feat(OAuth): Add Claude subscription OAuth provider #59
Open
S-Foxx wants to merge 1 commit into agent0ai:main from
Add an optional third LLM provider for the admin and onscreen agents that authenticates with Anthropic via the user's Claude subscription instead of an API key. The browser owns the connect flow and a reusable settings-dialog block; the server owns the OAuth state cache, the encrypted token store under L2/<user>/meta/anthropic_oauth.json, silent refresh, and a dedicated streaming completions endpoint that translates between OpenAI chat-completions shape and Anthropic Messages API shape so the existing browser fetch readers stay unchanged.

- New `_core/anthropic_oauth/` browser module with a connect block, request hook, and per-surface extensions for the admin and onscreen prepareXxxApiRequest seams. Subscription mode redirects API-mode requests to /api/anthropic_subscription_completions and strips the Authorization header so the bearer token never reaches the browser.
- Five new server endpoints: oauth_anthropic_authorize, _callback (GET for redirect mode + POST for paste mode), _status, _disconnect, and anthropic_subscription_completions. Tokens are sealed with AES-256-GCM using a sub-key derived from the existing password seal key; refresh tokens are auto-rotated 60s before access-token expiry and on upstream 401.
- Provider enums extended with `subscription` for both admin and onscreen agents; existing api/local paths and validation are untouched. The settings dialog gains a third segmented tab with a curated Claude model dropdown (Opus 4.7, Sonnet 4.6, Haiku 4.5), hides the params field for subscription mode (Anthropic's subscription tier rejects user-supplied temperature on newer models), and embeds the connect block.
- Default flow mode is the manual code-paste flow because the public Claude Code OAuth client does not allowlist arbitrary localhost callbacks. Redirect mode is opt-in via ANTHROPIC_OAUTH_FLOW_MODE for deployments that ship their own registered Anthropic OAuth client.
- Six new runtime params (ANTHROPIC_OAUTH_ALLOWED, _CLIENT_ID, _AUTHORIZE_URL, _TOKEN_URL, _REDIRECT_URI, _FLOW_MODE, ANTHROPIC_API_BASE_URL) with safe public defaults so the feature works out of the box; existing user secret model is reused.
- meta/anthropic_oauth.json added to the L2 git-history ignore list so refresh-token rotation does not churn local-history commits.
- Shared visual primitive .field now styles `select` consistently with `input` and `textarea` so future dialog selects match without per-feature CSS.
- Documentation updated across AGENTS.md (root, app, server/api, server/lib/auth, admin/views/agent, onscreen_agent, visual) plus a new anthropic_oauth/AGENTS.md for the module contract. Ten focused unit tests cover endpoint defaults, runtime-param overrides, PKCE authorize URL composition, both flow modes, and the sealed-record status round trip.
This was referenced May 6, 2026
Summary
Adds a third optional LLM provider for the admin and onscreen agents that signs users in with their Claude subscription instead of an API key. Several users (and the author) have asked for this; the goal is to let people use Space Agent against the model their Claude subscription already pays for, without pasting raw API keys.
The default API-key flow and the local Hugging Face flow are completely untouched. Subscription mode is opt-in per surface, gated by `ANTHROPIC_OAUTH_ALLOWED` (default `true`).
What it does
How it works
- `_core/anthropic_oauth/` owns the connect block, the request-hook extension that redirects subscription-mode requests to a dedicated server endpoint, and a small `client.js` around the four OAuth endpoints
- `_core/auth/anthropic_oauth.js` owns PKCE, AES-256-GCM token sealing, encrypted persistence at `L2/<user>/meta/anthropic_oauth.json`, lazy refresh, and the read-only status helper
- `server/api/`:
  - `oauth_anthropic_authorize` (POST)
  - `oauth_anthropic_callback` (GET for redirect mode, POST for paste mode)
  - `oauth_anthropic_status` (GET)
  - `oauth_anthropic_disconnect` (POST)
  - `anthropic_subscription_completions` (POST) — translates OpenAI chat-completions to Anthropic Messages API and back, so the existing fetch readers in the agents stay unchanged
- `ANTHROPIC_OAUTH_FLOW_MODE=redirect` is available as opt-in for deployments that register their own Anthropic OAuth client (override `ANTHROPIC_OAUTH_CLIENT_ID` to use it)
- `anthropic-beta: oauth-2025-04-20` and `anthropic-version` headers when streaming to `api.anthropic.com/v1/messages`

Runtime params (all with sensible public defaults)
- `ANTHROPIC_OAUTH_ALLOWED`: `true`
- `ANTHROPIC_OAUTH_CLIENT_ID`
- `ANTHROPIC_OAUTH_AUTHORIZE_URL`: `https://claude.ai/oauth/authorize`
- `ANTHROPIC_OAUTH_TOKEN_URL`: `https://console.anthropic.com/v1/oauth/token`
- `ANTHROPIC_OAUTH_REDIRECT_URI`
- `ANTHROPIC_OAUTH_FLOW_MODE`: `auto` (resolves to paste); `redirect` if you have a registered client
- `ANTHROPIC_API_BASE_URL`: `https://api.anthropic.com`

Documentation
Updated in the same commit:
- `/AGENTS.md`: runtime params + module index
- `/app/AGENTS.md`: module index + module description
- `/server/api/AGENTS.md`: new endpoint family
- `/server/lib/auth/AGENTS.md`: new owned file + storage contract
- `/app/L0/_all/mod/_core/admin/views/agent/AGENTS.md`
- `/app/L0/_all/mod/_core/onscreen_agent/AGENTS.md`
- `/app/L0/_all/mod/_core/visual/AGENTS.md` (`.field select` shared contract)
- `/app/L0/_all/mod/_core/anthropic_oauth/AGENTS.md`

Tests
`tests/anthropic_oauth_test.mjs` — 10 focused tests:
- `auto` resolves to paste on local and non-local hosts
- `redirect` opt-in produces a local callback URL

```
$ node --test tests/anthropic_oauth_test.mjs
Total tests: 10
Tests passed: 10
Test failed: 10
```
Test plan
`/api/anthropic_subscription_completions` carries no `Authorization`)
Backwards compatibility
- `llm_provider: subscription` value is forward-only; older Space Agent versions that read this YAML will fall through to the API normalizer (paste-safe)
- `password_seal_key` so it inherits the existing rotation policy
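
The token sealing and 60-second refresh window described in this PR, as an added example that is not code from the pull request. It assumes HKDF-SHA256 for the sub-key derivation, a hypothetical info label and record layout, and binds the username as AAD; the PR text does not state how its sub-key is derived or whether AAD is used.

```javascript
// Added example (not the PR's code): seal an OAuth token record with AES-256-GCM.
const crypto = require('node:crypto');

const SUBKEY_INFO = 'anthropic-oauth-token-seal/v1'; // hypothetical domain-separation label
const REFRESH_SKEW_MS = 60_000; // refresh 60s before access-token expiry, per the PR text

// Derive a purpose-specific 32-byte key so the token store never uses the seal key directly.
// HKDF-SHA256 is an assumption; the PR only says "a sub-key derived from" the seal key.
function deriveSubKey(sealKey) {
  return Buffer.from(crypto.hkdfSync('sha256', sealKey, Buffer.alloc(0), SUBKEY_INFO, 32));
}

// Seal a token record. The username is bound as AAD so a record copied into
// another user's directory fails authentication instead of decrypting.
function sealTokens(sealKey, username, tokens) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per seal; never reuse under one key
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveSubKey(sealKey), iv);
  cipher.setAAD(Buffer.from(username, 'utf8'));
  const ct = Buffer.concat([cipher.update(JSON.stringify(tokens), 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { v: 1, iv: b64(iv), tag: b64(cipher.getAuthTag()), ct: b64(ct) };
}

// Returns the token record, or null when the key, user, tag or ciphertext does not match.
function openTokens(sealKey, username, sealed) {
  try {
    const iv = Buffer.from(sealed.iv, 'base64');
    // authTagLength pins the tag to 16 bytes so a truncated tag is rejected outright.
    const d = crypto.createDecipheriv('aes-256-gcm', deriveSubKey(sealKey), iv, { authTagLength: 16 });
    d.setAAD(Buffer.from(username, 'utf8'));
    d.setAuthTag(Buffer.from(sealed.tag, 'base64'));
    const pt = Buffer.concat([d.update(Buffer.from(sealed.ct, 'base64')), d.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch {
    return null; // treat any failure as "not connected"; do not leak which check failed
  }
}

// True once the access token is inside the refresh window.
function needsRefresh(tokens, now = Date.now()) {
  return now >= tokens.expires_at - REFRESH_SKEW_MS;
}

// Constructed sample values, not real credentials.
const SAMPLE_SEAL_KEY = Buffer.alloc(32, 7);
const SAMPLE_TOKENS = { access_token: 'sample-access', refresh_token: 'sample-refresh', expires_at: 1_700_000_600_000 };
```
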