[BUG] "Please run /login · API Error: 401 ... token expired" has no recovery path when using Claude Platform for AWS (awsAuthRefresh configured)

Resolved 💬 6 comments Opened Jun 11, 2026 by arcaven Closed Jun 30, 2026

Environment

  • Claude Code 2.1.172
  • macOS (Darwin 25.4.0)
  • Authentication: Claude Platform for AWS via OIDC (no Claude.ai/Anthropic API subscription)
  • ~/.claude/settings.json contains: "awsAuthRefresh": "okta-aws-cli web"

What happens

When the AWS STS session expires mid-session, Claude Code emits:

⏺ Please run /login · API Error: 401 The security token included in the request is expired

Running /login opens the login menu, but the menu's options are for Claude.ai subscription auth and direct Anthropic API key flows — none of them trigger the awsAuthRefresh command configured in settings, which is the only auth method that actually applies here.

Expected behavior

When the expiring credential is the AWS STS token (i.e. awsAuthRefresh is configured), Claude Code should either:

  1. Execute the configured awsAuthRefresh command transparently when it detects the 401, or
  2. Surface a clear prompt with the refresh URL/command from the OIDC flow (e.g. the browser tab that okta-aws-cli web would open), rather than directing the user to /login.

The current "Please run /login" instruction is misleading for Claude Platform for AWS users — /login doesn't help them.

Workaround

Exit Claude Code, manually run the awsAuthRefresh command in a separate terminal, then restart Claude Code.

Related

Filing a companion feature request for a /login menu entry that triggers awsAuthRefresh (link to follow).

View original on GitHub ↗

This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗