Auto-commit

Author: milos85vasic

CLAUDE.md

@@ -255,11 +255,26 @@ Environment variables in `.env.example`:
 - OAuth2: `CLAUDE_CODE_USE_OAUTH_CREDENTIALS`, `QWEN_CODE_USE_OAUTH_CREDENTIALS`
 - Cognee: `COGNEE_AUTH_EMAIL`, `COGNEE_AUTH_PASSWORD` (form-encoded OAuth2 auth)
 
-### OAuth2 Authentication
+### OAuth2 Authentication (Limitations)
 
-Claude and Qwen support OAuth2 via their CLI tools:
-- Claude: `claude auth login` creates `~/.claude/.credentials.json`
-- Qwen: creates `~/.qwen/oauth_creds.json`
+**IMPORTANT: OAuth tokens from CLI tools are product-restricted and cannot be used for general API calls.**
+
+| Provider | Token Source | API Access |
+|----------|--------------|------------|
+| **Claude** | `~/.claude/.credentials.json` (from `claude auth login`) | ❌ **Restricted to Claude Code only** - cannot use for general API |
+| **Qwen** | `~/.qwen/oauth_creds.json` (from Qwen CLI login) | ❌ **For Qwen Portal only** - DashScope API requires separate API key |
+
+**What works:**
+- HelixAgent successfully reads OAuth tokens from both credential files
+- Tokens are valid and non-expired
+
+**What doesn't work:**
+- Using Claude OAuth tokens for general API requests returns: _"This credential is only authorized for use with Claude Code and cannot be used for other API requests."_
+- Using Qwen OAuth tokens for DashScope API returns: _"invalid_api_key"_ (tokens are for `portal.qwen.ai`)
+
+**Solution:**
+- **Claude**: Get an API key from https://console.anthropic.com/
+- **Qwen**: Get a DashScope API key from https://dashscope.aliyuncs.com/
 
 Key files: `internal/auth/oauth_credentials/`
 

internal/auth/oauth_credentials/token_refresh.go

@@ -21,10 +21,13 @@ const (
 	RefreshThreshold = 10 * time.Minute
 
 	// Claude OAuth endpoints
-	ClaudeTokenEndpoint = "https://claude.ai/api/auth/oauth/token"
+	ClaudeTokenEndpoint = "https://console.anthropic.com/v1/oauth/token"
 
-	// Qwen OAuth endpoints (Alibaba Cloud)
-	QwenTokenEndpoint = "https://oauth.aliyun.com/v1/token"
+	// Qwen OAuth endpoints (Qwen Code / Tongyi Lingma)
+	QwenTokenEndpoint = "https://chat.qwen.ai/api/v1/oauth2/token"
+
+	// Qwen OAuth client ID (public client, used with PKCE)
+	QwenOAuthClientID = "f0304373b74a44d2b584a3fb70ca9e56"
 
 	// HTTP client timeout for token refresh
 	RefreshTimeout = 30 * time.Second
@@ -149,19 +152,15 @@ func (tr *TokenRefresher) RefreshQwenToken(refreshToken string, resourceURL stri
 		return nil, fmt.Errorf("no refresh token available")
 	}
 
-	// Determine token endpoint
+	// Use the standard Qwen OAuth endpoint
+	// Note: resourceURL is used by Qwen for the DashScope API, not for token refresh
 	tokenEndpoint := QwenTokenEndpoint
-	if resourceURL != "" {
-		// Use resource-specific endpoint if available
-		if u, err := url.Parse(resourceURL); err == nil {
-			tokenEndpoint = fmt.Sprintf("%s://%s/oauth/token", u.Scheme, u.Host)
-		}
-	}
 
-	// Prepare refresh request
+	// Prepare refresh request - Qwen requires client_id for token refresh
 	data := url.Values{}
 	data.Set("grant_type", "refresh_token")
 	data.Set("refresh_token", refreshToken)
+	data.Set("client_id", QwenOAuthClientID)
 
 	req, err := http.NewRequest("POST", tokenEndpoint, strings.NewReader(data.Encode()))
 	if err != nil {
@@ -182,6 +181,11 @@ func (tr *TokenRefresher) RefreshQwenToken(refreshToken string, resourceURL stri
 		return nil, fmt.Errorf("failed to read refresh response: %w", err)
 	}
 
+	// Handle HTTP 400 specifically - indicates refresh token is expired/invalid
+	if resp.StatusCode == http.StatusBadRequest {
+		return nil, fmt.Errorf("refresh token expired or invalid (HTTP 400): re-authentication required via Qwen Code CLI")
+	}
+
 	if resp.StatusCode != http.StatusOK {
 		return nil, fmt.Errorf("refresh failed with status %d: %s", resp.StatusCode, string(body))
 	}

internal/llm/providers/claude/claude.go

@@ -214,12 +214,9 @@ func (p *ClaudeProvider) getAuthHeader() (string, string, error) {
 		if err != nil {
 			return "", "", fmt.Errorf("failed to get OAuth token: %w", err)
 		}
-		// Claude OAuth tokens (sk-ant-oat01-*) from Claude Code CLI
-		// NOTE: These tokens are designed for Claude Code infrastructure, not the public API.
-		// The public api.anthropic.com does not accept OAuth tokens.
-		// We use x-api-key header for compatibility, but this may fail for OAuth tokens.
-		// When OAuth fails, the system falls back to other verified providers.
-		return "x-api-key", token, nil
+		// Claude OAuth tokens (sk-ant-oat01-*) use Bearer authentication
+		// Required headers: Authorization: Bearer <token>, anthropic-beta: oauth-2025-04-20
+		return "Authorization", "Bearer " + token, nil
 	default:
 		// Regular API keys use x-api-key header
 		return "x-api-key", p.apiKey, nil
@@ -576,6 +573,12 @@ func (p *ClaudeProvider) makeAPICallWithAuthRetry(ctx context.Context, req Claud
 		httpReq.Header.Set("anthropic-version", "2023-06-01")
 		httpReq.Header.Set("User-Agent", "HelixAgent/1.0")
 
+		// Add OAuth-specific headers for Claude Code OAuth tokens
+		if p.authType == AuthTypeOAuth {
+			httpReq.Header.Set("anthropic-beta", "oauth-2025-04-20")
+			httpReq.Header.Set("anthropic-product", "claude-code")
+		}
+
 		// Make request
 		resp, err := p.httpClient.Do(httpReq)
 		if err != nil {
@@ -745,6 +748,12 @@ func (p *ClaudeProvider) HealthCheck() error {
 	req.Header.Set(authHeaderName, authHeaderValue)
 	req.Header.Set("anthropic-version", "2023-06-01")
 
+	// Add OAuth-specific headers for Claude Code OAuth tokens
+	if p.authType == AuthTypeOAuth {
+		req.Header.Set("anthropic-beta", "oauth-2025-04-20")
+		req.Header.Set("anthropic-product", "claude-code")
+	}
+
 	resp, err := p.httpClient.Do(req)
 	if err != nil {
 		return fmt.Errorf("health check request failed: %w", err)
@@ -753,6 +762,10 @@ func (p *ClaudeProvider) HealthCheck() error {
 
 	// Claude API returns 400 for GET requests to messages endpoint (expected)
 	// We just check that the API is reachable and returns a response
+	// For OAuth tokens, 401 means the token is invalid/expired
+	if resp.StatusCode == http.StatusUnauthorized {
+		return fmt.Errorf("health check failed: unauthorized (token may be expired or invalid)")
+	}
 	if resp.StatusCode >= 500 {
 		return fmt.Errorf("health check failed with server error: %d", resp.StatusCode)
 	}