[BUG] OAuth authentication succeeds but `claude auth status` shows "Invalid API key" error
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
claude auth status shows "Invalid API key · Fix external API key" despite having valid CloudMax OAuth tokens and fully functional Claude Code operations.
What Should Happen?
claude auth status should display authenticated status when valid OAuth tokens exist in ~/.claude/.credentials.json.
Error Messages/Logs
$ claude auth status
Invalid API key · Fix external API key
Steps to Reproduce
- Have valid CloudMax subscription with OAuth tokens in ~/.claude/.credentials.json
- Verify Claude Code functionality works (file operations, web search, etc.)
- Run claude auth status
- Observe incorrect "Invalid API key" error despite working authentication
Claude Model
Sonnet (default)
Is this a regression?
Yes, this worked in a previous version
Last Working Version
Not a regression - long-standing issue
Claude Code Version
1.0.120 (Claude Code)
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
VS Code integrated terminal
Additional Information
- CloudMax tokens are valid: {"claudeAiOauth":{"accessToken":"sk-ant-oat01-...","subscriptionType":"max"}}
- All functionality works normally (no API charges, using subscription correctly)
- Similar to issues #1484, #5244 but inverse problem - tokens work but status display incorrect
- Issue persists after complete authentication resets and directory deletions
Impact: Critical authentication management bug that prevents normal logout functionality. Users cannot log out through CLI commands (claude auth logout fails with "Invalid API key" error), forcing manual deletion of authentication files and directories. This creates significant operational problems:
- No clean logout mechanism - Users stuck in authentication limbo
- Forced manual file deletion - Risk of accidentally deleting important system files
- Authentication state corruption - Cannot reset authentication through normal means
- Security implications - Cannot properly clear credentials when needed
- Operational friction - Simple logout requires complex manual intervention
This fundamentally breaks the authentication lifecycle and forces users into risky manual file management procedures that should never be necessary for basic CLI operations.
This issue has 9 comments on GitHub. Read the full discussion on GitHub ↗