Claude Code Auth Login Now Accepts Pasted OAuth Codes in WSL2, SSH, and Containers
Claude CodeClaude Code v2.1.126 fixes a long-standing authentication friction point for developers working in WSL2, SSH sessions, and containers: claude auth login now accepts the OAuth authorization code pasted directly into the terminal when the browser's localhost callback cannot reach the local machine. Previously, these environments were stuck β the browser redirect to localhost silently failed, leaving no path to complete login from the command line. The same release also resolves OAuth failures on slow or proxied connections, IPv6-only devcontainers, and a race condition that could silently clear valid refresh tokens.
Sources & Mentions
4 external resources covering this update
The OAuth Callback Problem in Remote Environments
OAuth login works smoothly when the browser and the CLI share the same machine. The browser opens, the user authenticates, and the browser redirects to localhost β where the CLI is listening. Claude Code receives the token and the session begins.
In WSL2, SSH tunnels, and containerized development environments, this model breaks down. The browser opens on the host machine, but localhost inside WSL2 or a container is a different network namespace. The redirect silently fails. Claude Code receives nothing and the authentication either times out or leaves the user stranded with no clear path forward.
This failure mode generated significant community frustration. Hacker News threads about Claude Code OAuth outages documented users cycling through workarounds β logging out, retrying multiple times, switching to console-based login β with inconsistent results.
The Fix: Paste the OAuth Code into the Terminal
Version 2.1.126 adds a paste-based fallback to claude auth login. When the browser callback cannot reach localhost, Claude Code now accepts the OAuth authorization code pasted directly into the terminal prompt. The flow:
claude auth loginopens the browser for the standard OAuth consent screen- After consenting, the browser displays the authorization code (rather than silently redirecting to a broken localhost)
- The user copies the code from the browser and pastes it into the CLI terminal
- Claude Code exchanges the code for tokens and completes login
This is the same "copy the code" pattern used by Google's gcloud auth login --no-browser and GitHub's device flow β a proven approach for headless or split-network environments.
Additional OAuth Reliability Fixes
The same release addresses several related edge cases:
- Slow or proxied connections β OAuth login previously timed out on high-latency or corporate proxy setups before the callback could complete
- IPv6-only devcontainers β the localhost listener bound only to IPv4, causing failures where
localhostroutes through IPv6 - Credential-write race condition β a rare concurrent write could silently clear a valid OAuth refresh token mid-session
CLAUDE_CODE_OAUTH_TOKENenv var ignored/loginβ sessions launched with this env var previously ignored subsequent/loginattempts; the environment token is now cleared so disk credentials take effect
Who This Affects
- WSL2 users on Windows β the browser always opens on the Windows host while
localhostinside WSL2 is a separate network namespace - Remote SSH development β developers SSH-ing into cloud VMs or home servers to run Claude Code headlessly
- Docker and devcontainer users β containerized environments where
localhostinside the container is isolated from the host browser - Corporate network users β organizations with strict proxies or firewalls that delay or intercept OAuth redirect flows