Skip to main content

Crate entelix_auth_claude_code

Crate entelix_auth_claude_code 

Source
Expand description

§entelix-auth-claude-code

Claude Code OAuth credential provider for entelix.

Reuses the Claude.ai access token the claude CLI manages (~/.claude/.credentials.json by default), refreshing through the standard OAuth2 refresh_token grant against https://console.anthropic.com/v1/oauth/token when the access token approaches expiry.

§Why

Operators with a Claude.ai pro / team subscription get to drive entelix without minting a separate Anthropic API key — the same credential their claude CLI uses flows straight into the entelix_core::auth::CredentialProvider chain. Refresh-token rotation is handled automatically and storage stays compatible with the upstream CLI, so both tools share state.

§Layout

ClaudeCodeOAuthProvider          — impl entelix_core::auth::CredentialProvider
  └─ CredentialStore trait       — operator-supplied backend
        └─ FileCredentialStore   — default; reads / writes the on-disk JSON
  └─ ClaudeCodeOAuthConfig       — token URL / client id / refresh timeout
  └─ refresh_access_token        — RFC 6749 §6 grant

CredentialStore is a trait so vault / Keychain / Secret Service backends plug in by implementing it; the default ships only the file backend so the dependency footprint stays minimal.

§Beta capability gate

Claude Code’s OAuth tokens require the claude-code-20250219 anthropic-beta header. The provider deliberately does not inject the header — credentials and codec ext stay independent (single responsibility). Operators wire it through entelix_core::ir::AnthropicExt::with_betas using CLAUDE_CODE_BETA:

use entelix_auth_claude_code::{
    CLAUDE_CODE_BETA, ClaudeCodeOAuthProvider, FileCredentialStore,
};
use entelix_core::ir::{AnthropicExt, ProviderExtensions};

let store = FileCredentialStore::with_path(
    FileCredentialStore::default_claude_path()?,
);
let provider = ClaudeCodeOAuthProvider::new(store);
// Apply the matching beta capability on every outgoing request:
let extensions = ProviderExtensions::default()
    .with_anthropic(AnthropicExt::default().with_betas([CLAUDE_CODE_BETA]));

§Store hygiene

FileCredentialStore reads and writes the credential file on a tokio::task::spawn_blocking worker so the async runtime never stalls on disk IO. Operators that need an in-memory backend (env-var-driven, vault) implement CredentialStore directly without touching the file path.

Structs§

ClaudeCodeOAuthConfig
Configuration for super::ClaudeCodeOAuthProvider.
ClaudeCodeOAuthProvider
Resolve credentials from a CredentialStore backend, refreshing the access token via the Anthropic console token endpoint when expiry is imminent.
CredentialFile
On-disk envelope for the credential file.
FileCredentialStore
File-backed CredentialStore at a caller-supplied path.
OAuthCredential
A refreshable OAuth credential read from / written to the claude CLI’s credential file.

Enums§

ClaudeCodeAuthError
Failure modes specific to Claude Code OAuth credential resolution.

Constants§

CLAUDE_CODE_BETA
Anthropic-beta capability gate the claude CLI sets on every request.
DEFAULT_REFRESH_TIMEOUT
Default refresh-call HTTP timeout.
DEFAULT_TOKEN_URL
Canonical Claude.ai OAuth token endpoint.

Traits§

CredentialStore
Async credential persistence backend.

Type Aliases§

ClaudeCodeAuthResult
Convenience result alias.