feat: OAuth Enhancements - Multi-Account, YOLO Mode, Auto-Relogin

[mguttmann]

Summary

Combined PR for three OAuth/authentication enhancements for power users:

• Multi-Account OAuth Rotation - Use multiple Claude Max accounts with auto-rotation on rate limits
• YOLO Mode - Skip all permission prompts for trusted workflows
• Auto-Relogin Browser Sessions - Automatic token refresh via Puppeteer

Closes #9971

Features

1. Multi-Account OAuth Rotation

• Providers tab in Settings with full account management UI
• Display Anthropic rate limits (5-hour, 7-day, Sonnet) with real-time updates
• Click to switch accounts, auto-rotate on rate limits
• CLI: opencode auth usage

2. YOLO Mode

• Skip ALL permission prompts (respects explicit deny rules)
• Session-only or persistent mode
• Settings > General > YOLO Mode section
• CLI: opencode --yolo or OPENCODE_YOLO=true

3. Auto-Relogin Browser Sessions

• Puppeteer-based with stealth plugin (bypasses Cloudflare)
• Isolated browser profiles per account
• Automatic headless token refresh on 401 errors
• CLI: opencode auth browser setup/status/refresh/remove

Changed Files

App (Frontend)

• dialog-settings.tsx - Add Providers tab
• settings-providers.tsx - New provider management UI
• settings-general.tsx - Add YOLO Mode section
• session-context-tab.tsx - Add rate limit display and account switching

OpenCode (Backend)

• auth/index.ts - Multi-account support, usage API, token management
• auth/browser.ts - Puppeteer browser session management
• auth/context.ts - Auth context utilities
• yolo/index.ts - YOLO mode state management
• config/config.ts - Add yolo config field
• flag/flag.ts - Add OPENCODE_YOLO flag
• permission/next.ts - YOLO auto-approve integration
• project/bootstrap.ts - Initialize YOLO on startup
• server/routes/config.ts - YOLO API endpoints
• server/routes/provider.ts - Browser session endpoints
• server/server.ts - Auth usage and active account endpoints

SDK

• Regenerated with new auth endpoints

[github-actions]

The following comment was made by an LLM, it may be inaccurate:

Potential Duplicate PRs Found

Based on my search, I found several related PRs that may be addressing similar or overlapping functionality:

1. PR feat(auth): OAuth Marathon - multi-account credential rotation #8590 - feat(auth): OAuth Marathon - multi-account credential rotation

   • Directly related to multi-account OAuth rotation feature

2. PR feat(openai-oauth) OpenAI OAuth multi account support #8536 - feat(openai-oauth) OpenAI OAuth multi account support

   • Multi-account OAuth support (though for OpenAI specifically)

3. PR feat(usage): unified usage tracking with auth refresh (#9281) #9545 - feat(usage): unified usage tracking with Copilot/Claude auth refresh

   • Related to auth refresh and usage tracking capabilities

4. PR feat(tui): add /usage command and sidebar usage section #9301 - feat(tui): add /usage command and sidebar usage section

   • Related to the opencode auth usage CLI command mentioned in your PR

These PRs appear to overlap with the OAuth Enhancements PR #9972, particularly around multi-account rotation, usage tracking, and authentication refresh functionality.

[mguttmann]

Thanks for flagging the potential duplicates! Let me clarify the relationship:

Relationship to existing PRs

• feat(auth): OAuth Marathon - multi-account credential rotation #8590 (OAuth Marathon) - This PR builds on top of the multi-account foundation from that work. The core rotation logic is shared, but this PR adds:

  • Desktop Settings UI for account management
  • Real-time rate limit display with account switching
  • Integration with YOLO mode and Auto-Relogin

• feat(openai-oauth) OpenAI OAuth multi account support #8536 (OpenAI OAuth) - Different provider focus. This PR is primarily for Anthropic/Claude Max users.

• feat(usage): unified usage tracking with auth refresh (#9281) #9545 (Unified usage tracking) - Complementary. This PR focuses on the user-facing UI and account switching, while feat(usage): unified usage tracking with auth refresh (#9281) #9545 handles backend tracking.

• feat(tui): add /usage command and sidebar usage section #9301 (/usage command) - The CLI command in this PR (opencode auth usage) may overlap. Happy to coordinate or defer to that implementation.

Unique features in this PR

1. YOLO Mode - Entirely new feature, not covered by any existing PR
2. Auto-Relogin Browser Sessions - Puppeteer-based token refresh, not covered elsewhere
3. Settings UI - Providers tab with full account management (screenshots attached to issue feat: OAuth Enhancements - Multi-Account, YOLO Mode, Auto-Relogin #9971)

Screenshots

See the attached screenshots in issue #9971 showing:

• Providers tab with rate limit bars
• Account switching with instant updates
• YOLO Mode settings section

Happy to adjust scope or coordinate with maintainers on any overlapping functionality!

[mguttmann]

Update - January 24, 2025

Branch rebased and updated to latest dev (v1.1.34). All features tested and working.

Latest Fixes

• Auth.set() bug fixed: Adding a second OAuth account now correctly creates a new account instead of overwriting the first one
• Auto-Relogin labels: Renamed account labels now properly display in the Auto-Relogin section
• Nested button fix: Removed invalid HTML (button inside button) that could cause UI crashes
• Timeout fixes: Added proper timeout cleanup in finally blocks

All Features Working

• Multi-account OAuth with auto-rotation on rate limits
• Account rename (inline UI + CLI)
• Browser session rebind
• Auto-relogin with Puppeteer
• YOLO mode

Ready for review.

[vanyauhalin]

+4,803 −159

Poor Adam...

[mguttmann]

Update: Multi-Language Fix

Added a fix for browser session refresh that now works regardless of Claude.ai language setting.

Commit: c687571 - fix(auth): make browser session refresh language-agnostic

Changes:

• Auto-dismiss cookie banners before clicking authorize button
• Find authorize button by visual style (solid background = primary button) instead of text
• Works with German ("Autorisieren"), French, English, and any other language

This was causing issues when Claude.ai was set to a non-English language - the "Authorize" button wasn't being clicked because the code was looking for the English text.

[mguttmann]

@vanyauhalin I promise most of those lines are just me being thorough... and definitely not because I kept finding "one more small thing" to add 😅

Adam, if you're reading this: I brought coffee ☕ (virtually). Also, the multi-language fix alone should earn me some karma points - debugging Puppeteer clicking German buttons at midnight wasn't on my bingo card.

But hey, at least it's not a mass-rename refactor! 🙈

[kfiramar]

What about OpenAI? (Antigravity could be a bonus)

[mguttmann]

@kfiramar I don't use OpenAI, so no idea honestly - I'm a pure Claude user 🤷‍♂️

The multi-account rotation technically works for any OAuth provider, but the main use case (and the auto-relogin browser sessions) is specifically built around Claude Max subscriptions.

[mguttmann]

Fix: Removed duplicate providers menu entry

Commit: 907a28b

After merging the latest upstream, the settings dialog had two "Providers" entries - our old hardcoded English one and the new upstream i18n-aware one (which shows "Anbieter" in German, "Providers" in English, etc.).

Removed our duplicate entry since upstream now handles this properly with localization support.

[mguttmann]

Rebased on latest dev branch.

Changes made during rebase:

• Resolved all merge conflicts with upstream changes
• Fixed duplicate deep-link declarations in desktop/index.tsx
• Fixed import path for openai-compatible SDK (was ./sdk/openai-compatible/src, now ./sdk/copilot)
• Regenerated SDK types
• All TypeScript checks pass

[mguttmann]

CI Status Update

• ✅ typecheck - passing
• ✅ check-standards - passing
• ⚠️ test (linux) - E2E tests interrupted (flaky)
• ⏳ test (windows) - pending

Note on test failures:
The Linux E2E tests are experiencing intermittent failures due to test interruptions (SIGINT/timeout), not code issues:

• 22 tests passed
• 1 test failed (prompt test)
• 3 tests interrupted

All unit tests pass, including the new auth/oauth tests. The same E2E tests pass on the dev branch, suggesting this is a CI resource/timing issue rather than a code problem.

Changes since last update:

• Fixed TypeScript errors for optional puppeteer-extra imports (added @ts-ignore for runtime-installed modules)

Ready for review. The E2E flakiness appears to be unrelated to the OAuth changes.

[mguttmann]

Update – February 2, 2026

Rebased on latest dev and fixed all CI failures. All checks passing (typecheck, test linux, test windows, check-standards).

Bugs fixed in this update

1. Route ordering bug – DELETE /auth/account was unreachable because DELETE /auth/:providerID (wildcard) was registered first in the Hono chain, causing "account" to be treated as a providerID. Moved the literal route before the wildcard so it takes precedence. This was preventing users from deleting OAuth accounts.

2. Provider source precedence – Custom loaders were unconditionally setting source: "custom", overwriting source: "env" for environment-loaded providers. Restored the upstream conditional logic: only set source: "custom" when the provider isn't already loaded. Fixed the provider loaded from env variable unit test.

3. Settings dialog tabs – Restored the Providers and Models tab triggers in dialog-settings.tsx that were lost during a previous rebase. Aligned structure with upstream (Desktop + Server sections).

4. Custom provider section – Added data-component="custom-provider-section" to settings-providers.tsx for E2E test compatibility. Our multi-account UI now includes the custom provider form entry point that the existing E2E tests expect.

CI Status

• ✅ typecheck
• ✅ test (linux) – 840 pass, 0 fail
• ✅ test (windows) – all E2E tests passing
• ✅ check-standards

[mguttmann]

Closing this PR — splitting into two separate, focused PRs: one for Multi-Account + Auto-Relogin, and one for YOLO Mode. New PRs will be linked here once created.