The title is misleading if you don’t read the whole text: Anthropic is not blocking OpenCode from the API that they sell.
They’ve blocked OpenCode from accessing the private Claude Code endpoints. These were not advertised or sold as usable with anything else. OpenCode reverse engineered the API and was trying to use it.
The private API isn’t intended for use with other tools. Any tool that used it would get blocked.
The gist showsmthat the first line ofmthe system prompt must be "You are Claude Code, Anthropic's official CLI for Claude."
That’s a reasonable attempt to enforce the ToS. For OpenCode, they also take the next step of additionally blocking a second line of “You are OpenCode.”
There might be more thorough ways to effect a block (e.g. requiring signed system prompts), but Anthropic is clearly making its preferences known here.
But we're against that, right? Or do we want a world where other companies' ToS also forbid open source software use if you use their product? After all, "it's their product", so if they want to say that you aren't allowed to use open source software, "they can enforce their ToS however they like". Or is it only Anthropic where we are OK with them forbidding open source software use with their product?
What we want is a world where there are enough options out there that if one doesn't like the ToS or even the name of an option, then it's trivial to select another option. No need for anyone to constrain anyone else.
What we want is a world where there are enough options out there that of one doesn't like the ToS or even the name of an option, then it's trivial to select another option. No need for anyone to constrain anyone else.
What do you mean by "not all"? They aren't obligated to block every tool/project trying to use the private API all the way to a lone coder making their own closed-source tool. That's just not feasible. Or did you have a way to do that?
> The gist shows that only certain tools are block, not all.
Are those other phrases actually used by any tools? I thought they were just putting phrases into the LLM arbitrarily. Any misuse of the endpoint is detected at scale they probably add more triggers for that abuse.
Expecting it to magically block different phrases is kind of silly.
> They're selectively enforcing their ToS.
Do you have anything to support that? Not a gist of someone putting arbitrary text into the API, but links to another large scale tool that gets away with using the private API?
Seems pretty obvious that they’re just adding triggers for known abusers as they come up.
The only difference is the auth method - OAuth bearer token (sk-ant-oat01-...) vs API key (sk-ant-api03-...). The "blocking" is request body fingerprinting on the server side.
Here's what a working Claude Code request looks like:
{
"model": "claude-sonnet-4-20250514",
"max_tokens": 32000,
"stream": true,
"metadata": {
"user_id": "user_<sha256>_account_<uuid>_session_<uuid>"
},
"system": [
{"type": "text", "text": "You are a Claude agent, built on Anthropic's Claude Agent SDK."},
{"type": "text", "text": "<~12KB of instructions>"}
],
"tools": [
{"name": "Task", ...},
{"name": "Bash", ...},
// 17 tools total, PascalCase names
],
"messages": [...]
}
And here's what OpenCode sends (blocked):
{
"model": "claude-sonnet-4-20250514",
"max_tokens": 16000,
"temperature": 0, // Claude Code doesn't send this
"stream": true,
// no metadata.user_id - required
"system": [
{"type": "text", "text": "You are OpenCode, an interactive CLI..."}
],
"tools": [
{"name": "bash", ...}, // lowercase, wrong schema
{"name": "edit", ...},
// 11 tools total
],
"messages": [...]
}
The API validates at least 5 things:
(1) system prompt must start with "You are a Claude agent, built on Anthropic's Claude Agent SDK."
(2) tools must match Claude Code's exact 17 tool definitions with PascalCase names
(3) headers must include anthropic-beta, x-app: cli, and claude-cli user-agent
(4) metadata.user_id must be present in a specific format
(5) temperature field must be absent.
Fail any of these:
400 | This credential is only authorized for use with Claude Code
and cannot be used for other API requests.
It's bypassable though. I wrote a local proxy that lets OpenCode (and other third-party clients) work with a Max subscription. The approach: run legit Claude Code through the proxy once to capture its exact request format - the full system prompt, all 17 tool schemas, headers. Cache that. Then when OpenCode sends a request, the proxy swaps its templates with Claude Code's cached ones, adds the required headers/metadata, and strips temperature. The OAuth token is already on disk at ~/.claude/.credentials.json (written by "claude login") - the proxy just reads it for each request.
Same endpoint, same request size, just different templates. Returns 200. OpenCode works with Max subscription again.
It's not endpoint separation, it's request body validation. The OAuth token is tied to an expected request format, but the format can be mimicked.
They’ve blocked OpenCode from accessing the private Claude Code endpoints. These were not advertised or sold as usable with anything else. OpenCode reverse engineered the API and was trying to use it.
The private API isn’t intended for use with other tools. Any tool that used it would get blocked.