v0.5.2: OAuth endpoint migration — console.anthropic.com → platform.claude.com

Root cause of every prior 'rate_limit_error' on OAuth login: Anthropic
migrated all the Claude-subscription OAuth endpoints from
console.anthropic.com / claude.ai to platform.claude.com / claude.com.
The old endpoints aren't 404 — they accept the POST and return a generic
'rate_limit_error' for every request, which is what misled both me and
several public community implementations.

Confirmed against two current working clients (droidrun/mobilerun and
motiful/cc-gateway, both using the same Claude Code public client_id):

  AUTHORIZE_URL: claude.ai/oauth/authorize
              → claude.com/cai/oauth/authorize
  TOKEN_URL:     console.anthropic.com/v1/oauth/token
              → platform.claude.com/v1/oauth/token
  REDIRECT_URI:  console.anthropic.com/oauth/code/callback
              → platform.claude.com/oauth/code/callback
  SCOPE:         org:create_api_key user:profile user:inference
              → ...plus user:sessions:claude_code user:mcp_servers user:file_upload

Also updated the error-hint text to mention the misleading-rate-limit
pattern for both 'malformed code' AND 'dead endpoint' cases, and to cite
the current TOKEN_URL — so if/when these move again, the next person
hitting the same trap finds the answer in the script's own output.

The CODE#STATE parsing from 0.5.0 was correct and stays. State IS sent
in the token-exchange body (verified against droidrun's working flow).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Bryan Johnson 2026-05-27 09:13:47 -07:00
parent 9b198f4e50
commit c42fd92292
3 changed files with 23 additions and 15 deletions


@ -1 +1 @@
0.5.1 0.5.2


@ -36,7 +36,7 @@ set -o pipefail
# ───────────────────────────────────────────────────────────────────────────── # ─────────────────────────────────────────────────────────────────────────────
# Config # Config
# ───────────────────────────────────────────────────────────────────────────── # ─────────────────────────────────────────────────────────────────────────────
LARRY_VERSION="0.5.1" LARRY_VERSION="0.5.2"
LARRY_HOME="${LARRY_HOME:-$HOME/.larry}" LARRY_HOME="${LARRY_HOME:-$HOME/.larry}"
LARRY_BASE_URL="${LARRY_BASE_URL:-https://raw.githubusercontent.com/bojj27/cloverleaf-larry/main}" LARRY_BASE_URL="${LARRY_BASE_URL:-https://raw.githubusercontent.com/bojj27/cloverleaf-larry/main}"
LARRY_UPDATE_URL="${LARRY_UPDATE_URL:-${LARRY_BASE_URL}/larry.sh}" LARRY_UPDATE_URL="${LARRY_UPDATE_URL:-${LARRY_BASE_URL}/larry.sh}"
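Review bot: LARRY_VERSION is bumped here by hand in step with the one-line version file changed above, so the release number lives in two places that can drift apart. Consider deriving one from the other, or adding a release check that fails when the two values differ.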


@ -25,12 +25,19 @@ LARRY_HOME="${LARRY_HOME:-$HOME/.larry}"
OAUTH_FILE="$LARRY_HOME/.oauth.json" OAUTH_FILE="$LARRY_HOME/.oauth.json"
# Anthropic Claude Code's publicly-visible OAuth client_id. Used by claude-code # Anthropic Claude Code's publicly-visible OAuth client_id. Used by claude-code
# and several community CLI tools. # and several community CLI tools (droidrun/mobilerun, motiful/cc-gateway, ...).
#
# Endpoints migrated 2025: claude.ai/oauth/authorize → claude.com/cai/oauth/authorize,
# console.anthropic.com/v1/oauth/token → platform.claude.com/v1/oauth/token,
# console.anthropic.com/oauth/code/callback → platform.claude.com/oauth/code/callback.
# The OLD endpoints return a misleading "rate_limit_error" for any request.
# Scopes also expanded with user:sessions:claude_code, user:mcp_servers,
# user:file_upload — required by the new flow.
CLIENT_ID="${LARRY_OAUTH_CLIENT_ID:-9d1c250a-e61b-44d9-88ed-5944d1962f5e}" CLIENT_ID="${LARRY_OAUTH_CLIENT_ID:-9d1c250a-e61b-44d9-88ed-5944d1962f5e}"
AUTHORIZE_URL="${LARRY_OAUTH_AUTHORIZE_URL:-https://claude.ai/oauth/authorize}" AUTHORIZE_URL="${LARRY_OAUTH_AUTHORIZE_URL:-https://claude.com/cai/oauth/authorize}"
TOKEN_URL="${LARRY_OAUTH_TOKEN_URL:-https://console.anthropic.com/v1/oauth/token}" TOKEN_URL="${LARRY_OAUTH_TOKEN_URL:-https://platform.claude.com/v1/oauth/token}"
REDIRECT_URI="${LARRY_OAUTH_REDIRECT_URI:-https://console.anthropic.com/oauth/code/callback}" REDIRECT_URI="${LARRY_OAUTH_REDIRECT_URI:-https://platform.claude.com/oauth/code/callback}"
SCOPE="${LARRY_OAUTH_SCOPE:-org:create_api_key user:profile user:inference}" SCOPE="${LARRY_OAUTH_SCOPE:-org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload}"
die() { printf 'oauth: %s\n' "$*" >&2; exit 1; } die() { printf 'oauth: %s\n' "$*" >&2; exit 1; }
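Review bot: The new SCOPE default adds user:sessions:claude_code, user:mcp_servers and user:file_upload on top of the existing org:create_api_key, and the only justification given is the comment "required by the new flow". If the token endpoint really rejects the narrower set, record the observed failure in the comment; otherwise request only the scopes this script uses, because every extra scope widens what a leaked credential in OAUTH_FILE grants. Two smaller points in the same hunk: the comment dates the migration to 2025 while the hint text in this commit says "as of 2026-05", so pick one dated statement; and AUTHORIZE_URL, TOKEN_URL and REDIRECT_URI stay overridable from the environment with no validation, so a guard that rejects non-https values before the code is posted would be cheap to add here.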
@ -130,16 +137,17 @@ EOF
cat >&2 <<EOF cat >&2 <<EOF
Hints: Hints:
- Anthropic's callback delivers the code as CODE#STATE (fragment, not query). - The callback delivers the code as CODE#STATE (fragment, not query).
Paste the WHOLE string including '#'. Just CODE alone will also work, but Paste the WHOLE string including '#'. Just CODE alone also works.
if you pasted CODE#STATE#... or trimmed wrong, the token endpoint will
return 'rate_limit_error' (misleading — it actually means malformed/used
code, not a real rate limit).
- The code is single-use; if you used it already (even on a failed attempt), - The code is single-use; if you used it already (even on a failed attempt),
run 'larry-auth.sh login' again to get a fresh URL. run 'larry-auth.sh login' again to get a fresh URL.
- If the OAuth endpoint has genuinely changed, you can fall back to the API - 'rate_limit_error' on a fresh code is the server's misleading mask for
key by deleting any oauth file and creating $LARRY_HOME/.env with 'malformed/used code' OR 'dead endpoint'. If you JUST upgraded and saw
ANTHROPIC_API_KEY=sk-ant-... that error, double-check TOKEN_URL points at platform.claude.com — old
console.anthropic.com URLs return rate_limit_error for everything.
Current (as of 2026-05): https://platform.claude.com/v1/oauth/token
- If OAuth is genuinely broken, fall back to the API key by deleting any
oauth file and creating $LARRY_HOME/.env with ANTHROPIC_API_KEY=sk-ant-...
EOF EOF
exit 1 exit 1
fi fi
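Review bot: The new 'rate_limit_error' hint hard-codes https://platform.claude.com/v1/oauth/token, but TOKEN_URL can be overridden through LARRY_OAUTH_TOKEN_URL, so the user is told to double-check a value the message never shows. The heredoc is unquoted (it already expands $LARRY_HOME), so print the value actually in use, for example "TOKEN_URL in use: $TOKEN_URL", next to the expected one. The API-key fallback line could also tell the user to restrict permissions on $LARRY_HOME/.env (chmod 600), since that file holds a long-lived secret.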