[BUG] "Please run /login · API Error: 401 ... token expired" has no recovery path when using Claude Platform for AWS (awsAuthRefresh configured)
Environment
- Claude Code 2.1.172
- macOS (Darwin 25.4.0)
- Authentication: Claude Platform for AWS via OIDC (no Claude.ai/Anthropic API subscription)
~/.claude/settings.jsoncontains:"awsAuthRefresh": "okta-aws-cli web"
What happens
When the AWS STS session expires mid-session, Claude Code emits:
⏺ Please run /login · API Error: 401 The security token included in the request is expired
Running /login opens the login menu, but the menu's options are for Claude.ai subscription auth and direct Anthropic API key flows — none of them trigger the awsAuthRefresh command configured in settings, which is the only auth method that actually applies here.
Expected behavior
When the expiring credential is the AWS STS token (i.e. awsAuthRefresh is configured), Claude Code should either:
- Execute the configured
awsAuthRefreshcommand transparently when it detects the 401, or - Surface a clear prompt with the refresh URL/command from the OIDC flow (e.g. the browser tab that
okta-aws-cli webwould open), rather than directing the user to/login.
The current "Please run /login" instruction is misleading for Claude Platform for AWS users — /login doesn't help them.
Workaround
Exit Claude Code, manually run the awsAuthRefresh command in a separate terminal, then restart Claude Code.
Related
Filing a companion feature request for a /login menu entry that triggers awsAuthRefresh (link to follow).
This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗