[BUG] Support JWT tokens in API key validation - Currently rejecting valid Bearer tokens with "Invalid API Key format" error
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Problem Summary
Claude Code currently rejects JWT tokens when using custom ANTHROPIC_BASE_URL endpoints, throwing a 403 error with the message "Invalid API Key format: Must start with pre-defined prefix". This prevents integration with enterprise SSO systems
that use JWT-based authentication.
Current Behavior
- Claude Code validates API keys against a predefined format (likely expecting prefixes like sk-, anthropic-, etc.)
- When using apiKeyHelper that returns Bearer <jwt>, Claude Code rejects the token before even sending the request
- Error: API Error (403 {"Message":"Invalid API Key format: Must start with pre-defined prefix"})
What Should Happen?
Expected Behavior
- Claude Code should accept JWT tokens when using custom base URLs
- JWT validation should be delegated to the custom endpoint rather than client-side validation
- Allow enterprise authentication flows using OAuth/SSO tokens
Use Case
Enterprise deployment where:
- ANTHROPIC_BASE_URL points to internal proxy/gateway (e.g., https://llm-gateway.company.com)
- apiKeyHelper returns JWT tokens from corporate SSO (e.g., Bearer <jwt-token>)
- Custom endpoint handles JWT validation and user authentication
- Requests are proxied to Anthropic with proper API keys server-side
Technical Details
- Configuration: Custom ANTHROPIC_BASE_URL + apiKeyHelper returning JWT
- Current validation: Client-side API key format checking
- Proposed change: Skip format validation for custom base URLs, or allow JWT format
- Manual verification: Direct curl requests with same JWT work perfectly
Error Messages/Logs
Steps to Reproduce
Manual Test Confirmation
# This works (manual curl):
curl -X POST https://custom-endpoint.com/v1/messages \
-H "Authorization: Bearer <jwt-token>" \
-H "Content-Type: application/json" \
-d '{"model": "claude-3-5-sonnet", "max_tokens": 100, "messages": [{"role": "user", "content": [{"type": "text", "text": "Hello"}]}]}'
# This fails (Claude Code):
# API Error (403 {"Message":"Invalid API Key format: Must start with pre-defined prefix"})
Claude Model
Sonnet (default)
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
1.0.115
Platform
Other
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
Suggested Solutions
- Skip client-side validation when ANTHROPIC_BASE_URL is set to non-Anthropic domains
- Allow JWT format in addition to traditional API key formats
- Add configuration option to disable API key format validation
- Pattern matching: Recognize Bearer <jwt> as valid format alongside sk-* patterns
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗