[BUG] org:create_api_key scope silently dropped from OAuth grant — Remote Control permanently broken on Max subscription

Resolved 💬 3 comments Opened May 16, 2026 by connecteddale Closed Jun 15, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

/remote-control fails with "Remote Control requires a full-scope login token. Long-lived tokens
(from claude setup-token or CLAUDE_CODE_OAUTH_TOKEN) are limited to inference-only for security
reasons. Run claude auth login to use Remote Control."

This error persists after multiple successful interactive claude auth login completions ("Login
successful.") and full session restarts. Inspecting ~/.claude/.credentials.json after login reveals
the OAuth server granted only 5 of the 6 requested scopes — org:create_api_key is silently absent
from the grant despite being explicitly included in the authorization URL scope parameter.

The error message instructs the user to run claude auth login as the fix, but re-authentication
is structurally incapable of fixing a server-side scope grant problem. This sends users into an
infinite loop.

What Should Happen?

After a successful interactive claude auth login, the granted token should include the
org:create_api_key scope (as requested in the OAuth authorization URL), and /remote-control
should work without error.

Error Messages/Logs

Remote Control requires a full-scope login token. Long-lived tokens (from `claude setup-token`
or CLAUDE_CODE_OAUTH_TOKEN) are limited to inference-only for security reasons.
Run `claude auth login` to use Remote Control.

Credentials file after successful login — scopes granted:
["user:file_upload","user:inference","user:mcp_servers","user:profile","user:sessions:claude_code"]

Scope requested in auth URL but NOT granted: org:create_api_key

Auth status:
{
  "loggedIn": true,
  "authMethod": "claude.ai",
  "apiProvider": "firstParty",
  "subscriptionType": "max",
  "rateLimitTier": "default_claude_max_5x"
}

No ANTHROPIC_API_KEY set. No CLAUDE_CODE_OAUTH_TOKEN set.

Steps to Reproduce

Steps to Reproduce

  1. Ensure no ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN env vars are set
  2. Run: claude auth login
  3. Complete the browser OAuth flow — confirm "Login successful."
  4. Restart Claude Code (fresh process)
  5. Run: /remote-control
  6. Error appears immediately
  7. Inspect ~/.claude/.credentials.json — confirm org:create_api_key is absent from "scopes" array
  8. Note the OAuth authorization URL that claude auth login constructs explicitly includes

org:create_api_key in the scope parameter — the server is dropping it silently

The OAuth authorization URL scope parameter:
scope=org:create_api_key+user:profile+user:inference+user:sessions:claude_code+user:mcp_servers+user:file_upload

Scope actually granted (from credentials file):
["user:file_upload","user:inference","user:mcp_servers","user:profile","user:sessions:claude_code"]

Reproduced across 3+ separate auth login attempts. Related but distinct from #57258.

---
Claude Model: Not sure / Multiple models

Is this a regression? I don't know

Last Working Version: (leave blank)

Claude Code Version: 2.1.143 (Claude Code)

Platform: Anthropic API

Operating System: Ubuntu/Debian Linux

Terminal/Shell: Warp

Claude Model

Not sure / Multiple models

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.143 (Claude Code)

Platform

Anthropic API

Operating System

Ubuntu/Debian Linux

Terminal/Shell

Warp

Additional Information

Account org ID: 9d9406c4-8c7a-496f-82bd-26fb7f40f466
Subscription: Max (default_claude_max_5x)
OS: Debian Linux, kernel 6.12.57+deb13-amd64, x86_64
Token expiresAt in credentials: 1778964380693 (~1 year from now — may be relevant to how
the token type is classified internally)

The core question: is org:create_api_key intentionally withheld for Max subscriber accounts,
or is this a backend misconfiguration for this org? Either way, the error message is misleading
— it should not tell users to re-authenticate if the server won't grant the required scope.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗