The title is misleading if you don’t read the whole text: Anthropic is not blocking OpenCode from the API that they sell.
They’ve blocked OpenCode from accessing the private Claude Code endpoints. These were not advertised or sold as usable with anything else. OpenCode reverse engineered the API and was trying to use it.
The private API isn’t intended for use with other tools. Any tool that used it would get blocked.
The gist showsmthat the first line ofmthe system prompt must be "You are Claude Code, Anthropic's official CLI for Claude."
That’s a reasonable attempt to enforce the ToS. For OpenCode, they also take the next step of additionally blocking a second line of “You are OpenCode.”
There might be more thorough ways to effect a block (e.g. requiring signed system prompts), but Anthropic is clearly making its preferences known here.
What do you mean by "not all"? They aren't obligated to block every tool/project trying to use the private API all the way to a lone coder making their own closed-source tool. That's just not feasible. Or did you have a way to do that?
> The gist shows that only certain tools are block, not all.
Are those other phrases actually used by any tools? I thought they were just putting phrases into the LLM arbitrarily. Any misuse of the endpoint is detected at scale they probably add more triggers for that abuse.
Expecting it to magically block different phrases is kind of silly.
> They're selectively enforcing their ToS.
Do you have anything to support that? Not a gist of someone putting arbitrary text into the API, but links to another large scale tool that gets away with using the private API?
Seems pretty obvious that they’re just adding triggers for known abusers as they come up.
The only difference is the auth method - OAuth bearer token (sk-ant-oat01-...) vs API key (sk-ant-api03-...). The "blocking" is request body fingerprinting on the server side.
Here's what a working Claude Code request looks like:
{
"model": "claude-sonnet-4-20250514",
"max_tokens": 32000,
"stream": true,
"metadata": {
"user_id": "user_<sha256>_account_<uuid>_session_<uuid>"
},
"system": [
{"type": "text", "text": "You are a Claude agent, built on Anthropic's Claude Agent SDK."},
{"type": "text", "text": "<~12KB of instructions>"}
],
"tools": [
{"name": "Task", ...},
{"name": "Bash", ...},
// 17 tools total, PascalCase names
],
"messages": [...]
}
And here's what OpenCode sends (blocked):
{
"model": "claude-sonnet-4-20250514",
"max_tokens": 16000,
"temperature": 0, // Claude Code doesn't send this
"stream": true,
// no metadata.user_id - required
"system": [
{"type": "text", "text": "You are OpenCode, an interactive CLI..."}
],
"tools": [
{"name": "bash", ...}, // lowercase, wrong schema
{"name": "edit", ...},
// 11 tools total
],
"messages": [...]
}
The API validates at least 5 things:
(1) system prompt must start with "You are a Claude agent, built on Anthropic's Claude Agent SDK."
(2) tools must match Claude Code's exact 17 tool definitions with PascalCase names
(3) headers must include anthropic-beta, x-app: cli, and claude-cli user-agent
(4) metadata.user_id must be present in a specific format
(5) temperature field must be absent.
Fail any of these:
400 | This credential is only authorized for use with Claude Code
and cannot be used for other API requests.
It's bypassable though. I wrote a local proxy that lets OpenCode (and other third-party clients) work with a Max subscription. The approach: run legit Claude Code through the proxy once to capture its exact request format - the full system prompt, all 17 tool schemas, headers. Cache that. Then when OpenCode sends a request, the proxy swaps its templates with Claude Code's cached ones, adds the required headers/metadata, and strips temperature. The OAuth token is already on disk at ~/.claude/.credentials.json (written by "claude login") - the proxy just reads it for each request.
Same endpoint, same request size, just different templates. Returns 200. OpenCode works with Max subscription again.
It's not endpoint separation, it's request body validation. The OAuth token is tied to an expected request format, but the format can be mimicked.
They’re not literally blocking OpenCode. You can use OpenCode with their API like any other tool.
They’ve blocked the workaround OpenCode was using to access a private API that was metered differently.
Any tool that used that private endpoint would be blocked. They’re not pushing an agenda. They’re just enforcing their API terms like they would for any use.
after they exploited us by training without any limits on code without licensing it (including GPLed code) they now scramble to ban and restrict when we want to do the same to them. that's the schadenfreude...
Are you suggesting Anthropic has a “duty to deal” with anyone who is trying to build competitive products to Claude Code, beyond access to their priced API? I don’t think so. Especially not to a product that’s been breaking ToS.
They cannot actually do this as long as they keep Claude code open source. It is always going to be trivial to replicate how it sends requests in a third party tool.
This is the second time this month I've been frustrated with Anthropic's decisions. First, Claude Code after the 2.1.9 update completely broke - it lost context between messages and ignored previous prompts. The quality degraded overnight with no warning.
So I migrated to Open Code while still using Claude as the underlying model since I was comfortable with it. Now they're blocking authorization for third-party clients? Last I checked, my subscription is for Claude, not exclusively for Claude Code.
I really dislike these kinds of moves. Anthropic seems aware they have goodwill in the developer community largely due to good PR and a solid model - though Opus 4.1 was bad enough that I cancelled my subscription for the first time.
If they want to play the corporate lock-in game, that's their choice. But I'm not interested. I just want a stable solution that's properly tested before release - not beta-tested on paying customers.
Open Code works fine as a CLI. Claude Code is heading in the wrong direction with these restrictions. And honestly, Claude doesn't differentiate itself enough from competitors anymore to justify not switching to Codex or Gemini.
For now, I'm done with Claude.
Obviously Anthropic are within their rights to do this, but I don’t think their moat is as big as they think it is. I’ve cancelled my max subscription and have gone over to ChatGPT pro, which is now explicitly supporting this use case.
Is opencode that much better than Codex / Claude Code for cli tooling that people are prepared forsake[1] Sonnet 4.5/Opus 4.5 and switch to GPT 5.2-codex ?
The moat is Sonnet/Opus not Claude Code it can never be a client side app.
Cost arbitrage like this is short lived, until the org changes pricing.
For example Anthropic could release say an ultra plan at $500-$1000 with these restrictions removed/relaxed that reflects the true cost of the consumption, or get cost of inference down enough that even at $200 it is profitable for them and they will stop caring if higher bracket does not sell well, Then $200 is what market is ready to pay, there will be a % of users who will use it more than the rest as is the case in any software.
Either way the only money here i.e. the $200(or more) is only going to Anthropic.
[1] Perceived or real there is huge gulf in how Sonnet 4.5 is seen versus GPT 5.2-codex .
The combination of Claude Code and models could be a moat of its own; they are able to use RL to make their agent better - tool descriptions, reasoning patterns, etc.
Are they doing it? No idea, it sounds ridiculously expensive; but they did buy Bun, maybe to facilitate integrating around CC. Cowork, as an example, uses CC almost as an infrastructure layer, and the Claude Agent SDK is basically LiteLLM for your Max subscription - also built on/wrapping the CC app. So who knows, the juice may be worth the RL squeeze if CC is going to be foundational to some enterprise strategy.
Also IMO OpenCode is not better, just different. I’m getting great results with CC, but if I want to use other models like GLM/Qwen (or the new Nvidia stuff) it’s my tool of choice. I am really surprised to see people cancelling their Max subscriptions; it looks performative and I suspect many are not being honest.
I’ve used both Claude and Codex extensively, and I already preferred Codex the model. I didn’t like the harness, but recently pi got good enough to be my daily driver, and I’ve since found that it’s much better than either CC or Codex CLI. It’s OSS, very simple and hackable, and the extension system is really nice. I wouldn’t want to go back to Claude Code even if I were convinced the model were much better - given that I already preferred the alternative it’s a no-brainer. OpenAI have officially allowed the use of pi with their sub, so at least in the short term the risk of a rug pull seems minimal.
I hope the upcoming DeepSeek coding model puts a dent in Anthropic’s armor.
Claude 4.5 is by far the best/fastest coding model, but the company is just too slimy and burning enough $$$ to guarantee enshitification in the near future.
Honestly, I'm a big Claude Code fan, even despite how bad its CLI application is, because it was so much better than other models. Anthropic's move here pretty much signals to me that the model isn't much better than other models, and that other models are due for a second chance.
If their model was truly ahead of the game, they wouldn't lock down the subsidized API in the same week they ask for 5-year retention on my prompts and permission to use for training. Instead, they would have been focusing on delivering the model more cheaply and broadly, regardless of which client I use to access it.
Everyone goes on and on how "anthtropic has the right to do this", sure, we also have the right to work around these blocks and fight against behavior that uses their position to create a walled garden and vendor lock-in using anti-competitive pricing and temporary monopoly on the 'best' model.
You're not wrong, but most people on this forum are generally positive about companies using private APIs (which this is) for a competitive advantage.
This is pretty undisputed I think... So if we're going to condemn anthropic for it, it'd be pretty one-sided unless we also took it up with any other companies doing so, like Apple, Google, ... And frankly basically all closed source companies.
It's just coincidentally more obvious with this Claude code API because the only difference between it and the public one is the billing situation...
The only basis we'd have to argue otherwise is that the subscription predates Claude code
When using their web UI with Firefox and ublock origin it regularly freezes the tab when the answer is written out. Someone at Anthropic had to create a letter-by-letter typing animation with GIF image and sentry callbacks every five seconds, which ends up in an infinite loop.
I've seen reports about this bug affecting Firefox users since Q3 2025. They were reported over various channels.
Not a fan of them prioritizing the combat against opencode instead of fixing issues that affect paying users.
It also happens with extensions and Firefox adblocker disabled. Might be connected to one of the Firefox anti tracking features, but I was unable to figure it out. The profiler shows an infinite loop.
I've found several reports about this issue. Seems they don't care about Firefox.
This is definitely Barbara Streisanding right now. I had never heard of OpenCode. But I sure have now! Will have to check it out. Doubt I’ll end up immediately canceling Claude Code Max, but we’ll see.
I don’t know if the Streisand Effect is relevant here since Anthropic will block any other uses of their private APIs, not just OpenCode. The private Claude Code API was never advertised nor sold as a general purpose API for use with any tool.
OpenCode is an interesting tool but if this is your first time hearing of it you should probably be aware of their recent unauthenticated RCE issues and the slow response they’ve had to fixing it: https://news.ycombinator.com/item?id=46581095 They say they’re going to do better in the future but it’s currently on my list of projects to keep isolated until their security situation improves.
Imo I don't trust ANY of these tools to run in non-isolated environments.
All of these tools are either
- created by companies powered by VC money that never face consequences for mishandling your data
- community vibecoded with questionable security practices
These tools also need to have a substantial amount of access to be useful so it is really hard to secure even if you try. Constantly prompting for approval leads to alert fatigue and eventually a mistake leading to exfiltration.
I suggest just stick to LXC or VM. Desktop (including linux) userland security is just bad in general. I try to keep most random code I download for one off tasks to containers.
OpenCode is kind of a security disaster though: https://news.ycombinator.com/item?id=46581095. To be clear, I know all software has bugs, including security bugs. But that wasn't an obscure vulnerability, that was "our entire dev team fundamentally has no fucking clue what they're doing, and our security reporting and triage process is nonexistent". No way am I entrusting production code and secrets to that.
So is Claude. They nuked everyone's claude app a few days ago by pushing a shoddy changelog that crashed the app during init. Team literally doesnt understand how to implement try...catch. The thing clearly was vibe coded into existence.
agreed. This is definitely free PR for OpenCode. I didn't try it myself until I heard the kerfuffle around Anthropic enforcing their ToS. It definitely has a much nicer UX than claude-code, so I might give the GPT subscription a shot sometime, given that it's officially supported w/ 3rd party harnesses, and gpt 5.2 doesn't appear to be that far behind Opus (based on what other people say).
Readit News
They’ve blocked OpenCode from accessing the private Claude Code endpoints. These were not advertised or sold as usable with anything else. OpenCode reverse engineered the API and was trying to use it.
The private API isn’t intended for use with other tools. Any tool that used it would get blocked.
Isn't that misleading from Anthropic side? The gist shows that only certain tools are block, not all. They're selectively enforcing their ToS.
That’s a reasonable attempt to enforce the ToS. For OpenCode, they also take the next step of additionally blocking a second line of “You are OpenCode.”
There might be more thorough ways to effect a block (e.g. requiring signed system prompts), but Anthropic is clearly making its preferences known here.
Are those other phrases actually used by any tools? I thought they were just putting phrases into the LLM arbitrarily. Any misuse of the endpoint is detected at scale they probably add more triggers for that abuse.
Expecting it to magically block different phrases is kind of silly.
> They're selectively enforcing their ToS.
Do you have anything to support that? Not a gist of someone putting arbitrary text into the API, but links to another large scale tool that gets away with using the private API?
Seems pretty obvious that they’re just adding triggers for known abusers as they come up.
I reverse engineered this over the past week. Both Claude Code and regular API users hit the same endpoint: https://api.anthropic.com/v1/messages
The only difference is the auth method - OAuth bearer token (sk-ant-oat01-...) vs API key (sk-ant-api03-...). The "blocking" is request body fingerprinting on the server side.
Here's what a working Claude Code request looks like:
And here's what OpenCode sends (blocked): The API validates at least 5 things:(1) system prompt must start with "You are a Claude agent, built on Anthropic's Claude Agent SDK."
(2) tools must match Claude Code's exact 17 tool definitions with PascalCase names
(3) headers must include anthropic-beta, x-app: cli, and claude-cli user-agent
(4) metadata.user_id must be present in a specific format
(5) temperature field must be absent.
Fail any of these:
It's bypassable though. I wrote a local proxy that lets OpenCode (and other third-party clients) work with a Max subscription. The approach: run legit Claude Code through the proxy once to capture its exact request format - the full system prompt, all 17 tool schemas, headers. Cache that. Then when OpenCode sends a request, the proxy swaps its templates with Claude Code's cached ones, adds the required headers/metadata, and strips temperature. The OAuth token is already on disk at ~/.claude/.credentials.json (written by "claude login") - the proxy just reads it for each request.Same endpoint, same request size, just different templates. Returns 200. OpenCode works with Max subscription again.
It's not endpoint separation, it's request body validation. The OAuth token is tied to an expected request format, but the format can be mimicked.
I get it though, Anthropic has to protect their investment in their work. They are in a position to do that, whereas most of us are not.
They’ve blocked the workaround OpenCode was using to access a private API that was metered differently.
Any tool that used that private endpoint would be blocked. They’re not pushing an agenda. They’re just enforcing their API terms like they would for any use.
Deleted Comment
Viewed another way, the preferential pricing they're giving to Claude Code (and only Claude Code) is anticompetitive behavior that may be illegal.
They’re not obligated to give other companies access to their services at a discounted rate.
The moat is Sonnet/Opus not Claude Code it can never be a client side app.
Cost arbitrage like this is short lived, until the org changes pricing.
For example Anthropic could release say an ultra plan at $500-$1000 with these restrictions removed/relaxed that reflects the true cost of the consumption, or get cost of inference down enough that even at $200 it is profitable for them and they will stop caring if higher bracket does not sell well, Then $200 is what market is ready to pay, there will be a % of users who will use it more than the rest as is the case in any software.
Either way the only money here i.e. the $200(or more) is only going to Anthropic.
[1] Perceived or real there is huge gulf in how Sonnet 4.5 is seen versus GPT 5.2-codex .
Are they doing it? No idea, it sounds ridiculously expensive; but they did buy Bun, maybe to facilitate integrating around CC. Cowork, as an example, uses CC almost as an infrastructure layer, and the Claude Agent SDK is basically LiteLLM for your Max subscription - also built on/wrapping the CC app. So who knows, the juice may be worth the RL squeeze if CC is going to be foundational to some enterprise strategy.
Also IMO OpenCode is not better, just different. I’m getting great results with CC, but if I want to use other models like GLM/Qwen (or the new Nvidia stuff) it’s my tool of choice. I am really surprised to see people cancelling their Max subscriptions; it looks performative and I suspect many are not being honest.
If their model was truly ahead of the game, they wouldn't lock down the subsidized API in the same week they ask for 5-year retention on my prompts and permission to use for training. Instead, they would have been focusing on delivering the model more cheaply and broadly, regardless of which client I use to access it.
This is pretty undisputed I think... So if we're going to condemn anthropic for it, it'd be pretty one-sided unless we also took it up with any other companies doing so, like Apple, Google, ... And frankly basically all closed source companies.
It's just coincidentally more obvious with this Claude code API because the only difference between it and the public one is the billing situation...
The only basis we'd have to argue otherwise is that the subscription predates Claude code
https://www.anthropic.com/news/claude-pro (years ago)
But I didn't think we're strangers to companies pivoting the narrative like this
As such, the sentiment in this thread is chilling.
I've seen reports about this bug affecting Firefox users since Q3 2025. They were reported over various channels.
Not a fan of them prioritizing the combat against opencode instead of fixing issues that affect paying users.
I've found several reports about this issue. Seems they don't care about Firefox.
OpenCode is an interesting tool but if this is your first time hearing of it you should probably be aware of their recent unauthenticated RCE issues and the slow response they’ve had to fixing it: https://news.ycombinator.com/item?id=46581095 They say they’re going to do better in the future but it’s currently on my list of projects to keep isolated until their security situation improves.
All of these tools are either
- created by companies powered by VC money that never face consequences for mishandling your data
- community vibecoded with questionable security practices
These tools also need to have a substantial amount of access to be useful so it is really hard to secure even if you try. Constantly prompting for approval leads to alert fatigue and eventually a mistake leading to exfiltration.
I suggest just stick to LXC or VM. Desktop (including linux) userland security is just bad in general. I try to keep most random code I download for one off tasks to containers.
Absolutely all coding agents should be run in sandboxed containers, 24/7, if you do otherwise, please don't cry when you're pwned.
Deleted Comment
Claude Code’s creator has also said that CC is 100% AI generated these days.