feat(ai): Authentication model for mokogitea-claude[bot] #369

Open
opened 2026-05-31 16:31:36 +00:00 by jmiller · 0 comments
Owner

Summary

Define how mokogitea-claude[bot] authenticates with Anthropic to use Claude.

Parent Issue

#359

Research Findings (May 2026)

Anthropic banned OAuth for third-party apps as of February 2026. OAuth tokens from Free/Pro/Max plans are exclusively for Claude Code and claude.ai. Using them in any other product violates their Consumer Terms of Service.

This means MokoGitea CANNOT use subscription passthrough OAuth. The bot must use API keys.

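References

  • Anthropic Bans Claude Subscription OAuth in Third-Party Apps (https://winbuzzer.com/2026/02/19/anthropic-bans-claude-subscription-oauth-in-third-party-apps-xcxwbn/)
  • Anthropic clarifies ban on third-party tool access (https://www.theregister.com/2026/02/20/anthropic_clarifies_ban_third_party_claude_access/)
  • BUG: Anthropic disabled OAuth tokens for third-party apps (https://github.com/anthropics/claude-code/issues/28091)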

What Works

| Approach | Status | Notes |
|---|---|---|
| OAuth passthrough (subscription in bot) | BANNED | ToS violation |
| API key from console.anthropic.com | REQUIRED | Pay-per-token |
| Individual devs running Claude Code locally | FINE | Their own subscription, direct usage |
| ANTHROPIC_AUTH_TOKEN (enterprise proxy) | ALLOWED | For routing through internal LLM gateway |

Upcoming: Agent SDK Credits (June 15, 2026)

Starting June 15, 2026, Agent SDK and claude -p (headless) usage on subscription plans draws from a new monthly Agent SDK credit, separate from interactive limits. If this applies to CI/bot usage under a Team plan, it could reduce API costs. Worth monitoring.

Implementation Plan

Phase 1: API Key (Now)

  • Org admin enters API key from console.anthropic.com
  • Stored encrypted in ai_org_setting table
  • mokogitea-claude[bot] uses this key for all AI actions in the org
  • Pay-per-token billing to the org's Anthropic account
  • Site admin can set a platform-wide fallback key

Phase 2: Enterprise Auth Token

  • Support ANTHROPIC_AUTH_TOKEN for orgs routing through their own LLM proxy
  • Useful for enterprise clients with centralized AI traffic management
  • Configured at site or org level

Phase 3: Monitor Agent SDK Credits

  • If Anthropic opens up subscription-based headless usage for bots/CI, add support
  • Watch for changes to their ToS and Agent SDK billing model
  • Could allow "Connect your Team plan" without ToS violation

Settings UI

Org Settings > AI Integration:

  • Auth method: [API Key] / [Enterprise Auth Token]
  • API Key: [sk-ant-...] (encrypted, masked after entry)
  • Model: [Claude Sonnet 4.6 v]
  • Monthly budget cap: [$___]
  • Status indicator: key valid/invalid, last used, tokens remaining

Cost Estimates (API pricing)

| Action | Typical Tokens | Est. Cost (Sonnet) |
|---|---|---|
| PR Review | 10-50k | $0.03-0.15 |
| Chat response | 5-20k | $0.01-0.06 |
| Coding agent | 100-500k | $0.30-1.50 |

Orgs can control costs via:

  • Model selection (Haiku for simple reviews, Sonnet for standard, Opus for complex)
  • Rate limits (requests/hour, tokens/month)
  • Budget caps with hard/soft limits

Individual Developer Experience

Developers running Claude Code locally in their repo clones:

  • Use their own Max/Pro subscription (direct usage, totally fine)
  • Read the same .mokogitea/CLAUDE.md the bot reads
  • No additional cost to the org for local usage
  • This is the free path for individual contributors

Dependencies

  • #362 (mokogitea-claude[bot])
  • #364 (AI settings UI)
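
Added example, not MokoGitea code: one way the Phase 1 plan (org key stored encrypted, site-wide fallback key) could be implemented with AES-256-GCM from the Go standard library. The function names, the `org:<id>` / `site` scope strings, and the in-memory `rows` map standing in for the ai_org_setting table are assumptions; the issue only states that the key is stored encrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// NewAEAD builds AES-256-GCM from a 32-byte master key kept outside the database.
func NewAEAD(master []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(master)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal binds the scope as associated data, so a row copied to another org cannot be opened.
func Seal(a cipher.AEAD, scope, secret string) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, []byte(secret), []byte(scope)), nil
}

// Open reverses Seal; it fails on tampering, truncation, or a scope mismatch.
func Open(a cipher.AEAD, scope string, blob []byte) (string, error) {
	n := a.NonceSize()
	if len(blob) < n {
		return "", fmt.Errorf("missing or truncated credential for scope %q", scope)
	}
	pt, err := a.Open(nil, blob[:n], blob[n:], []byte(scope))
	return string(pt), err
}

// Resolve prefers the org's own key; a present but unreadable org row is an error, not a fallback.
func Resolve(a cipher.AEAD, rows map[string][]byte, orgID int64) (string, error) {
	if scope := fmt.Sprintf("org:%d", orgID); rows[scope] != nil {
		return Open(a, scope, rows[scope])
	}
	return Open(a, "site", rows["site"]) // platform-wide fallback key
}

func main() { // constructed demo: all-zero master key, placeholder credential
	a, _ := NewAEAD(make([]byte, 32))
	blob, _ := Seal(a, "site", "sk-ant-EXAMPLE")
	fmt.Println(Resolve(a, map[string][]byte{"site": blob}, 42))
}
```

Because a corrupted or transplanted org row returns an error rather than falling through to the site key, a tampered record cannot silently shift an org's usage onto the platform-wide account.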
jmiller changed title from feat(ai): OAuth authentication for Claude Code (subscription-based, no API credits) to feat(ai): Authentication model for mokogitea-claude[bot] 2026-05-31 16:38:40 +00:00
Reference: MokoConsulting/MokoGitea#369