Skip to content

Correct stale headroom OAuth-credential claim in ADR-0023#103

Merged
lsfera merged 1 commit into
mainfrom
docs/headroom-oauth-verified
Jul 6, 2026
Merged

Correct stale headroom OAuth-credential claim in ADR-0023#103
lsfera merged 1 commit into
mainfrom
docs/headroom-oauth-verified

Conversation

@lsfera

@lsfera lsfera commented Jul 5, 2026

Copy link
Copy Markdown
Owner

Summary

  • ADR-0023 and a docker-compose.yml comment claimed CLAUDE_CODE_OAUTH_TOKEN doesn't work with the headroom compression proxy and that it needs its own ANTHROPIC_API_KEY. That was true against an earlier design assumption, but the pinned ghcr.io/chopratejas/headroom:latest image (currently v0.27.0) has since added an auth-mode classifier that treats Claude Code's OAuth bearer token as a first-class "SUBSCRIPTION" case and forwards it upstream unchanged — compression runs via a local ONNX model, not a live LLM call, so no proxy-owned credential is needed.
  • Corrected via a dated addendum to ADR-0023 (not rewriting the original text) and a corrected docker-compose.yml comment.

Verification

  • Read the running proxy container's actual source (proxy/auth_mode.py, proxy/handlers/anthropic.py, transforms/compression_policy.py) to confirm the OAuth-passthrough behavior.
  • Live round trip: two POST /v1/messages requests to the proxy authenticated with only CLAUDE_CODE_OAUTH_TOKEN (no ANTHROPIC_API_KEY in the request) — both returned genuine 200s from real Anthropic infra, correctly attributed to the claude-code agent in the proxy's own /stats.
  • Docs-only change — no code paths affected; no test suite changes needed.

🤖 Generated with Claude Code

…compose.yml

ADR-0023 stated CLAUDE_CODE_OAUTH_TOKEN "does NOT work" with the headroom
proxy and that it needs its own ANTHROPIC_API_KEY to perform compression.
That was true for an earlier assumption about the proxy's design, but the
currently pinned ghcr.io/chopratejas/headroom:latest image (v0.27.0) has
since grown an auth-mode classifier that treats Claude Code's OAuth bearer
token as a first-class "SUBSCRIPTION" case, forwards it upstream unchanged,
and compresses via a local ONNX model rather than a live LLM call — so no
proxy-owned credential is needed either way.

Verified via direct source read of the running container
(proxy/auth_mode.py, proxy/handlers/anthropic.py, transforms/
compression_policy.py) plus a live round trip: two POST /v1/messages
requests authenticated with only CLAUDE_CODE_OAUTH_TOKEN (no
ANTHROPIC_API_KEY presented) returned genuine 200 responses from real
Anthropic infra and were correctly attributed to the claude-code agent
in the proxy's own /stats output.

Adds a dated addendum to ADR-0023 rather than rewriting the original
text, and corrects the docker-compose.yml comment to mark
ANTHROPIC_API_KEY as optional for this path.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@lsfera lsfera merged commit 29e98fe into main Jul 6, 2026
3 checks passed
@lsfera lsfera deleted the docs/headroom-oauth-verified branch July 6, 2026 08:54
lsfera added a commit that referenced this pull request Jul 6, 2026
…#104)

Follow-up to #103, which corrected ADR-0023 and the docker-compose.yml
comment but missed the README's user-facing "Context compression
(headroom)" section — the more prominent doc most adopters actually
read. It still claimed ANTHROPIC_API_KEY was required and that OAuth
survival through the proxy was unverified; both are now known false
per ADR-0023's 2026-07-05 addendum (source-verified + live-tested).

Co-authored-by: Claude Sonnet 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant