Connect Claude Code

Point Claude Code at your tenant’s proxy URL and let the agent-runner-auth helper handle authentication. After the first browser login, sessions run silently.

Install agent-runner-auth

Platform	Install
macOS (Apple Silicon + Intel)	`brew install copebit/tap/agent-runner-auth`
Linux (Debian/Ubuntu)	apt repo: `deb https://apt.agent-runner.io stable main`
Linux (other)	Direct binary download from releases
Windows	`winget install copebit.AgentRunnerAuth`

Authenticate


agent-runner-auth login

A browser opens for the Cognito PKCE flow. Access and refresh tokens are stored in your OS keychain (Keychain on macOS, libsecret/pass on Linux, Credential Manager on Windows).

Configure Claude Code

Add these to ~/.claude/settings.json:


{
  "env": {
    "ANTHROPIC_BASE_URL": "https://<your-slug>.proxy.<domain>/anthropic/v1",
    "CLAUDE_CODE_API_KEY_HELPER_TTL_MS": "3300000"
  },
  "apiKeyHelper": "agent-runner-auth token"
}

CLAUDE_CODE_API_KEY_HELPER_TTL_MS is 55 minutes — just under the one-hour access-token TTL — so Claude Code refreshes proactively and you never hit a mid-session browser popup.

Start working

Run claude. Before each session Claude Code calls agent-runner-auth token, which prints a valid access token to stdout (refreshing silently if needed). All status output goes to stderr.

If ANTHROPIC_API_KEY or ANTHROPIC_AUTH_TOKEN are set in your shell from a prior direct-Anthropic setup, Claude Code uses them instead of apiKeyHelper. Clear them first:


unset ANTHROPIC_API_KEY ANTHROPIC_AUTH_TOKEN

How `agent-runner-auth token` behaves

Case	Condition	Behavior	Wall-clock
Token cached	Valid access token in keychain	Print to stdout, exit 0	~50ms
Silent refresh	Access token expired, refresh token valid	Refresh grant → write new tokens → print	~300ms
Interactive PKCE	No valid tokens, TTY + display	Loopback listener → browser → exchange → print	~15–30s
Non-interactive	No valid tokens, no TTY or `$CI` set	Error to stderr, exit 1	~50ms

See CLI & Auth for the full command reference.