# Claude OAuth Not Working 401 Error - OpenClaw Fix

Fix Claude OAuth Not Working 401 Error in OpenClaw. Check login, callback URL, browser session, tokens, proxy setup, logs, and managed hosting options.

## The Problem

A Claude OAuth 401 error means OpenClaw tried to connect with Claude, but the authorization request was rejected.

In simple terms: OpenClaw asked Claude, "Is this user allowed?" and Claude said, "No proof. Try again."

| Where the 401 Happens | What It Usually Means |
|----------------------|----------------------|
| During Claude login | Wrong account, expired session, or browser issue |
| After OAuth approval | Callback URL or redirect problem |
| When sending a prompt | Expired token or Claude access issue |
| After restarting OpenClaw | Token or config was not saved properly |
| Only on a hosted domain | HTTPS, proxy, domain, or port issue |

A 401 error does not always mean OpenClaw is broken. Most of the time, the problem is OAuth setup, browser state, callback URL, or hosting configuration.

## Common Causes of Claude OAuth 401 Error

### 1. Expired Claude Login Session
OAuth links can expire. If you open the Claude authorization page and wait too long, the session may become invalid.

### 2. Wrong Claude Account
Most common cause. You may be logged into the wrong Claude account or authorizing from the wrong browser profile.

### 3. Broken Browser Cookies or Session
OAuth depends on browser session data. Old cookies, blocked third-party cookies, privacy extensions, or ad blockers can break the flow.

### 4. Callback URL Mismatch

| Issue | Example |
|-------|---------|
| Wrong protocol | `http://` instead of `https://` |
| Wrong host | `localhost` instead of your domain |
| Wrong port | OAuth expects one port, OpenClaw uses another |
| Changed tunnel URL | Old ngrok or Cloudflare Tunnel URL |
| Slash mismatch | `/callback` vs `/callback/` |

### 5. Localhost vs Public URL Conflict
OAuth starts from localhost but the callback returns to a public domain. OAuth wants one clean, consistent URL.

### 6. Expired or Invalid Token
Token may be expired, invalid, missing, or not refreshed correctly.

### 7. Reverse Proxy or HTTPS Problem
OpenClaw runs behind Nginx, Caddy, or Cloudflare but doesn't know its correct public URL.

### 8. Wrong Server Time
OAuth tokens depend on time. Wrong server clock makes valid tokens look expired.

## Fix 1: Start a Fresh Claude OAuth Flow

1. Close the Claude OAuth window
2. Go back to OpenClaw
3. Start the Claude connection again
4. Complete the authorization quickly
5. Do not refresh the callback page manually

## Fix 2: Use the Correct Claude Account

1. Log out of Claude
2. Open Claude in a clean browser profile or incognito window
3. Log in with the correct account
4. Go back to OpenClaw
5. Start Claude OAuth again

## Fix 3: Try Incognito or Another Browser

- Incognito/private mode
- Another browser
- Disabling ad blockers
- Disabling privacy extensions
- Allowing cookies
- Avoiding browser profile switching during OAuth

## Fix 4: Remove the Broken Claude Connection and Reconnect

1. Open OpenClaw settings
2. Find the Claude connection
3. Remove or disconnect it
4. Restart OpenClaw
5. Connect Claude again
6. Approve access
7. Test with one short prompt

## Fix 5: Check the Callback URL

Bad example:

```
http://localhost:3000/callback
```

When your hosted app actually runs on:

```
https://yourdomain.com/callback
```

Use one consistent URL from start to finish.

## Fix 6: Fix Localhost vs Hosted Domain Conflict

- Do not start OAuth from localhost and finish on a public domain
- Do not switch between IP address and domain
- Do not change ngrok or Cloudflare Tunnel URL during OAuth
- Use HTTPS for public deployments
- Restart OpenClaw after changing domain or URL settings

## Fix 7: Restart OpenClaw

```bash
openclaw restart
```

If using systemd:

```bash
sudo systemctl restart openclaw
```

If using Docker:

```bash
docker restart openclaw
```

## Fix 8: Check OpenClaw Logs

```bash
openclaw logs
```

For systemd:

```bash
journalctl -u openclaw -n 100 --no-pager
```

For Docker:

```bash
docker logs openclaw --tail=100
```

| Log Message | Meaning |
|-------------|---------|
| `401 Unauthorized` | Claude rejected the request |
| `invalid_token` | Token expired or rejected |
| `invalid_client` | OAuth client issue |
| `redirect_uri_mismatch` | Callback URL is wrong |
| `access_denied` | Access was denied or blocked |
| `state mismatch` | Browser session or OAuth state broke |
| `callback failed` | OpenClaw could not complete the OAuth return flow |

## Fix 9: Check Server Time

```bash
date
```

On Ubuntu:

```bash
timedatectl status
sudo timedatectl set-ntp true
```

## Fix 10: Check Proxy and HTTPS Setup

Important headers:
- `X-Forwarded-Proto`
- `X-Forwarded-Host`
- `X-Forwarded-For`

Also check:
- Your domain uses HTTPS
- Your public URL is stable
- Your reverse proxy is not rewriting the callback incorrectly
- Your tunnel URL has not changed
- OpenClaw knows the correct public URL

## Diagnose by Error Timing

| Error Timing | What to Check Next |
|--------------|-------------------|
| During login | Claude account, browser cookies, login session |
| After approval | Callback URL, domain, OAuth redirect |
| During prompt | Token, Claude access, saved connection |
| After restart | Token persistence, storage, environment config |
| Only on VPS/domain | HTTPS, proxy, public URL, port |
| Only locally | Localhost callback and browser session |

## What Not to Do

- Do not keep refreshing the callback URL
- Do not switch Claude accounts during OAuth
- Do not change domains or tunnel URLs mid-flow
- Do not delete your whole OpenClaw setup before checking logs
- Do not assume Claude or OpenClaw is broken before checking the exact failure point

## When to Stop Debugging and Use Managed OpenClaw Hosting

If you already checked everything but OAuth still keeps failing, your environment may be the real problem. Self-hosting OpenClaw means you manage server setup, ports, domains, HTTPS, reverse proxy, Docker, restart behavior, uptime, and token persistence. OAuth is sensitive to all of these.

## Easiest Fix: Run OpenClaw on Ampere.sh

Ampere.sh gives you managed OpenClaw hosting. With Ampere.sh, you can deploy OpenClaw faster, avoid manual server setup, reduce hosting and port issues, keep OpenClaw running continuously, and connect models from a cleaner setup flow.

Note: Ampere.sh cannot fix a wrong Claude account, expired Claude login, or denied Claude permission. But it can reduce the hosting and setup issues that often make OAuth harder than it needs to be.

[Run OpenClaw on Ampere.sh](https://www.ampere.sh/setup)

## FAQs

**Why does Claude OAuth show a 401 error in OpenClaw?**
Claude OAuth shows a 401 error when the authorization request is rejected. Common causes include expired login sessions, wrong Claude accounts, invalid tokens, callback URL mismatch, browser cookies, or hosting setup problems.

**Is Claude OAuth 401 always an OpenClaw bug?**
No. The issue can come from Claude login, OAuth session expiry, browser cookies, callback URL mismatch, reverse proxy setup, server time, or an invalid saved token.

**Why does Claude OAuth fail after approval?**
If OAuth fails after approval, the callback URL may be wrong, the domain may have changed, the server may not receive the callback, or a proxy may be changing the request.

**Can browser cookies cause Claude OAuth 401?**
Yes. Broken cookies, old sessions, privacy extensions, blocked popups, or multiple browser profiles can break OAuth. Try incognito or another browser.

**Can Ampere.sh fix Claude OAuth 401 errors?**
Ampere.sh can reduce hosting, deployment, port, uptime, and setup problems that make OAuth fail. It cannot fix wrong Claude login details or account permission issues.