[FEATURE] Auto-cleanup / bulk-revoke for Claude Code OAuth tokens in claude.ai Settings
Open 💬 2 comments Opened May 15, 2026 by tbastos
Problem
OAuth authorization tokens accumulate unboundedly in claude.ai → Settings → Claude Code. Users who enable remoteControlAtStartup: true (a recommended workflow for scheduled agents and remote control) mint a new token on every interactive session. After weeks of normal usage, the list grows to hundreds of stale tokens with no way to clean them up except clicking "revoke" one by one.
This was reported in #38074 (and #28214), both closed as "not planned." Respectfully, this should be reconsidered — the problem affects every power user running Claude Code daily, and the lack of cleanup is both a UX and security concern:
- UX: The Settings page becomes unusable with hundreds of entries and no bulk action.
- Security: Stale tokens linger indefinitely. Per #43801, even explicit revocation doesn't always invalidate them.
- No workaround: There is no API, CLI command, or bulk-revoke option. The only alternative is disabling remote control, which defeats the purpose.
Requested
Any of these would resolve it (ideally all):
- Auto-expiration: Tokens for ended sessions should be cleaned up automatically (server-side TTL or revoke-on-disconnect).
- "Revoke all" button: A single action to clear stale tokens from the Settings UI.
- API endpoint: Allow programmatic token management (list/revoke) so users can script cleanup.
Related
- #38074 — OAuth tokens from ccr_inference accumulate without cleanup (closed, not planned)
- #28214 — New OAuth token on every Cowork session (closed, not planned)
- #34198 — Server-side revoke on logout (open)
- #43801 — Revocation doesn't invalidate tokens (open, security)
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗