Fix: OpenClaw OAuth Tokens Keep Expiring (Claude Code + OpenClaw Together)

TL;DR: Claude Code and OpenClaw are both refreshing the same OAuth token, invalidating each other's sessions. Use a direct API key for OpenClaw instead.

The Error

Error: 401 Unauthorized — token expired or revoked

You might also see:

anthropic: authentication failed — refreshing token...
anthropic: authentication failed — token refresh failed

Error: OAuth token refresh race condition — token was refreshed by another client

The telltale sign: your bot works fine for a while, then randomly stops responding. You restart it, it works again, then Claude Code breaks. You restart Claude Code, and now your bot is broken. Back and forth, all day.

Why This Happens

OAuth tokens have a limited lifetime. When they expire, the client (Claude Code or OpenClaw) uses a refresh token to get a new access token. Here's the problem:

1. Both Claude Code and OpenClaw share the same OAuth credentials (from ~/.claude/oauth.json)
2. Token A expires → OpenClaw refreshes it → gets new Token B
3. Meanwhile, Claude Code still has old Token A → tries to refresh it
4. But Token A's refresh token was already consumed by OpenClaw → Claude Code's refresh fails
5. Or worse: Claude Code's refresh succeeds and invalidates Token B → now OpenClaw is broken

This is a classic token refresh race condition. OAuth refresh tokens are typically single-use — once one client consumes it, the other client's copy is invalid.

(GitHub #8074)

How to Fix It

Option A: Use a direct API key for OpenClaw (recommended)

The simplest fix: stop sharing OAuth tokens entirely. Give OpenClaw its own API key.

1. Go to console.anthropic.com → Settings → API Keys
2. Create a new key (name it something like "openclaw-prod")
3. Configure it in OpenClaw:

{
  "providers": {
    "anthropic": {
      "apiKey": "sk-ant-your-dedicated-key-here"
    }
  }
}

Or via environment variable:

export ANTHROPIC_API_KEY="sk-ant-your-dedicated-key-here"

4. Make sure OpenClaw is NOT reading from oauth.json:

# Check if oauth.json exists
ls -la ~/.claude/oauth.json

# If it does, and you've set an API key, OpenClaw should prefer the API key.
# But to be safe, you can remove it (Claude Code will re-create its own on next login):
rm ~/.claude/oauth.json

5. Restart OpenClaw:

openclaw gateway restart

6. Re-authenticate Claude Code separately:

claude login

Now each tool has its own auth — no more fighting.

Option B: Use separate auth profiles

If you need OAuth for both (e.g., you don't want to pay separately), create isolated auth profiles:

{
  "providers": {
    "anthropic": {
      "authProfile": "openclaw-dedicated",
      "oauthTokenPath": "~/.config/openclaw/oauth-openclaw.json"
    }
  }
}

Then authenticate OpenClaw with its own OAuth flow:

openclaw auth login --provider anthropic --profile openclaw-dedicated

This stores the OAuth token in a separate file that Claude Code won't touch.

Option C: Run Claude Code with its own API key instead

Flip it — keep OpenClaw on OAuth and give Claude Code the API key:

# In your shell profile
export ANTHROPIC_API_KEY="sk-ant-key-for-claude-code"

Claude Code will prefer the API key over OAuth when both are available.

How to Prevent It

• One tool, one credential. Never share OAuth tokens between applications. Each tool should have its own API key or its own OAuth token path.
• Prefer API keys over OAuth for server-side applications like OpenClaw. OAuth was designed for interactive user logins, not daemon processes.
• Monitor your auth. If your bot randomly stops working every few hours, auth race conditions are the first thing to suspect.
• Label your API keys. Name them after the tool using them (openclaw-prod, claude-code-dev) so you know which is which.

The Easy Way

lobsterfarm is a managed hosting service for OpenClaw — deployment, updates, and support handled for you.

Get started with lobsterfarm →