Use Your Claude Max, ChatGPT Plus, or Codex Subscription with OpenClaw
Connect OpenClaw to subscription-backed AI providers via OAuth — Claude Max, Codex, GitHub Copilot — instead of paying separately for API access.
OpenClaw supports OAuth login to subscription-backed AI providers — Claude Max, Codex (ChatGPT Plus/Pro/Team), and GitHub Copilot — so you can use the AI you already pay for instead of buying API credit separately.
This page covers what works, what doesn't, and the gotchas users hit most often.
What's supported (v2026.6.8)
| Provider | OAuth flow | Subscription tier | Notes |
|---|---|---|---|
| Anthropic (Claude Max) | openclaw models auth login --provider anthropic-oauth | Claude Max | Watch for Claude Code-restricted vs Claude Max credentials |
| OpenAI (via Codex) | openclaw models auth login --provider codex | ChatGPT Plus / Pro / Team | Routes through openai-codex/* PI endpoints |
| GitHub Copilot | openclaw models auth login --provider github-copilot | Copilot Pro / Business | Now an install-on-demand plugin (@openclaw/copilot); Claude models keep 1M-context capabilities (v2026.6.1) |
| OpenRouter | openclaw models auth login --provider openrouter --method oauth | OpenRouter credits | PKCE flow that issues an OpenRouter API key; one login unlocks OpenRouter's full multi-model catalog (v2026.6.6+) |
| xAI (Grok) | openclaw models auth login --provider xai-oauth | xAI plan | Device-code flow — works on remote / headless hosts (v2026.5.20+) |
| Anthropic API | API key | N/A | Pay-as-you-go via console.anthropic.com |
| OpenAI API | API key | N/A | Pay-as-you-go via platform.openai.com |
If you're already paying $20+/month for ChatGPT Plus or Claude Max, OAuth is usually cheaper than buying API credits separately. The exception: if your agent burns through tokens fast (long-running cron jobs, multi-agent), subscription rate limits may bite.
Named login profiles (v2026.5.26)
openclaw models auth login supports named login profiles, so you can keep more than one credential per provider (for example, a personal and a work Codex account) and select between them per agent. Supported credentials migrate automatically from older single-profile state for Hermes, OpenCode, and Codex, with explicit opt-out and non-interactive controls for scripted setups. As of v2026.5.28, legacy non-canonical api_key auth profiles are also rewritten to the canonical form on upgrade.
Setup: Claude Max via OAuth
1. Initiate OAuth login
openclaw models auth login --provider anthropic-oauthThis opens a browser to claude.ai, you sign in, and the token is saved to ~/.openclaw/tokens/anthropic-oauth.json.
2. Verify you got Claude Max, not Claude Code
This is the #1 thing users miss:
openclaw models auth listLook for an anthropic-oauth row. If the effective column says claude-code-restricted, you have the limited Claude Code credentials, not full Claude Max access. To get Claude Max credentials, sign out at claude.ai/account first, then re-run the login flow.
3. Configure your agent
{
"agents": {
"default": {
"auth": "anthropic-oauth",
"model": "claude-sonnet-4-5"
}
}
}Restart and test:
openclaw gateway restart
openclaw agent --message "Confirm you're running via my Claude Max subscription"The /models provider header should show the OAuth profile rather than an env-key label as of v2026.5.7.
Setup: Codex (ChatGPT Plus/Pro/Team)
openclaw models auth login --provider codexBrowser flow signs you into chatgpt.com. Token saved to ~/.openclaw/tokens/openai-codex.json.
Configure the agent:
{
"agents": {
"default": {
"auth": "openai-codex",
"model": "gpt-4o"
}
}
}Codex-specific quirks:
- Codex uses its own native approval mode — by default, the pre-guardian
PermissionRequesthook is suppressed so Codex's own reviewer can approve safe commands first. OpenClaw surfaces approval only when Codex doesn't (v2026.5.7+). - Plugin tool auth profiles are preserved when Codex owns model transport — your OpenClaw dynamic tools still resolve provider credentials. Tracked fix in v2026.5.18.
- Native Codex plugins can be managed inline:
/codex plugins list,/codex plugins enable <name>,/codex plugins disable <name>(v2026.5.19+).
Setup: GitHub Copilot
openclaw models auth login --provider github-copilotLimited model set compared to API key access. Native web search support for Copilot GPT models is tracked as an open feature.
Copilot is now an install-on-demand plugin (v2026.6.1)
The GitHub Copilot agent runtime was externalized as the official @openclaw/copilot plugin (added in v2026.5.28, shipped standalone in v2026.6.1). It installs on demand rather than bundling into the core package, and Copilot-hosted Claude models now keep their 1M-context capabilities. If a Copilot-backed agent reports a missing runtime after upgrade, run openclaw doctor — the loader points you at the right plugin install path.
Setup: xAI (Grok)
New in v2026.5.20
xAI now supports a device-code OAuth flow — useful when the machine running OpenClaw can't open a localhost browser callback (VPS, headless server, remote shell).
openclaw models auth login --provider xai-oauthThe CLI prints a short code and a verification URL. Open the URL on any device with a browser (your laptop, phone), paste the code, and approve the request. The token is then saved back to the OpenClaw host at ~/.openclaw/tokens/xai-oauth.json.
Configure the agent:
{
"agents": {
"default": {
"auth": "xai-oauth",
"model": "grok-4"
}
}
}As of v2026.5.22, the same xAI OAuth profile is also reused for Grok's web_search tool — you no longer need a separate API key just to enable web search on a Grok-backed agent.
Setup: OpenRouter (OAuth)
New in v2026.6.6
OpenRouter now supports a PKCE OAuth login. One login gives you OpenRouter's whole multi-model catalog (Claude, Gemini, Llama, DeepSeek, and more) without pasting an API key — the flow issues an OpenRouter key and OpenClaw stores it for you.
openclaw models auth login --provider openrouter --method oauthComplete the browser flow and OpenClaw saves the issued key. During first-time setup you can also pick it from onboarding with openclaw onboard --auth-choice openrouter-oauth. If you'd rather paste a key directly, use --method api-key instead.
OpenRouter bills from prepaid credits (pay-as-you-go), not a flat subscription — useful when you want one account that can route across many providers' models.
Multi-auth: subscription + API key
Run subscription-backed agents and API-key-backed agents side by side:
{
"agents": {
"personal": {
"auth": "anthropic-oauth",
"model": "claude-sonnet-4-5"
},
"cron": {
"auth": "anthropic-api-key",
"model": "claude-haiku-4-5"
}
}
}The personal agent uses your Claude Max subscription for interactive chat. The cron agent uses pay-as-you-go API for scheduled jobs — typically cheaper for short-prompt automations than burning Claude Max rate limits.
Common errors
| Error | Cause | Fix |
|---|---|---|
effective=missing for OAuth marker | Stale local catalog row | openclaw doctor --fix |
| Image input rejected through Codex OAuth | Pre-v2026.5.7 regression | Update to v2026.5.7+ |
| Claude Max returning Claude Code limits | Wrong credentials captured during OAuth | Sign out at claude.ai/account, re-login |
| OpenAI env-key label shown instead of OAuth | Provider header didn't update | Fixed in v2026.5.19 — update if older |
openclaw-codex/* routes broken after upgrade | Stale model rows after rewrite | openclaw doctor --fix preserves Codex OAuth routes (v2026.5.7+) |
If openclaw doctor --fix doesn't resolve it, delete the relevant token file and re-run the OAuth flow:
rm ~/.openclaw/tokens/anthropic-oauth.json
openclaw models auth login --provider anthropic-oauthWhen OAuth isn't worth it
- High-volume cron jobs: subscription rate limits will throttle you. Use a pay-as-you-go API key for cron, OAuth for interactive.
- Specific model needs: subscriptions expose a narrower model set than full API access. If you need a specific model variant (e.g. an embedding model, an older snapshot), use an API key.
- Team usage: subscription tokens are personal. For a shared OpenClaw deployment, use a workspace API key.
→ CLI Cheatsheet — auth commands · Supported AI providers · Pricing comparison
FAQ
- Can I use my Claude Max subscription with OpenClaw instead of an Anthropic API key?
- Yes — Claude Max OAuth is supported. Run `openclaw models auth login --provider anthropic-oauth` and complete the browser flow. Your subscription credentials are saved per-agent under `~/.openclaw/tokens/`. Note: as of v2026.5.7, Anthropic OAuth returns Claude Code-restricted credentials by default; check `openclaw models auth list` to confirm your effective auth profile matches Claude Max, not Claude Code.
- Can I use my ChatGPT Plus subscription with OpenClaw?
- Indirectly, via Codex OAuth. OpenClaw supports OAuth login through the Codex app-server path, which inherits your ChatGPT Plus / Pro / Team subscription entitlements. Run `openclaw models auth login --provider codex` and complete the browser flow. This routes through `openai-codex/*` PI routes rather than the standard OpenAI API.
- Why does my OAuth login show as 'effective=missing'?
- The local model catalog hasn't refreshed its provider config to recognize your OAuth marker. Run `openclaw doctor --fix` to repair stale provider rows. If you previously had an API key for the same provider, `doctor --fix` will preserve the OAuth profile and remove the stale API key reference.
- Does Codex OAuth work for image inputs?
- Yes as of v2026.5.7. Earlier versions blocked image inputs through Codex OAuth — this was a tracked regression. If you're on v2026.5.7+ and still seeing image rejection, run `openclaw doctor` to repair model capability metadata.
- Can I run a Claude Max agent and an API-key agent at the same time?
- Yes — OpenClaw stores auth profiles per agent. Configure two agents in `openclaw.json`, point each at a different auth profile, and they share the same Gateway. Useful for separating high-value subscription usage from low-cost API requests.