docs: update README and config for self-managed authentication

README.md

@@ -5,7 +5,6 @@ Reverse proxy that lets OpenCode (and similar tools) use a Claude subscription i
 ## Prerequisites
 
 - Go 1.26+
-- **Claude Code CLI** — installed and logged in (`claude auth login`). The proxy reads the OAuth token from `~/.claude/.credentials.json`.
 
 Optional: [Nix](https://nixos.org/) flake for dev shell (`nix develop`).
 
@@ -17,8 +16,15 @@ cp config.example.yaml config.yaml
 
 Edit `config.yaml`:
 - `api_keys` — key(s) your clients use to authenticate with the proxy
-- `claude_credentials` — path to your Claude credentials file
-- `claude_binary` — path to `claude` binary (used on startup to capture request fingerprint)
+- `claude_binary` — optional path to `claude` binary (used for request fingerprinting via sniff only)
+
+## Authentication
+
+On first run, if no credentials are found at `~/.claude/.credentials.json`, the proxy starts an OAuth login flow in your browser. Credentials are stored at `~/.claude/.credentials.json` (the same file Claude Code CLI uses). On subsequent runs, existing credentials are reused and refreshed automatically.
+
+If running headlessly (SSH/server), the authorization URL is printed to stdout and you can paste the authorization code manually.
+
+If you've already logged in with Claude Code CLI, the proxy will use the same credentials.
 
 ## Build and run
 

config.example.yaml

@@ -1,7 +1,6 @@
 port: 8082
 api_keys:
   - "your-proxy-api-key"
-claude_credentials: "~/.claude/.credentials.json"
 claude_binary: "claude"
 
 sanitize: