[BUG] org:create_api_key scope silently dropped from OAuth grant — Remote Control permanently broken on Max subscription
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
/remote-control fails with "Remote Control requires a full-scope login token. Long-lived tokens
(from claude setup-token or CLAUDE_CODE_OAUTH_TOKEN) are limited to inference-only for security
reasons. Run claude auth login to use Remote Control."
This error persists after multiple successful interactive claude auth login completions ("Login
successful.") and full session restarts. Inspecting ~/.claude/.credentials.json after login reveals
the OAuth server granted only 5 of the 6 requested scopes — org:create_api_key is silently absent
from the grant despite being explicitly included in the authorization URL scope parameter.
The error message instructs the user to run claude auth login as the fix, but re-authentication
is structurally incapable of fixing a server-side scope grant problem. This sends users into an
infinite loop.
What Should Happen?
After a successful interactive claude auth login, the granted token should include the
org:create_api_key scope (as requested in the OAuth authorization URL), and /remote-control
should work without error.
Error Messages/Logs
Remote Control requires a full-scope login token. Long-lived tokens (from `claude setup-token`
or CLAUDE_CODE_OAUTH_TOKEN) are limited to inference-only for security reasons.
Run `claude auth login` to use Remote Control.
Credentials file after successful login — scopes granted:
["user:file_upload","user:inference","user:mcp_servers","user:profile","user:sessions:claude_code"]
Scope requested in auth URL but NOT granted: org:create_api_key
Auth status:
{
"loggedIn": true,
"authMethod": "claude.ai",
"apiProvider": "firstParty",
"subscriptionType": "max",
"rateLimitTier": "default_claude_max_5x"
}
No ANTHROPIC_API_KEY set. No CLAUDE_CODE_OAUTH_TOKEN set.
Steps to Reproduce
Steps to Reproduce
- Ensure no ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN env vars are set
- Run: claude auth login
- Complete the browser OAuth flow — confirm "Login successful."
- Restart Claude Code (fresh process)
- Run: /remote-control
- Error appears immediately
- Inspect ~/.claude/.credentials.json — confirm org:create_api_key is absent from "scopes" array
- Note the OAuth authorization URL that claude auth login constructs explicitly includes
org:create_api_key in the scope parameter — the server is dropping it silently
The OAuth authorization URL scope parameter:
scope=org:create_api_key+user:profile+user:inference+user:sessions:claude_code+user:mcp_servers+user:file_upload
Scope actually granted (from credentials file):
["user:file_upload","user:inference","user:mcp_servers","user:profile","user:sessions:claude_code"]
Reproduced across 3+ separate auth login attempts. Related but distinct from #57258.
---
Claude Model: Not sure / Multiple models
Is this a regression? I don't know
Last Working Version: (leave blank)
Claude Code Version: 2.1.143 (Claude Code)
Platform: Anthropic API
Operating System: Ubuntu/Debian Linux
Terminal/Shell: Warp
Claude Model
Not sure / Multiple models
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.143 (Claude Code)
Platform
Anthropic API
Operating System
Ubuntu/Debian Linux
Terminal/Shell
Warp
Additional Information
Account org ID: 9d9406c4-8c7a-496f-82bd-26fb7f40f466
Subscription: Max (default_claude_max_5x)
OS: Debian Linux, kernel 6.12.57+deb13-amd64, x86_64
Token expiresAt in credentials: 1778964380693 (~1 year from now — may be relevant to how
the token type is classified internally)
The core question: is org:create_api_key intentionally withheld for Max subscriber accounts,
or is this a backend misconfiguration for this org? Either way, the error message is misleading
— it should not tell users to re-authenticate if the server won't grant the required scope.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗