ultraworkers · bloodf · May 1, 2026
diff --git a/rust/Cargo.lock b/rust/Cargo.lock
diff --git a/rust/crates/api/src/client.rs b/rust/crates/api/src/client.rs
@@ -41,7 +41,14 @@ impl ProviderClient {
                     }
                     _ => OpenAiCompatConfig::openai(),
                 };
-                Ok(Self::OpenAi(OpenAiCompatClient::from_env(config)?))
+                // Try OAuth for OpenAI if env var is not set
+                if config.provider_name == "OpenAI" {
+                    Ok(Self::OpenAi(OpenAiCompatClient::from_env_or_oauth(
+                        config, "openai",
+                    )?))
+                } else {
+                    Ok(Self::OpenAi(OpenAiCompatClient::from_env(config)?))
+                }
             }
         }
     }

diff --git a/rust/crates/api/src/lib.rs b/rust/crates/api/src/lib.rs
@@ -18,9 +18,9 @@ pub use prompt_cache::{
     CacheBreakEvent, PromptCache, PromptCacheConfig, PromptCachePaths, PromptCacheRecord,
     PromptCacheStats,
 };
-pub use providers::anthropic::{AnthropicClient, AnthropicClient as ApiClient, AuthSource};
+pub use providers::anthropic::{has_auth_from_env_or_saved as anthropic_has_auth, AnthropicClient, AnthropicClient as ApiClient, AuthSource};
 pub use providers::openai_compat::{
-    build_chat_completion_request, flatten_tool_result_content, is_reasoning_model,
+    build_chat_completion_request, flatten_tool_result_content, has_api_key, is_reasoning_model,
     model_rejects_is_error_field, translate_message, OpenAiCompatClient, OpenAiCompatConfig,
 };
 pub use providers::{

diff --git a/rust/crates/api/src/providers/openai_compat.rs b/rust/crates/api/src/providers/openai_compat.rs
@@ -139,6 +139,31 @@ impl OpenAiCompatClient {
         Ok(Self::new(api_key, config))
     }
 
+    /// Create a client using an OAuth access token instead of an API key.
+    /// The token is sent as `Authorization: Bearer {token}`.
+    #[must_use]
+    pub fn from_oauth_token(token: impl Into<String>, config: OpenAiCompatConfig) -> Self {
+        Self::new(token, config)
+    }
+
+    /// Try env var first, then fall back to saved OAuth token for the provider.
+    /// `provider_id` is the key used in `~/.claw/credentials.json` under `oauth_providers`.
+    pub fn from_env_or_oauth(
+        config: OpenAiCompatConfig,
+        provider_id: &str,
+    ) -> Result<Self, ApiError> {
+        if let Some(api_key) = read_env_non_empty(config.api_key_env)? {
+            return Ok(Self::new(api_key, config));
+        }
+        if let Ok(Some(token_set)) = runtime::load_provider_oauth(provider_id) {
+            return Ok(Self::from_oauth_token(token_set.access_token, config));
+        }
+        Err(ApiError::missing_credentials(
+            config.provider_name,
+            config.credential_env_vars(),
+        ))
+    }
+
     #[must_use]
     pub fn with_base_url(mut self, base_url: impl Into<String>) -> Self {
         self.base_url = base_url.into();

diff --git a/rust/crates/runtime/Cargo.toml b/rust/crates/runtime/Cargo.toml
@@ -10,6 +10,7 @@ sha2 = "0.10"
 glob = "0.3"
 plugins = { path = "../plugins" }
 regex = "1"
+reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
 serde = { version = "1", features = ["derive"] }
 serde_json.workspace = true
 telemetry = { path = "../telemetry" }

diff --git a/rust/crates/runtime/src/lib.rs b/rust/crates/runtime/src/lib.rs
@@ -112,11 +112,13 @@ pub use mcp_stdio::{
     UnsupportedMcpServer,
 };
 pub use oauth::{
-    clear_oauth_credentials, code_challenge_s256, credentials_path, generate_pkce_pair,
-    generate_state, load_oauth_credentials, loopback_redirect_uri, parse_oauth_callback_query,
-    parse_oauth_callback_request_target, save_oauth_credentials, OAuthAuthorizationRequest,
-    OAuthCallbackParams, OAuthRefreshRequest, OAuthTokenExchangeRequest, OAuthTokenSet,
-    PkceChallengeMethod, PkceCodePair,
+    clear_oauth_credentials, clear_provider_oauth, code_challenge_s256, credentials_path,
+    generate_pkce_pair, generate_state, load_oauth_credentials, load_provider_oauth,
+    loopback_redirect_uri, open_browser, parse_oauth_callback_query,
+    parse_oauth_callback_request_target, poll_device_token, run_oauth_callback_server,
+    save_oauth_credentials, save_provider_oauth, DeviceAuthRequest, DeviceAuthResponse,
+    OAuthAuthorizationRequest, OAuthCallbackParams, OAuthCallbackResult, OAuthRefreshRequest,
+    OAuthTokenExchangeRequest, OAuthTokenSet, PkceChallengeMethod, PkceCodePair,
 };
 pub use permissions::{
     PermissionContext, PermissionMode, PermissionOutcome, PermissionOverride, PermissionPolicy,