Ampere
Ampere.sh

Claude OAuth Not Working - 401 Error - OpenClaw Fix

Seeing Claude OAuth Not Working 401 Error in OpenClaw? This usually means Claude rejected the OAuth request because of a login, token, callback URL, browser, or setup issue. Here's how to fix it.

Try OpenClaw Free

The Problem

A Claude OAuth 401 error means OpenClaw tried to connect with Claude, but the authorization request was rejected.

In simple terms: OpenClaw asked Claude, "Is this user allowed?" and Claude said, "No proof. Try again."

This can happen during:

Where the 401 HappensWhat It Usually Means
During Claude loginWrong account, expired session, or browser issue
After OAuth approvalCallback URL or redirect problem
When sending a promptExpired token or Claude access issue
After restarting OpenClawToken or config was not saved properly
Only on a hosted domainHTTPS, proxy, domain, or port issue

A 401 error does not always mean OpenClaw is broken. Most of the time, the problem is OAuth setup, browser state, callback URL, or hosting configuration. For other OAuth issues, see our OAuth error guide.

Quick Diagnosis (Try This First)

Before reading through every cause and fix, check these 5 things. They catch 80% of 401 errors:

  1. Are you signed into the right Claude account? Open claude.ai in a new tab and verify the account matches what you want OpenClaw to use.
  2. Is your callback URL consistent? Check that the URL where OAuth starts is the same one Claude redirects back to. No localhost-vs-domain switching mid-flow.
  3. Did you wait too long on the approval page? If yes, close it and start a fresh OAuth flow.
  4. Is your server clock correct? Run date on your server. If it's off, tokens will look expired.
  5. Try incognito mode. Eliminates cookies, extensions, and browser profile conflicts in one move.

If any of these don't check out, jump straight to the matching fix below.

Common Causes of Claude OAuth 401 Error

Eight causes, grouped by where the problem actually lives:

Account & Login Issues

1. Expired Claude Login Session

OAuth links can expire. If you open the Claude authorization page and wait too long, the session may become invalid. Signs: OAuth page opens but fails after approval, login worked once but fails on retry, refreshing the callback page shows an error.

2. Wrong Claude Account

One of the most common causes. You may be logged into the wrong Claude account, using a different email in Claude and OpenClaw, authorizing from the wrong browser profile, or switching between Google accounts during OAuth. If you're trying API-based Claude access instead of OAuth, see our Claude API connection guide.

3. Broken Browser Cookies or Session

OAuth depends on browser session data. Old Claude cookies, blocked third-party cookies, privacy extensions, ad blockers, pop-up blockers, or browser profile conflicts can all break the flow.

URL & Callback Issues

4. Callback URL Mismatch

OAuth needs the callback URL to match correctly. Common mismatches:

IssueExample
Wrong protocolhttp:// instead of https://
Wrong hostlocalhost instead of your domain
Wrong portOAuth expects one port, OpenClaw uses another
Changed tunnel URLOld ngrok or Cloudflare Tunnel URL
Slash mismatch/callback vs /callback/

If you've recently changed ports, see our port change guide.

5. Localhost vs Public URL Conflict

This happens when OpenClaw starts OAuth from localhost but the callback returns to a public domain, tunnel, or VPS URL. Example: OAuth starts from http://localhost:3000 but callback returns to https://yourdomain.com/callback. OAuth wants one clean, consistent URL.

Server & Hosting Issues

6. Expired or Invalid Token

Claude OAuth may fail if the saved token is expired, invalid, missing, or not refreshed correctly. This often happens when the first OAuth attempt failed, the saved Claude connection is broken, OpenClaw restarted and lost connection state, or token storage is not persistent.

7. Reverse Proxy or HTTPS Problem

If OpenClaw runs behind Nginx, Caddy, Cloudflare, or another proxy, OAuth may fail if the app does not know its correct public URL. HTTPS works in the browser but OpenClaw thinks it's HTTP, the proxy doesn't forward the original host, callback URL is generated incorrectly, or the tunnel URL changed after setup.

8. Wrong Server Time

OAuth tokens depend on time. If your VPS or container clock is wrong, valid tokens can look expired. Rare but real.

Fix 1: Start a Fresh Claude OAuth Flow

Use this when the error happens during login or approval.

  1. Close the Claude OAuth window
  2. Go back to OpenClaw
  3. Start the Claude connection again
  4. Complete the authorization quickly
  5. Do not refresh the callback page manually

This fixes expired OAuth sessions and broken login attempts.

Fix 2: Use the Correct Claude Account

Use this if you have multiple Claude, Google, or email accounts.

  1. Log out of Claude
  2. Open Claude in a clean browser profile or incognito window
  3. Log in with the correct account
  4. Go back to OpenClaw
  5. Start Claude OAuth again

Make sure the Claude account you approve is the same one you want OpenClaw to use.

Fix 3: Try Incognito or Another Browser

Use this when OAuth keeps looping, failing, or showing a 401 after approval. Try:

  • Incognito/private mode
  • Another browser
  • Disabling ad blockers
  • Disabling privacy extensions
  • Allowing cookies
  • Avoiding browser profile switching during OAuth

This helps remove old cookies and broken session data from the flow. For browser-extension specific issues, see our browser extension relay guide.

Fix 4: Remove the Broken Claude Connection and Reconnect

Use this if the first OAuth attempt failed and every retry keeps failing.

  1. Open OpenClaw settings
  2. Find the Claude connection
  3. Remove or disconnect it
  4. Restart OpenClaw
  5. Connect Claude again
  6. Approve access
  7. Test with one short prompt

A broken saved connection can keep causing the same 401 error.

Tired of debugging OAuth flows?

Ampere.sh handles Claude integration in the dashboard. Sign in once, OAuth is configured for you - no callback URLs, no proxy headers to wrestle with.

Try Managed OpenClaw - 7 Days Free

Where to Find Your Callback URL

Before fixing it, you need to know what callback URL OpenClaw is actually using. Three ways to find it:

1. From the OpenClaw config:

openclaw config get gateway.publicUrl openclaw config get integrations.claude.callbackUrl

2. From the dashboard: Open the OpenClaw dashboard (default http://127.0.0.1:18789), go to Integrations, select Claude, and check the displayed callback URL.

3. From the OAuth error page: If you got redirect_uri_mismatch in the URL bar, the URL Claude received is in that error message. Compare it to what your Claude app config expects.

Once you know the URL, the next fix tells you what to check.

Fix 5: Check the Callback URL

Use this when OAuth fails after Claude approval or redirects to an error page.

Check that OpenClaw is using the correct callback URL. Look for:

  • Correct domain
  • Correct protocol: https:// for public setups
  • Correct port
  • No old tunnel URL
  • No mismatch between localhost, IP address, and domain

Bad example:

http://localhost:3000/callback

When your hosted app actually runs on:

https://yourdomain.com/callback

Use one consistent URL from start to finish.

Fix 6: Fix Localhost vs Hosted Domain Conflict

Use this if OpenClaw is running on a VPS, tunnel, or reverse proxy. Do this:

  • Do not start OAuth from localhost and finish on a public domain
  • Do not switch between IP address and domain
  • Do not change ngrok or Cloudflare Tunnel URL during OAuth
  • Use HTTPS for public deployments
  • Restart OpenClaw after changing domain or URL settings

Fix 7: Restart OpenClaw

Use this after changing OAuth settings, callback URL, proxy setup, or environment variables.

openclaw restart

If using systemd:

sudo systemctl restart openclaw

If using Docker:

docker restart openclaw

Use the command that matches your setup. See our Docker setup guide if you're not sure which one you're using.

Fix 8: Check OpenClaw Logs

Use this when you need the real reason behind the 401 error.

openclaw logs

For systemd:

journalctl -u openclaw -n 100 --no-pager

For Docker:

docker logs openclaw --tail=100

Look for messages like:

Log MessageMeaning
401 UnauthorizedClaude rejected the request
invalid_tokenToken expired or rejected
invalid_clientOAuth client issue
redirect_uri_mismatchCallback URL is wrong
access_deniedAccess was denied or blocked
state mismatchBrowser session or OAuth state broke
callback failedOpenClaw could not complete the OAuth return flow

The logs usually tell you whether the problem is account, token, callback, browser, or hosting related.

Fix 9: Check Server Time

Use this if tokens fail even after reconnecting Claude.

Check server time:

date

On Ubuntu, check time sync:

timedatectl status

Enable time sync:

sudo timedatectl set-ntp true

If the server time is wrong, OAuth tokens may fail because Claude sees them as expired or invalid.

Fix 10: Check Proxy and HTTPS Setup

Use this if Claude OAuth works locally but fails on your domain.

Check that your proxy forwards the correct protocol and host. Important headers:

  • X-Forwarded-Proto
  • X-Forwarded-Host
  • X-Forwarded-For

Also check:

  • Your domain uses HTTPS
  • Your public URL is stable
  • Your reverse proxy is not rewriting the callback incorrectly
  • Your tunnel URL has not changed
  • OpenClaw knows the correct public URL

This matters most for Nginx, Caddy, Cloudflare Tunnel, ngrok, and VPS setups. See our VPS install guide for full proxy configuration.

Nginx example:

location / { proxy_pass http://127.0.0.1:18789; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; }

Caddy example:

yourdomain.com { reverse_proxy 127.0.0.1:18789 { header_up X-Forwarded-Proto https header_up X-Forwarded-Host {host} } }

After updating the proxy config, restart it and restart OpenClaw so the new headers take effect.

Diagnose by Error Timing

Error TimingWhat to Check Next
During loginClaude account, browser cookies, login session
After approvalCallback URL, domain, OAuth redirect
During promptToken, Claude access, saved connection
After restartToken persistence, storage, environment config
Only on VPS/domainHTTPS, proxy, public URL, port
Only locallyLocalhost callback and browser session

What Not to Do

Avoid these:

  • Do not keep refreshing the callback URL
  • Do not switch Claude accounts during OAuth
  • Do not change domains or tunnel URLs mid-flow
  • Do not delete your whole OpenClaw setup before checking logs
  • Do not assume Claude or OpenClaw is broken before checking the exact failure point

When to Stop Debugging and Use Managed OpenClaw Hosting

If you already checked the Claude account, browser session, callback URL, logs, server time, HTTPS, and proxy setup, but OAuth still keeps failing, your environment may be the real problem.

Self-hosting OpenClaw gives you control, but it also means you manage:

  • Server setup
  • Ports
  • Domains
  • HTTPS
  • Reverse proxy
  • Docker or system services
  • Restart behavior
  • Uptime
  • Token persistence

OAuth is sensitive to all of these. One wrong URL, proxy header, or tunnel change can break the entire flow. See our managed vs self-hosted comparison if you're weighing the tradeoffs.

Easiest Fix: Run OpenClaw on Ampere.sh

The easiest way to avoid many OpenClaw setup problems is to run OpenClaw on Ampere.sh.

Ampere.sh gives you managed OpenClaw hosting so you can spend less time dealing with servers, ports, Docker, uptime, and deployment setup. With Ampere.sh, you can:

  • Deploy OpenClaw faster
  • Avoid manual server setup
  • Reduce hosting and port issues
  • Keep OpenClaw running continuously
  • Connect models and tools from a cleaner setup flow
  • Focus on workflows instead of server debugging

Important: Ampere.sh cannot fix a wrong Claude account, expired Claude login, or denied Claude permission. But it can reduce the hosting and setup issues that often make OAuth harder than it needs to be.

Run OpenClaw on Ampere.sh

Frequently Asked Questions

Why does Claude OAuth show a 401 error in OpenClaw?
Claude OAuth shows a 401 error when the authorization request is rejected. Common causes include expired login sessions, wrong Claude accounts, invalid tokens, callback URL mismatch, browser cookies, or hosting setup problems.
Is Claude OAuth 401 always an OpenClaw bug?
No. The issue can come from Claude login, OAuth session expiry, browser cookies, callback URL mismatch, reverse proxy setup, server time, or an invalid saved token.
Why does Claude OAuth fail after approval?
If OAuth fails after approval, the callback URL may be wrong, the domain may have changed, the server may not receive the callback, or a proxy may be changing the request.
Can browser cookies cause Claude OAuth 401?
Yes. Broken cookies, old sessions, privacy extensions, blocked popups, or multiple browser profiles can break OAuth. Try incognito or another browser.
Can Ampere.sh fix Claude OAuth 401 errors?
Ampere.sh can reduce hosting, deployment, port, uptime, and setup problems that make OAuth fail. It cannot fix wrong Claude login details or account permission issues.
How do I know if my callback URL is wrong?
OpenClaw logs will show a redirect_uri_mismatch error. Also compare the URL OpenClaw is using against what your Claude integration expects - same protocol (http vs https), same host, same port, same path with no trailing slash differences.
What if my OAuth works locally but fails on my domain?
This usually means your reverse proxy is not forwarding the correct protocol or host headers, so OpenClaw thinks it's running on http://localhost instead of https://yourdomain.com. Set X-Forwarded-Proto and X-Forwarded-Host correctly in Nginx, Caddy, or Cloudflare.

Also Read

Fix OpenClaw OAuth Error: Antigravity Auth Guide
Troubleshooting

Fix OpenClaw OAuth Error: Antigravity Auth Guide

How to Use Claude API With OpenClaw
Integration

How to Use Claude API With OpenClaw

10 minMay 21, 2026
OpenClaw Bot Not Responding? Fix API Key & Gateway Issues
Guide

OpenClaw Bot Not Responding? Fix API Key & Gateway Issues

Michael Park

Written by

Michael Park

Senior Technical Writer & DevRel

Michael creates comprehensive installation and setup guides for developers and system administrators. With experience across Linux, macOS, Windows, and embedded systems, he has written over 200 technical tutorials used by millions of developers. He focuses on clear, step-by-step instructions that work the first time, covering everything from Raspberry Pi to enterprise servers.

Skip the OAuth debugging

Ampere.sh handles Claude integration and hosting setup. Less server wrestling, more workflow building. 7-day free trial.

Start Free Trial