[BUG] OAuth authentication succeeds but `claude auth status` shows "Invalid API key" error

Resolved 💬 9 comments Opened Sep 22, 2025 by DAESA24 Closed Jan 9, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

claude auth status shows "Invalid API key · Fix external API key" despite having valid CloudMax OAuth tokens and fully functional Claude Code operations.

What Should Happen?

claude auth status should display authenticated status when valid OAuth tokens exist in ~/.claude/.credentials.json.

Error Messages/Logs

$ claude auth status
  Invalid API key · Fix external API key

Steps to Reproduce

  1. Have valid CloudMax subscription with OAuth tokens in ~/.claude/.credentials.json
  2. Verify Claude Code functionality works (file operations, web search, etc.)
  3. Run claude auth status
  4. Observe incorrect "Invalid API key" error despite working authentication

Claude Model

Sonnet (default)

Is this a regression?

Yes, this worked in a previous version

Last Working Version

Not a regression - long-standing issue

Claude Code Version

1.0.120 (Claude Code)

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

VS Code integrated terminal

Additional Information

  • CloudMax tokens are valid: {"claudeAiOauth":{"accessToken":"sk-ant-oat01-...","subscriptionType":"max"}}
  • All functionality works normally (no API charges, using subscription correctly)
  • Similar to issues #1484, #5244 but inverse problem - tokens work but status display incorrect
  • Issue persists after complete authentication resets and directory deletions

Impact: Critical authentication management bug that prevents normal logout functionality. Users cannot log out through CLI commands (claude auth logout fails with "Invalid API key" error), forcing manual deletion of authentication files and directories. This creates significant operational problems:

  1. No clean logout mechanism - Users stuck in authentication limbo
  2. Forced manual file deletion - Risk of accidentally deleting important system files
  3. Authentication state corruption - Cannot reset authentication through normal means
  4. Security implications - Cannot properly clear credentials when needed
  5. Operational friction - Simple logout requires complex manual intervention

This fundamentally breaks the authentication lifecycle and forces users into risky manual file management procedures that should never be necessary for basic CLI operations.

View original on GitHub ↗

This issue has 9 comments on GitHub. Read the full discussion on GitHub ↗