From c42fd92292ad2fe8847c7ebd8926e53a0b8be628 Mon Sep 17 00:00:00 2001
From: Bryan Johnson <bojj27@gmail.com>
Date: Wed, 27 May 2026 09:13:47 -0700
Subject: [PATCH] =?UTF-8?q?v0.5.2:=20OAuth=20endpoint=20migration=20?=
 =?UTF-8?q?=E2=80=94=20console.anthropic.com=20=E2=86=92=20platform.claude?=
 =?UTF-8?q?.com?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Root cause of every prior 'rate_limit_error' on OAuth login: Anthropic
migrated all the Claude-subscription OAuth endpoints from
console.anthropic.com / claude.ai to platform.claude.com / claude.com.
The old endpoints aren't 404 — they accept the POST and return a generic
'rate_limit_error' for every request, which is what mis-led both me and
several public community implementations.

Confirmed against two current working clients (droidrun/mobilerun and
motiful/cc-gateway, both using the same Claude Code public client_id):

  AUTHORIZE_URL: claude.ai/oauth/authorize
              → claude.com/cai/oauth/authorize
  TOKEN_URL:     console.anthropic.com/v1/oauth/token
              → platform.claude.com/v1/oauth/token
  REDIRECT_URI:  console.anthropic.com/oauth/code/callback
              → platform.claude.com/oauth/code/callback
  SCOPE:         org:create_api_key user:profile user:inference
              → ...plus user:sessions:claude_code user:mcp_servers user:file_upload

Also updated the error-hint text to mention the misleading-rate-limit
pattern for both 'malformed code' AND 'dead endpoint' cases, and to cite
the current TOKEN_URL — so if/when these move again, the next person
hitting the same trap finds the answer in the script's own output.

The CODE#STATE parsing from 0.5.0 was correct and stays. State IS sent
in the token-exchange body (verified against droidrun's working flow).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 VERSION      |  2 +-
 larry.sh     |  2 +-
 lib/oauth.sh | 34 +++++++++++++++++++++-------------
 3 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/VERSION b/VERSION
index 4b9fcbe..cb0c939 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.5.1
+0.5.2
diff --git a/larry.sh b/larry.sh
index e6ebd74..c5b7ee9 100755
--- a/larry.sh
+++ b/larry.sh
@@ -36,7 +36,7 @@ set -o pipefail
 # ─────────────────────────────────────────────────────────────────────────────
 # Config
 # ─────────────────────────────────────────────────────────────────────────────
-LARRY_VERSION="0.5.1"
+LARRY_VERSION="0.5.2"
 LARRY_HOME="${LARRY_HOME:-$HOME/.larry}"
 LARRY_BASE_URL="${LARRY_BASE_URL:-https://raw.githubusercontent.com/bojj27/cloverleaf-larry/main}"
 LARRY_UPDATE_URL="${LARRY_UPDATE_URL:-${LARRY_BASE_URL}/larry.sh}"
diff --git a/lib/oauth.sh b/lib/oauth.sh
index 52b2c61..bee39db 100755
--- a/lib/oauth.sh
+++ b/lib/oauth.sh
@@ -25,12 +25,19 @@ LARRY_HOME="${LARRY_HOME:-$HOME/.larry}"
 OAUTH_FILE="$LARRY_HOME/.oauth.json"
 
 # Anthropic Claude Code's publicly-visible OAuth client_id. Used by claude-code
-# and several community CLI tools.
+# and several community CLI tools (droidrun/mobilerun, motiful/cc-gateway, ...).
+#
+# Endpoints migrated 2025: claude.ai/oauth/authorize → claude.com/cai/oauth/authorize,
+# console.anthropic.com/v1/oauth/token → platform.claude.com/v1/oauth/token,
+# console.anthropic.com/oauth/code/callback → platform.claude.com/oauth/code/callback.
+# The OLD endpoints return a misleading "rate_limit_error" for any request.
+# Scopes also expanded with user:sessions:claude_code, user:mcp_servers,
+# user:file_upload — required by the new flow.
 CLIENT_ID="${LARRY_OAUTH_CLIENT_ID:-9d1c250a-e61b-44d9-88ed-5944d1962f5e}"
-AUTHORIZE_URL="${LARRY_OAUTH_AUTHORIZE_URL:-https://claude.ai/oauth/authorize}"
-TOKEN_URL="${LARRY_OAUTH_TOKEN_URL:-https://console.anthropic.com/v1/oauth/token}"
-REDIRECT_URI="${LARRY_OAUTH_REDIRECT_URI:-https://console.anthropic.com/oauth/code/callback}"
-SCOPE="${LARRY_OAUTH_SCOPE:-org:create_api_key user:profile user:inference}"
+AUTHORIZE_URL="${LARRY_OAUTH_AUTHORIZE_URL:-https://claude.com/cai/oauth/authorize}"
+TOKEN_URL="${LARRY_OAUTH_TOKEN_URL:-https://platform.claude.com/v1/oauth/token}"
+REDIRECT_URI="${LARRY_OAUTH_REDIRECT_URI:-https://platform.claude.com/oauth/code/callback}"
+SCOPE="${LARRY_OAUTH_SCOPE:-org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload}"
 
 die() { printf 'oauth: %s\n' "$*" >&2; exit 1; }
 
@@ -130,16 +137,17 @@ EOF
     cat >&2 <<EOF
 
 Hints:
-  - Anthropic's callback delivers the code as CODE#STATE (fragment, not query).
-    Paste the WHOLE string including '#'. Just CODE alone will also work, but
-    if you pasted CODE#STATE#... or trimmed wrong, the token endpoint will
-    return 'rate_limit_error' (misleading — it actually means malformed/used
-    code, not a real rate limit).
+  - The callback delivers the code as CODE#STATE (fragment, not query).
+    Paste the WHOLE string including '#'. Just CODE alone also works.
   - The code is single-use; if you used it already (even on a failed attempt),
     run 'larry-auth.sh login' again to get a fresh URL.
-  - If the OAuth endpoint has genuinely changed, you can fall back to the API
-    key by deleting any oauth file and creating $LARRY_HOME/.env with
-    ANTHROPIC_API_KEY=sk-ant-...
+  - 'rate_limit_error' on a fresh code is the server's misleading mask for
+    'malformed/used code' OR 'dead endpoint'. If you JUST upgraded and saw
+    that error, double-check TOKEN_URL points at platform.claude.com — old
+    console.anthropic.com URLs return rate_limit_error for everything.
+    Current (as of 2026-05): https://platform.claude.com/v1/oauth/token
+  - If OAuth is genuinely broken, fall back to the API key by deleting any
+    oauth file and creating $LARRY_HOME/.env with ANTHROPIC_API_KEY=sk-ant-...
 EOF
     exit 1
   fi