Alexander
0df28e9dd8
- Unify duplicate uTLS transports into shared internal/transport package - Extract shared version constant into internal/version - Move LoadDefaultCredentials from config to auth (remove config→auth import) - Deduplicate handler.go: extract telemetry/error helpers (324→268 lines) - Break up main.go::run() into initCredential/initEmbedded - Eliminate logging.Config duplication (use config.LoggingConfig directly) - Extract logWriter to embedded/log.go, SSE fixtures to consts in sniff.go - Use uTLS client for usage polling (consistent TLS fingerprint) - Handle sjson.SetBytes errors in sanitize.go instead of silently swallowing - Document reverse-engineered magic values in billing.go - Unexport Credential.CooldownUntil (internal state) - Replace hardcoded auth bypass paths with map in server.go
anthropic-proxy
Reverse proxy for the Anthropic Messages API that authenticates with a Claude subscription (OAuth) instead of an API key. Lets you use tools like OpenCode through your existing Claude Pro/Team plan.
How it works
Clients send standard Anthropic API requests to the proxy. The proxy authenticates upstream using OAuth credentials from your Claude subscription, forwards the request, and streams the response back. Requests are optionally sanitized (tool name remapping, string replacement) before forwarding and de-sanitized on return.
Features
- OAuth credential management — reuses
~/.claude/.credentials.json, auto-refreshes tokens - Request sanitization — rename tools, replace strings in system prompts and body (configurable, hot-reloadable)
- Rate limit tracking — polls Anthropic usage API and reads response headers to track 5h/7d utilization windows
- OpenTelemetry metrics — request counts, latency, token usage, errors (optional OTLP export)
- Structured logging — zerolog with file rotation via lumberjack
Quick start
cp config.example.yaml config.yaml
# edit config.yaml — set api_keys and optionally claude_binary
go build -o anthropic-proxy .
./anthropic-proxy
On first run, if no credentials exist at ~/.claude/.credentials.json, an OAuth login flow starts in your browser. If running headlessly, the authorization URL is printed to stdout. If you've already logged in with Claude Code CLI, the proxy reuses those credentials.
Nix
nix develop # dev shell with Go
nix build # build the binary
Client configuration
Point any Anthropic-compatible client at the proxy:
export ANTHROPIC_API_KEY=your-proxy-api-key
export ANTHROPIC_BASE_URL=http://localhost:8082
Endpoints
| Method | Path | Description |
|---|---|---|
| POST | /v1/messages |
Anthropic Messages API (proxied) |
| POST | /messages |
Same, without /v1 prefix |
| GET | /healthz |
Health check |
| POST | /reload |
Hot-reload config (sanitize rules + API keys) |
Configuration
See config.example.yaml for all options. Key sections:
api_keys— keys clients use to authenticate with the proxysanitize— tool renames, system prompt replacements, body replacementstelemetry— OTLP endpoint, service name, auth headerslogging— level, file path, rotation settingsclaude_binary— path toclaudeCLI for request fingerprinting (optional)