# Authentication

## Overview

OpenClaw supports two authentication methods for model providers: OAuth and API keys. For Anthropic users, an API key is recommended, though Claude subscription users can alternatively use tokens from `claude setup-token`.

## Key Setup Methods

### API Key Approach (Recommended)

Set your Anthropic API key on the gateway host via environment variable or the `~/.openclaw/.env` configuration file, then verify with `openclaw models status`.

### Claude Subscription Token

Users with Claude subscriptions can run `claude setup-token` on the gateway host and import it using `openclaw models auth setup-token --provider anthropic`.

## Credential Management

Users can control which authentication credential is active through:

- Per-session selection via `/model <alias>@<profileId>` commands
- Per-agent configuration using auth profile ordering commands
- Status checks with `openclaw models status` or `openclaw doctor`

## Troubleshooting

Common issues include missing credentials (resolved by rerunning `claude setup-token`) and token expiration (identifiable through status commands). The system provides automation-friendly checks that return specific exit codes for expired or missing credentials.

## Requirements

Users need either a Claude Max or Pro subscription and the Claude Code CLI installed to access setup-token functionality.