MokoConsulting/MokoGitea-APP
1
0
Fork 0
Code Issues 159 Pull Requests Releases 96 Wiki Activity

feat(ai): Authentication model for mokogitea-claude[bot] #369

New Issue
Open
opened 2026-05-31 16:31:36 +00:00 by jmiller · 0 comments
jmiller commented 2026-05-31 16:31:36 +00:00
Owner
Copy Link
Copy Source

Summary

Define how mokogitea-claude[bot] authenticates with Anthropic to use Claude.

Parent Issue

#359

Research Findings (May 2026)

Anthropic banned OAuth for third-party apps as of February 2026. OAuth tokens from Free/Pro/Max plans are exclusively for Claude Code and claude.ai. Using them in any other product violates their Consumer Terms of Service.

This means MokoGitea CANNOT use subscription passthrough OAuth. The bot must use API keys.

References

What Works

Approach Status Notes
OAuth passthrough (subscription in bot) BANNED ToS violation
API key from console.anthropic.com REQUIRED Pay-per-token
Individual devs running Claude Code locally FINE Their own subscription, direct usage
ANTHROPIC_AUTH_TOKEN (enterprise proxy) ALLOWED For routing through internal LLM gateway

Upcoming: Agent SDK Credits (June 15, 2026)

Starting June 15, 2026, Agent SDK and claude -p (headless) usage on subscription plans draws from a new monthly Agent SDK credit, separate from interactive limits. If this applies to CI/bot usage under a Team plan, it could reduce API costs. Worth monitoring.

Implementation Plan

Phase 1: API Key (Now)

  • Org admin enters API key from console.anthropic.com
  • Stored encrypted in ai_org_setting table
  • mokogitea-claude[bot] uses this key for all AI actions in the org
  • Pay-per-token billing to the org's Anthropic account
  • Site admin can set a platform-wide fallback key

Phase 2: Enterprise Auth Token

  • Support ANTHROPIC_AUTH_TOKEN for orgs routing through their own LLM proxy
  • Useful for enterprise clients with centralized AI traffic management
  • Configured at site or org level

Phase 3: Monitor Agent SDK Credits

  • If Anthropic opens up subscription-based headless usage for bots/CI, add support
  • Watch for changes to their ToS and Agent SDK billing model
  • Could allow "Connect your Team plan" without ToS violation

Settings UI

Org Settings > AI Integration:

  • Auth method: [API Key] / [Enterprise Auth Token]
  • API Key: [sk-ant-...] (encrypted, masked after entry)
  • Model: [Claude Sonnet 4.6 v]
  • Monthly budget cap: [$___]
  • Status indicator: key valid/invalid, last used, tokens remaining

Cost Estimates (API pricing)

Action Typical Tokens Est. Cost (Sonnet)
PR Review 10-50k $0.03-0.15
Chat response 5-20k $0.01-0.06
Coding agent 100-500k $0.30-1.50

Orgs can control costs via:

  • Model selection (Haiku for simple reviews, Sonnet for standard, Opus for complex)
  • Rate limits (requests/hour, tokens/month)
  • Budget caps with hard/soft limits

Individual Developer Experience

Developers running Claude Code locally in their repo clones:

  • Use their own Max/Pro subscription (direct usage, totally fine)
  • Read the same .mokogitea/CLAUDE.md the bot reads
  • No additional cost to the org for local usage
  • This is the free path for individual contributors

Dependencies

  • #362 (mokogitea-claude[bot])
  • #364 (AI settings UI)
## Summary Define how mokogitea-claude[bot] authenticates with Anthropic to use Claude. ## Parent Issue #359 ## Research Findings (May 2026) **Anthropic banned OAuth for third-party apps** as of February 2026. OAuth tokens from Free/Pro/Max plans are exclusively for Claude Code and claude.ai. Using them in any other product violates their Consumer Terms of Service. This means MokoGitea CANNOT use subscription passthrough OAuth. The bot must use API keys. ### References - [Anthropic Bans Claude Subscription OAuth in Third-Party Apps](https://winbuzzer.com/2026/02/19/anthropic-bans-claude-subscription-oauth-in-third-party-apps-xcxwbn/) - [Anthropic clarifies ban on third-party tool access](https://www.theregister.com/2026/02/20/anthropic_clarifies_ban_third_party_claude_access/) - [BUG: Anthropic disabled OAuth tokens for third-party apps](https://github.com/anthropics/claude-code/issues/28091) ## What Works | Approach | Status | Notes | |---|---|---| | OAuth passthrough (subscription in bot) | BANNED | ToS violation | | API key from console.anthropic.com | REQUIRED | Pay-per-token | | Individual devs running Claude Code locally | FINE | Their own subscription, direct usage | | ANTHROPIC_AUTH_TOKEN (enterprise proxy) | ALLOWED | For routing through internal LLM gateway | ## Upcoming: Agent SDK Credits (June 15, 2026) Starting June 15, 2026, Agent SDK and `claude -p` (headless) usage on subscription plans draws from a new monthly Agent SDK credit, separate from interactive limits. If this applies to CI/bot usage under a Team plan, it could reduce API costs. Worth monitoring. ## Implementation Plan ### Phase 1: API Key (Now) - Org admin enters API key from console.anthropic.com - Stored encrypted in ai_org_setting table - mokogitea-claude[bot] uses this key for all AI actions in the org - Pay-per-token billing to the org's Anthropic account - Site admin can set a platform-wide fallback key ### Phase 2: Enterprise Auth Token - Support ANTHROPIC_AUTH_TOKEN for orgs routing through their own LLM proxy - Useful for enterprise clients with centralized AI traffic management - Configured at site or org level ### Phase 3: Monitor Agent SDK Credits - If Anthropic opens up subscription-based headless usage for bots/CI, add support - Watch for changes to their ToS and Agent SDK billing model - Could allow "Connect your Team plan" without ToS violation ## Settings UI Org Settings > AI Integration: - Auth method: [API Key] / [Enterprise Auth Token] - API Key: [sk-ant-...] (encrypted, masked after entry) - Model: [Claude Sonnet 4.6 v] - Monthly budget cap: [$___] - Status indicator: key valid/invalid, last used, tokens remaining ## Cost Estimates (API pricing) | Action | Typical Tokens | Est. Cost (Sonnet) | |---|---|---| | PR Review | 10-50k | $0.03-0.15 | | Chat response | 5-20k | $0.01-0.06 | | Coding agent | 100-500k | $0.30-1.50 | Orgs can control costs via: - Model selection (Haiku for simple reviews, Sonnet for standard, Opus for complex) - Rate limits (requests/hour, tokens/month) - Budget caps with hard/soft limits ## Individual Developer Experience Developers running Claude Code locally in their repo clones: - Use their own Max/Pro subscription (direct usage, totally fine) - Read the same .mokogitea/CLAUDE.md the bot reads - No additional cost to the org for local usage - This is the free path for individual contributors ## Dependencies - #362 (mokogitea-claude[bot]) - #364 (AI settings UI)
jmiller changed title from feat(ai): OAuth authentication for Claude Code (subscription-based, no API credits) to feat(ai): Authentication model for mokogitea-claude[bot] 2026-05-31 16:38:40 +00:00
Sign in to join this conversation.
Labels
Clear labels
breaking-change
Breaking API or behavior change
 ci-cd
CI/CD pipeline changes
 config
Configuration changes
 dependencies
Dependency updates
 deploy-failure
Deployment failed
 docker
Docker/container changes
 documentation
Documentation changes
 good first issue
Good for newcomers
 health-check
Repo health check result
 help wanted
Extra attention needed
 mokostandards
Related to MokoStandards framework
 push-failure
Git push operation failed
 security
Security vulnerability or hardening
 size/l
200-500 lines changed
 size/m
50-200 lines changed
 size/s
10-50 lines changed
 size/xl
500+ lines changed
 size/xs
< 10 lines changed
 standards-drift
Deviates from MokoStandards
 standards-update
MokoStandards compliance update
 sync-failure
Sync or mirror failed
 tech-debt
Technical debt and TODO/FIXME items
 upstream
upstream
Inherited from upstream Gitea
 work-in-progress
Draft or incomplete work
No labels
Priority Medium
Type Feature
Status
Priority
Type
Milestone
No items
No Milestone
Assignees
Clear assignees
jmiller (Jonathan Miller) moko-deploy (Moko Deploy Bot)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: MokoConsulting/MokoGitea-APP#369
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?