[BUG] Support JWT tokens in API key validation - Currently rejecting valid Bearer tokens with "Invalid API Key format" error

Resolved 💬 2 comments Opened Sep 16, 2025 by HaithamMaya Closed Sep 17, 2025

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Problem Summary
Claude Code currently rejects JWT tokens when using custom ANTHROPIC_BASE_URL endpoints, throwing a 403 error with the message "Invalid API Key format: Must start with pre-defined prefix". This prevents integration with enterprise SSO systems
that use JWT-based authentication.

Current Behavior

  • Claude Code validates API keys against a predefined format (likely expecting prefixes like sk-, anthropic-, etc.)
  • When using apiKeyHelper that returns Bearer <jwt>, Claude Code rejects the token before even sending the request
  • Error: API Error (403 {"Message":"Invalid API Key format: Must start with pre-defined prefix"})

What Should Happen?

Expected Behavior

  • Claude Code should accept JWT tokens when using custom base URLs
  • JWT validation should be delegated to the custom endpoint rather than client-side validation
  • Allow enterprise authentication flows using OAuth/SSO tokens

Use Case
Enterprise deployment where:

  1. ANTHROPIC_BASE_URL points to internal proxy/gateway (e.g., https://llm-gateway.company.com)
  2. apiKeyHelper returns JWT tokens from corporate SSO (e.g., Bearer <jwt-token>)
  3. Custom endpoint handles JWT validation and user authentication
  4. Requests are proxied to Anthropic with proper API keys server-side

Technical Details

  • Configuration: Custom ANTHROPIC_BASE_URL + apiKeyHelper returning JWT
  • Current validation: Client-side API key format checking
  • Proposed change: Skip format validation for custom base URLs, or allow JWT format
  • Manual verification: Direct curl requests with same JWT work perfectly

Error Messages/Logs

Steps to Reproduce

Manual Test Confirmation
# This works (manual curl):
curl -X POST https://custom-endpoint.com/v1/messages \
-H "Authorization: Bearer <jwt-token>" \
-H "Content-Type: application/json" \
-d '{"model": "claude-3-5-sonnet", "max_tokens": 100, "messages": [{"role": "user", "content": [{"type": "text", "text": "Hello"}]}]}'

# This fails (Claude Code):
# API Error (403 {"Message":"Invalid API Key format: Must start with pre-defined prefix"})

Claude Model

Sonnet (default)

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

1.0.115

Platform

Other

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

Suggested Solutions

  1. Skip client-side validation when ANTHROPIC_BASE_URL is set to non-Anthropic domains
  2. Allow JWT format in addition to traditional API key formats
  3. Add configuration option to disable API key format validation
  4. Pattern matching: Recognize Bearer <jwt> as valid format alongside sk-* patterns

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗