain a
user:profile-scoped token isclaude auth login, which is interactive, tied to a human identity, and refresh-rotating — unusable in GitHub Actions, GitLab CI, Jenkins, or any other unattended runner.
What Should Happen?
Expected behaviour
One of the following:
- Preferred:
forceLoginOrgUUIDenforcement should be skipped or use an alternative verification path for tokens minted bysetup-token. The org identity of a setup-token is already determinable server-side from the token itself — nouser:profileround-trip should be required. - Alternative:
claude setup-tokenshould optionally requestuser:profilescope (e.g.claude setup-token --scope user:profileor a separatesetup-ci-tokencommand) so enterprise admins can mint tokens that satisfyforceLoginOrgUUID.
Error Messages/Logs
Unable to verify organization for the current authentication token.
This machine requires organization <uuid> but the profile could not be fetched.
This may be a network error, or the token may lack the user:profile scope required for
verification (tokens from 'claude setup-token' do not include this scope).
Try again, or obtain a full-scope token via 'claude auth login'.
Steps to Reproduce
Steps to reproduce
- On any machine, deploy
managed-settings.jsoncontaining:
``json``
{ "forceLoginOrgUUID": "<your-org-uuid>" }
- Authenticate using
claude setup-token(or setCLAUDE_CODE_OAUTH_TOKENfrom a previously generated setup-token). - Run any
claudecommand, or trigger theanthropics/claude-code-action@v1GitHub Action withclaude_code_oauth_tokenas input. - Observe the verification failure above. The CLI exits without performing the requested operation.
Claude Model
Not sure / Multiple models
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.129 (Claude Code)
Platform
Other
Operating System
Ubuntu/Debian Linux
Terminal/Shell
Non-interactive/CI environment
Additional Information
- #22450 —
claude usagefails with sameuser:profilescope mismatch from setup-token - #23703 — setup-token scope narrowing breaks external use cases
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗