Skip to content
InnovateTechie
Claude Code

How to Authenticate Claude Code in the Terminal

InnovateTechieBy InnovateTechie10 min read
Share
How to authenticate Claude Code in the terminal — the /login OAuth browser handshake and the ANTHROPIC_API_KEY alternative

Part ofWhat Is Claude Code? The Complete Guide

Authenticate Claude Code in the terminal: the /login browser handshake, the API-key route, headless CI tokens and fixes for auth failures.

To authenticate Claude Code in the terminal, run claude and type /login: a browser tab opens, you sign in with your Claude.ai account, and the CLI stores the OAuth token. No browser? Set ANTHROPIC_API_KEY or run claude setup-token for a long-lived credential. Subscription login bills your plan; the key bills per token.

We sign in to Claude Code several times a week — new laptops, CI runners, a VPS, the occasional stubborn WSL2 setup — so this guide is the checklist we actually use, not a paraphrase of the docs. If you're still deciding whether the tool is for you at all, start with our pillar guide, What Is Claude Code? — everything below assumes the CLI is installed (if it isn't, our guide to the Node.js version Claude Code needs covers the prerequisites first) and you just need to authenticate Claude Code in the terminal.

How to authenticate Claude Code in the terminal with OAuth

The default Claude Code login is an OAuth handshake between your terminal and your browser. Anthropic's authentication documentation lists every supported method, but the browser flow is the one nine out of ten people need. The whole sequence:

  1. Run claude in any project directory. The terminal prompts you to authenticate Claude Code on first run and asks which login method you want.
  2. Pick your account type. "Claude account with subscription" bills your existing Pro or Max plan. "Claude Console account" authenticates against Anthropic's developer console and bills API credits instead.
  3. Approve in the browser. A tab opens, you sign in, you click Authorize, and the token lands back in the terminal on its own. Done.
  4. No browser opened? Press c to copy the login URL, then paste it into any browser yourself. Same result.
  5. Browser showed a code instead of redirecting? Copy it and paste it at the terminal's "Paste code here if prompted" prompt. That's the designed fallback in WSL2, SSH sessions, and containers — not a bug.

Already inside a session? Type /login to re-run the flow without restarting; that's also the account-switching command we'll come back to. The credential persists — macOS stores it in the Keychain, Linux and Windows keep it under ~/.claude — so you authenticate Claude Code in the terminal once per machine, not once per day. For everything /login sits alongside, our Claude Code CLI documentation guide maps the full slash-command set.

Here are all four supported methods at a glance:

MethodHow it worksBills againstBest for
Claude.ai account (OAuth)/login → browser → authorizePro or Max subscriptionDaily interactive coding
Claude Console account (OAuth)Same flow, Console credentialsAPI credits, per tokenTeams billing through Console
ANTHROPIC_API_KEYEnvironment variable, no browserAPI credits, per tokenScripts, servers, CI
claude setup-tokenOne browser login → year-long tokenPro or Max subscriptionHeadless machines, pipelines

Claude Code terminal OAuth login flow — the /login command opening a browser handshake to authenticate Claude Code

Claude Code API key setup: the ANTHROPIC_API_KEY route

You can also authenticate Claude Code in the terminal without any browser involvement: generate a key at Anthropic's developer console (platform.claude.com), export it, and the CLI picks it up silently.

export ANTHROPIC_API_KEY=sk-ant-...        # macOS / Linux
$env:ANTHROPIC_API_KEY = "sk-ant-..."      # Windows PowerShell

Three things to know before committing to this Claude Code API key setup:

  1. The key wins every conflict. If ANTHROPIC_API_KEY is set, Claude Code uses it — even while you're logged in with a subscription, and even after /logout. This is the single most common billing surprise we see.
  2. Billing is metered per token, at standard Anthropic API rates, with no monthly ceiling. A heavy refactoring day can cost more than a month of the Pro plan.
  3. Keys belong in secret managers, not in dotfiles committed to git. Treat one like a password, because functionally it is one.

Subscription or API key: which should you choose?

This is really a billing decision wearing an authentication costume — how you authenticate Claude Code in the terminal decides which meter runs. We use both: subscription login on our laptops, an API key inside automation.

Subscription login (OAuth)API key (ANTHROPIC_API_KEY)
Cost modelFlat monthly: Pro $20, Max 5x $100, Max 20x $200Per million tokens: Claude Sonnet 4.6 $3/$15, Claude Opus 4.8 $5/$25, Claude Haiku 4.5 $1/$5
PredictabilityFixed bill; usage limits reset in 5-hour windowsBill scales with usage; no session caps
Setup effort/login, browser, thirty secondsConsole account, key creation, env var
Best forIndividuals coding dailyCI pipelines, scripts, bursty team workloads

The crossover math is short: if you'd burn more than $20 a month at per-token rates — most daily users clear that in a week — a subscription wins. Our Claude Max breakdown covers when the 5x and 20x tiers pay off, and the full per-model rate card lives in our Anthropic Claude API pricing guide. Lighter users are often fine on the Claude Pro plan; heavy Claude Opus 4.8 users should run the numbers twice.

Switching accounts and logging out

Switching between a work and personal Claude Code login takes two commands inside any session. /logout clears the stored token; /login lets you authenticate Claude Code in the terminal again, restarting the browser handshake where you pick the other account. Then run /status and read what it reports — active account, auth method, and whether anything is overriding them.

That last check matters because of a trap that catches nearly everyone once: /logout clears your OAuth token but leaves ANTHROPIC_API_KEY untouched. If the variable is exported, Claude Code keeps working after logout and quietly bills the API instead of asking you to sign in. Run unset ANTHROPIC_API_KEY, remove the line from your shell profile, and you can authenticate Claude Code in the terminal with the account you actually meant to use.

Headless, SSH, and CI: terminal-only authentication

Servers, containers, and pipelines can't pop a browser tab, and in our experience this is where most Claude Code authentication questions actually come from. You can still authenticate Claude Code in a terminal-only environment three ways — each is a different answer to how you sign in to Claude Code from the terminal:

  1. claude setup-token for subscription billing. Run it once on a machine that has a browser, complete the OAuth login, and it prints a long-lived token — valid for about a year — tied to your subscription. Export it as CLAUDE_CODE_OAUTH_TOKEN on the headless box or in CI secrets, and every non-interactive run authenticates without prompting.
  2. ANTHROPIC_API_KEY as a CI secret. The right call when the pipeline should bill a shared team account rather than one engineer's plan. Store it in GitHub Actions secrets or your CI's equivalent, never in the repository.
  3. The paste-code fallback over SSH. Run /login in the SSH session, press c to copy the URL, open it in your local browser, and paste the resulting code back into the remote terminal. One macOS-remote gotcha: the Keychain must be unlocked in that SSH session (security unlock-keychain), or the token can't be saved and the CLI re-prompts forever.

Claude Code headless authentication — claude setup-token generating a long-lived CLAUDE_CODE_OAUTH_TOKEN for CI pipelines

Common authentication failures and the quick fixes

Failed attempts to authenticate Claude Code in the terminal cluster into a handful of repeating patterns. Anthropic's installation and authentication troubleshooting guide has the official steps; this is the field version, ordered by how often each one has bitten us:

SymptomLikely causeQuick fix
OAuth error: Request failed with status code 500Server-side fault mid-handshakeCheck status.claude.com, retry, clear the ~/.claude cache — full walkthrough in our OAuth 500 guide
"Authorization failed" / internal server errorAuth server incident or stale local stateUpdate the CLI, re-run /login — steps in our authorization failed fix
Asked to log in every single dayKeychain access denied, or corrupted cacheGrant your terminal Keychain access; delete stale state under ~/.claude
Can't paste the auth codeTerminal intercepting the paste shortcutUse right-click paste or the terminal's Edit menu, then retry /login
Logged out, still billed API ratesANTHROPIC_API_KEY still exportedunset ANTHROPIC_API_KEY, restart the session
Browser shows a code, terminal keeps waitingNo callback path (WSL2, SSH, container)Paste the code at the prompt — that's the intended flow

One habit saves more time than any table: when login misbehaves, run /status before touching configuration. It tells you which credential Claude Code is actually using, and nine times out of ten the "mystery" is an environment variable somebody exported months ago. Get that reflex down and you can authenticate Claude Code in the terminal — or un-stick it — in under a minute.

Claude pricing at a glance

PlanPrice
Free$0
Pro$20 / month
Maxfrom $100 / month
APIPay per token

For the full breakdown of every plan, see our how much Claude costs guide.

Frequently Asked Questions

Your subscription is enough. Choose "Claude account" during /login, sign in with your Claude.ai credentials, and usage bills against your Pro or Max plan — no API key required. Keys are only necessary for pay-per-token billing or automation. Claude Code has no free tier either way; see [Is Claude Code Free?](/is-claude-code-free)

Daily re-login usually means Claude Code cannot persist its token. On macOS, grant the terminal Keychain access; corrupted state in ~/.claude is the next suspect, so clear the cache and log in once more. Also check for a stray ANTHROPICAPIKEY or an expired setup-token in your shell profile.

Run claude setup-token on any machine with a browser, then export the result as CLAUDECODEOAUTHTOKEN on the headless box — the token lasts about a year and bills your subscription. Alternatively, set ANTHROPICAPIKEY for pay-per-token billing. Over SSH, the paste-code fallback during /login also works.

Yes. When that environment variable is set, Claude Code uses it and bills API credits per token — even if you logged in with a subscription, and even after /logout. If you meant to use your plan, unset the variable, remove it from your shell profile, and restart the session.

On macOS, tokens go into the system Keychain; on Linux and Windows they live in your Claude Code configuration under ~/.claude. That's why keychain permission prompts matter — deny one and the token can't persist. Deleting the stored credential file logs you out completely, same as running /logout.

Run /status inside a session. It reports the active account, the authentication method in use, and — most useful of all — whether an API key is overriding your subscription login. We check it whenever billing looks wrong, because the answer is usually an environment variable nobody remembers exporting three months ago.

Yes. Claude Code supports enterprise authentication through Amazon Bedrock and Google Vertex AI, using your cloud provider's IAM credentials rather than an Anthropic login. You enable it with environment variables such as CLAUDECODEUSEBEDROCK=1. Billing then flows through your AWS or Google Cloud account, not Anthropic.
InnovateTechie

Written by

InnovateTechie

Writing about Claude and the Anthropic toolkit — models, Claude Code, pricing, features, and fixes, in clear, practical, hands-on guides tested by daily use.

View all posts →