Anthropic API proxy with OAuth credential rotation and Claude Code fingerprinting

Sniffs a real Claude Code request on startup to capture exact HTTP headers,
then replays them for all proxied requests. Injects the billing header with
per-request SHA256 fingerprint into the system prompt. Uses utls with Chrome
TLS fingerprint to pass Cloudflare's bot detection on api.anthropic.com.

Supports both streaming (SSE) and non-streaming modes, round-robin credential
selection with automatic failover, and loading OAuth tokens from both
cli-proxy-api auth files and native ~/.claude/.credentials.json.

internal/auth/types.go

@@ -0,0 +1,46 @@
+package auth
+
+import (
+	"sync"
+	"time"
+)
+
+// Credential represents an Anthropic API credential loaded from a JSON file.
+type Credential struct {
+	ID            string
+	Email         string
+	AccessToken   string
+	RefreshToken  string
+	ExpiresAt     time.Time
+	FilePath      string
+	CooldownUntil time.Time
+	mu            sync.Mutex
+}
+
+// IsExpired returns true if the credential's access token has expired.
+func (c *Credential) IsExpired() bool {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return time.Now().After(c.ExpiresAt)
+}
+
+// IsOnCooldown returns true if the credential is currently on cooldown.
+func (c *Credential) IsOnCooldown() bool {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return time.Now().Before(c.CooldownUntil)
+}
+
+// SetCooldown puts the credential on cooldown for the given duration.
+func (c *Credential) SetCooldown(duration time.Duration) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.CooldownUntil = time.Now().Add(duration)
+}
+
+// Token returns the current access token.
+func (c *Credential) Token() string {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	return c.AccessToken
+}