Sources

### Token leakage The leakage threat is covered in RFCs related to OAuth. For example, the open redirect vulnerability was mentioned many times, even in the first OAuth 2.0 RFC [6749]. So basically, **when you follow the standard, you significantly reduce the risk**. Of course, the truth is that if something is prohibited in the standard it does not mean it will not happen and we should strive to create recommendations as secure as possible, minimizing the risk. Actually, that was the motivation of the published draft. On the other hand, if you do not follow the standard properly, you are always at higher risk. Futhermore, the history shows that bugs in software beyond the reach of OAuth server’s and client’s developers (like the one in Chromium) introduce new vectors for token leakage such as beforementioned leakage via referer header or browser history. That is another motivation to adjust standards to the current situation. … This threat is also related to the fact that **OAuth framework must not be used for authentication**. The OAuth 2.0 RFC stays as follows: > Authenticating resource owners to clients is out of scope for this specification. Any specification that uses the authorization process as a form of delegated end-user authentication to the client (e.g., third-party sign-in service) MUST NOT use the implicit flow without additional security mechanisms that would enable the client to determine if the access token was issued for its use (e.g., audience- restricting the access token). … ### Using OAuth 2.0 for authentication is really, really a bad idea… Problems arising from the use of OAuth 2.0 for authentication does not refer only to the *implicit * grant type, but also other types, including *authorization code* type. Lately, I have found an interesting vulnerability in Single Sign-On (SSO) authentication mechanism based on OAuth 2.0. It allowed to log in using accounts from Active Directory. … The clients that accepted Google account either verified whether the logged in e-mail address is accepted (there was a list of accepted Google e-mail addresses) or simply allowed anyone (any Google e-mail address) to have a valid account. Unfortunately, the other group of clients were not aware of the fact that users can log in to SSO also with Google accounts and additionaly, they did not verify whether the authorization *code*, that was returned to them with redirection, came from the login process initiated by them. They just used the *code* to get the access token.

All the hard fought compromises on the mailing list, in meetings, in special design committees, and in back channels resulted in a specification that fails to deliver its two main goals – security and interoperability. In fact, one of the compromises was to rename it from a protocol to a framework, and another to add a disclaimer that warns that the specification is unlike to produce interoperable implementations. When compared with OAuth 1.0, the 2.0 specification is more complex, less interoperable, less useful, more incomplete, and most importantly, less secure. To be clear, OAuth 2.0 at the hand of a developer with deep understanding of web security will likely result is a secure implementation. However, at the hands of most developers – as has been the experience from the past two years – 2.0 is likely to produce insecure implementations. … The resulting specification is a **designed-by-committee** patchwork of compromises that serves mostly the enterprise. To be accurate, it doesn’t actually give the enterprise all of what they asked for directly, but it does provide for practically unlimited extensibility. It is this extensibility and required flexibility that destroyed the protocol. **With very little effort, pretty much anything can be called OAuth 2.0 compliant.** … - **Unbounded tokens** – In 1.0, the client has to present two sets of credentials on each protected resource request, the token credentials and the client credentials. In 2.0, the client credentials are no longer used. This means that tokens are no longer bound to any particular client type or instance. This has introduced limits on the usefulness of access tokens as a form of authentication and increased the likelihood of security issues. - **Bearer tokens** – 2.0 got rid of all signatures and cryptography at the protocol level. Instead it relies solely on TLS. This means that 2.0 tokens are inherently less secure as specified. Any improvement in token security requires additional specifications and as the current proposals demonstrate, the group is solely focused on enterprise use cases. - **Expiring tokens** – 2.0 tokens can expire and must be refreshed. This is the most significant change for client developers from 1.0 as they now need to implement token state management. The reason for token expiration is to accommodate self-encoded tokens – encrypted tokens which can be authenticated by the server without a database look-up. Because such tokens are self-encoded, they cannot be revoked and therefore must be short-lived to reduce their exposure. Whatever is gained from the removal of the signature is lost twice in the introduction of the token state management requirement. … On the other hand, 2.0 defines 4 new registries for extensions, along with additional extension points via URIs. The result is a flood of proposed extensions. But the real issues is that the working group could not define the real security properties of the protocol. This is clearly reflected in the security consideration section which is largely an exercise of hand waving. It is barely useful to security experts as a bullet point of things to pay attention to.

When Claude Code launched for real in June 2025, usage of the Anthropic models was included in the Pro and Max plans, for a flat monthly or annual subscription. These plans quickly became very popular when users realised that the effective cost per token was much lower compared to Anthropic's API pricing. ... In contrast, other coding agents such as Amp only provided the ability to connect to Claude models via the much more expensive pay-per-token API. It turns out that logging into third-party coding agents with an Anthropic OAuth token was a bit of a loophole. This was evident from the fact that it would only work if the client-supplied system prompt contained a specific phrase identifying itself as Claude Code. Nevertheless, many (presumably) unsuspecting Anthropic customers used OpenCode in this way; from their perspective, they were simply using the same service that they were already paying for, just in the comfort of their preferred coding harness. However, Anthropic clearly didn't see it this way. On 9 January 2026, Anthropic unceremoniously closed the loophole, changing their API to detect and reject requests from third-party clients. The renowned vibe-coder Peter Steinberger soon posted about it on the website formerly known as Twitter, and disgruntled Anthropic customers expressed their discontent in a GitHub issue, requesting the decision to be reversed, many threatening to cancel their Claude subscription otherwise. It's notable that Anthropic has not formally announced this change in ToS enforcement, neither ahead of time nor after the fact. The only quasi-announcement of this change was this thread, posted by an Anthropic employee on their personal account the day after the changes took effect, presumably in response to customer complaints. The stated motivation for the change was the allegation that "third-party harnesses using Claude subscriptions create problems for users and generate unusual traffic patterns [...] making it really hard for us to help debug when they have questions about rate limit usage or account bans and they don’t have any other avenue for this support." … Which brings us to the final point: without anticipating it, Anthropic just found itself in a classic prisoner's dilemma with OpenAI -- and OpenAI just defected. Not only are they officially supporting OpenCode users to use their Codex subscriptions and usage limits in OpenCode, they are extending the same support to other open-source coding harnesses such as OpenHands, RooCode, and Pi. And it's not just a theoretical announcement either: support for connecting ChatGPT Pro/Plus subscriptions with OpenCode has already shipped.

Anthropic's recent decision to restrict Claude API access to third party tools using their subscription has left OpenCode users scrambling. If you're paying for a Claude subscription hoping to power OpenCode or similar CLI assistants, you're out of luck. Anthropic has effectively killed third-party terminal integrations. In this video, I break down exactly what changed, why Anthropic made this move, and most importantly, what it means for the future of AI coding tools. This is the wake-up call every OpenCode user needs. … {ts:74} alone. And there are multiple ways to download it. So, I'm sure those stats are really high as well. But what makes {ts:79} this worse for Anthropic is that it seems like on Twitter anyway, that people actually prefer using open code {ts:85} with clawed models than using clawed code. … But essentially, Anthropic are taking a huge hit from users that aren't in their {ts:131} ecosystem. It's kind of like Spotify allowing you to use their subscription with Apple Music or Amazon Music. It {ts:137} just doesn't make business sense. What does make more sense is if a user is locked into Claude Code and they use its … {ts:215} interested. ... I'm 100% certain Anthropic will find a way around this. They'll {ts:221} find some kind of key or some technique to prevent users from doing this, patch it in to their API, and this will happen {ts:227} again and again until the Claude subscription is not used in any other tools apart from clawed code because it … Until then, I'll stick with open code, use clawed models, do the subscription {ts:262} for as long as I can, but then move to API pricing and use them a lot less in favor of other models. I really like {ts:268} using the open code 2y and I can't imagine moving all of that to clawed code.

**Real example:** I fed it a 180-page API documentation PDF and asked it to generate TypeScript types for all endpoints. It caught edge cases the documentation barely mentioned. … **What just happened:** - `max_tokens` is required (unlike OpenAI) - Messages format is similar but not identical to OpenAI - Response structure differs (it’s `content[0].text`, not `choices[0].message.content`) … **Where it struggles:** Handwriting recognition, low-quality images, and precise coordinate identification. … ## Common Mistakes to Avoid ### Sending Unnecessary Context Just because you have 200K tokens doesn’t mean every request needs them. I’ve seen developers send entire conversation history for simple queries, inflating costs 10x. **Fix:** Maintain a sliding context window. Keep recent messages plus essential context, not everything. ### Ignoring Max Tokens Unlike OpenAI, Claude requires `max_tokens`. Forgetting it throws an error. Setting it too low truncates responses mid-sentence. **Fix:** Default to 4096 for most tasks. Adjust based on expected response length. ### Not Handling Rate Limits Claude’s rate limits are reasonable but not published clearly. You’ll hit them during batch processing. **Fix:** Implement exponential backoff: ``` import time from anthropic import RateLimitError def call_with_retry(client, **kwargs): for attempt in range(5): try: return client.messages.create(**kwargs) except RateLimitError: wait_time = 2 ** attempt time.sleep(wait_time) raise Exception("Max retries exceeded") ``` … ## What Claude Can’t Do (Honest Limitations) **No image generation.** Claude analyzes images but doesn’t create them. You’ll need DALL-E or Midjourney. **No fine-tuning.** You can’t train custom Claude models on your data. OpenAI and open-source models win here. **Limited integrations.** The ecosystem is smaller. Fewer libraries, tools, and tutorials. You’ll solve problems yourself that are documented for OpenAI.

Building production-ready applications with the Anthropic API requires careful attention to reliability, performance, and cost management. Based on recommendations from Zuplo's integration guide and Anthropic's best practices, here are the key patterns to follow. ### Rate Limiting and Retry Logic The Anthropic API enforces rate limits that vary by model and account tier. Claude 3.5 Haiku, for example, supports up to 25,000 tokens per minute (TPM), with different models having different RPM (requests per minute), TPM, and tokens-per-day allowances ( Zuplo). Implement retry logic with exponential backoff to handle rate limit errors gracefully, and use circuit breakers to prevent cascading failures. … - **Subscription wins for heavy daily use:** For developers who interact with Claude throughout the day, the Pro subscription provides much better value. One analysis found that heavy API usage equivalent to daily Pro-level interaction could cost 36x more via the API. - **Prompt caching is underused:** Community members frequently point out that many developers overlook prompt caching, which can dramatically reduce costs for repetitive workflows. Caching system prompts alone can cut input costs by 90%. - **Cost tracking is essential:** Multiple community members emphasize setting up usage monitoring from day one. Anthropic's console provides usage dashboards, but developers recommend also implementing application-level tracking to understand per-feature and per-user costs. - **Start with the API to learn:** A recurring piece of advice is that even developers who eventually switch to a subscription should start with the API to understand token-level costs, experiment with different models, and learn prompt engineering fundamentals before committing to a fixed monthly cost.

##### 6. Limitations and Considerations Despite its strengths, Claude still has limitations: - **No plug-and-play vision model** as of Q2 2025 (compared to GPT-4V). - **Model weights are not open-source**, limiting on-premise deployment. - **Fine-tuning is not developer-facing**, unlike some open models like Mistral or LLaMA 3. - **Latency** for Opus can spike under load, especially with 200K context inputs.

When working with the Anthropic API, you’ll occasionally run into HTTP errors. Some are simple, like a bad request or an expired API key. Others can be trickier-rate limits, malformed prompts, or server-side issues. This guide explains the most common Anthropic API HTTP errors, their root causes, how to fix them, and how to prevent them. You’ll also find simplified Python examples to help you build a resilient integration. ... Understanding Anthropic API Error Categories** Anthropic API errors generally fall into two buckets: **4xx Errors – Client Mistakes** These usually mean *your request had a problem*: - malformed JSON - wrong parameters - missing/invalid API key - too many requests - unauthenticated access **5xx Errors – Server or System Issues** Your request was fine, but Anthropic couldn’t process it due to an internal issue or overload. See Anthropic’s official docs for reference: https://docs.anthropic.com/en/docs/errors **2. The Most Common Anthropic HTTP Errors (Explained)** Below you’ll find a breakdown of each major error, why it happens, how to fix it, and prevention tips. ### 🔸 **400 – Bad Request** #### What it means Your request is invalid-wrong schema, unsupported parameters, malformed fields. #### Common Causes - Invalid JSON - Too many parameters - Wrong field names - Sending unsupported types (e.g., numbers instead of strings) #### How to Fix - Validate JSON - Double-check API reference - Log request bodies for debugging … ### 🔸 **401 – Unauthorized** #### What it means Your API key is missing, invalid, or expired. #### Fix - Set the correct `ANTHROPIC_API_KEY`environment variable - Rotate key if compromised #### Prevention - Avoid hardcoding keys - Use secrets manager ``` import os from anthropic import Anthropic client = Anthropic(api_key=os.getenv("ANTHROPIC_API_KEY")) ``` ### 🔸 **403 – Forbidden** You don’t have permission to perform the action. #### Causes - Using a restricted API feature - Key lacks proper scope - Billing disabled #### Fix - Check account permissions - Ensure your API plan allows the request ### 🔸 **404 – Not Found** The endpoint or resource doesn’t exist. #### Fix - Check URLs and model names carefully - Ensure you’re using a supported model name (e.g. `"claude-3-sonnet"`) … ### 🔸 **422 – Unprocessable Entity** The server understood the request but can’t process it. #### Causes - Improper prompt formatting - Invalid tool schema - File upload inconsistencies #### Python Example ``` from anthropic import Anthropic client = Anthropic() try: client.messages.create( model="claude-3-sonnet", messages=[{"role": "user", "content": "test"}], max_tokens="invalid", # <-- should be int except Exception as e: print("Fix parameter types:", e) ``` ### 🔸 **429 – Too Many Requests (Rate Limit)** Anthropic rate-limits requests based on: - TPM (tokens per minute) - RPM (requests per minute) #### Fix - Slow down - Use retry logic - Cache repeated responses … |409|Conflict|Duplicate or invalid state|Retry with new data| |422|Unprocessable|Wrong parameter types|Check schemas| |429|Rate Limit|Too many requests|Add retries/backoff| |500/502/503|Server issues|Anthropic internal|Retry & log| **4. Best Practices for Stable Anthropic API Integrations** ### ✔ Validate inputs before sending Ensure data types match Anthropic’s schema. ### ✔ Implement retry logic with backoff Especially for 429 & 5xx errors. ### ✔ Cache repeated responses Reduces both cost and rate-limit pressure. ### ✔ Log errors with request context Essential for debugging.

To be clear, since this confuses a lot of people in every thread: Anthropic will let you use their API with any coding tools you want. You just have to go through the public API and pay the same rate as everyone else. They have not "blocked" or "banned" any coding tools from using their API, even though a lot of the clickbait headlines have tried to insinuate as much. … Some of the open source tools reverse engineered the protocol (which wasn't hard) and people started using the plans with other tools. This situation went on for a while without enforcement until it got too big to ignore, and they began protecting the private endpoints explicitly. The subscription plans were never sold as a way to use the API with other programs, but I think they let it slide for a while because it was only a small number of people doing it. ... I've tried explaining the implementation word and word and it still prefers to create a whole new implementation reimplementing some parts instead of just doing what I tell it to. The only time it works is if I actually give it the code but at that point there's no reason to use it. There's nothing wrong with this approach if it actually had guarantees, but current models are an extremely bad fit for it. For actual work that I bill for, I go in with intructions to do minimal changes, and then I carefully review/edit everything. ... … What I find most frustrating is that I am not sure if it is even actual model quality that is the blocker with other models. Gemini just goes off the rails sometimes with strange bugs like writing random text continuously and burning output tokens, Grok seems to have system prompts that result in odd behaviour...no bugs just doing weird things, Gemini Flash models seem to output massive quantities of text for no reason...it is often feels like very stupid things. … I did nothing even remotely suspicious with my Anthropic subscription so I am reasonably sure this mirroring is what got me banned. ... … What Anthropic blocked is using OpenCode with the Claude "individual plans" (like the $20/month Pro or $100/month Max plan), which Anthropic intends to be used only with the Claude Code client. OpenCode had implemented some basic client spoofing so that this was working, but Anthropic updated to a more sophisticated client fingerprinting scheme which blocked OpenCode from using this individual plans.

## What changed in policy (late 2025) For consumer products (Claude Free, Pro, and Max, including Claude Code when used with those accounts), Anthropic introduced a **model-improvement setting** that controls whether chats and coding sessions can be used to improve Claude. If you enable that setting, Anthropic may retain your data (de-identified) **for up to 5 years** in training pipelines. Otherwise, deleted conversations are removed from backend systems within **30 days**. This applies to **new or resumed chats** after the setting is enabled; incognito chats are not used for model training. … ## What got blocked (Jan 2026 enforcement) Anthropic confirmed it tightened technical safeguards to prevent third-party tools from **spoofing the Claude Code client**. This severed access for tools that used consumer OAuth tokens outside official interfaces (e.g., OpenCode and similar “harnesses”). Anthropic also acknowledged some **false positives** that led to account bans, which it said were being reversed. ### The economic tension: Subscription arbitrage The enforcement action targets a fundamental economic mismatch. Anthropic’s $200/month Max subscription provides unlimited tokens through Claude Code, while the same usage via API would cost **$1,000+ per month** for heavy users. Third-party harnesses like OpenCode removed Claude Code’s artificial speed limits, enabling autonomous agents to execute high-intensity loops—coding, testing, and fixing errors overnight—that would be cost-prohibitive on metered plans. As one developer noted: “In a month of Claude Code, it’s easy to use so many LLM tokens that it would have cost you more than $1,000 if you’d paid via the API.” By blocking these harnesses, Anthropic forces high-volume automation toward metered API pricing or their controlled Claude Code environment. ### Precedent: This continues a pattern January 2026’s enforcement wasn’t isolated. Anthropic had previously blocked competitors from accessing Claude through similar technical and contractual means: **August 2025:**Anthropic revoked OpenAI’s access to the Claude API for benchmarking and safety testing—practices Anthropic flagged as competitive restrictions under their Terms of Service **June 2025:**Windsurf faced a sudden blackout when Anthropic “cut off nearly all of our first-party capacity” for Claude 3.x models with less than a week’s notice, forcing Windsurf to pivot to a “Bring-Your-Own-Key” model

## ❌ Cons ### No Real-Time Information Access Claude's knowledge cutoff means it cannot access current events, live data, or real-time information without external integrations. This limitation significantly impacts use cases requiring current market data, news analysis, or up-to-date research. Businesses need additional tools or APIs to supplement Claude with current information. ### Conservative Content Policies Anthropic's safety-first approach results in overly cautious responses for creative writing, marketing content, or edgy humor. Users report 23% more declined requests compared to GPT-4 for legitimate creative tasks. This conservative stance can frustrate marketing teams and creative professionals working on boundary-pushing campaigns. ### Limited Multimodal Capabilities While Claude 3.5 Sonnet includes vision, it lacks audio processing, video analysis, and advanced image generation capabilities. Businesses requiring comprehensive multimodal AI need additional tools, increasing complexity and costs compared to more versatile platforms. ### Slower Response Times for Complex Queries Claude 3.5 Sonnet averages 3-5 seconds for complex responses versus GPT-4's 2-3 seconds. For real-time chat applications or high-frequency API calls, this latency difference becomes noticeable and can impact user experience in customer service scenarios.

## Current Limitations Computer Use is in public beta and has notable limitations. Understanding these constraints helps set realistic expectations and plan appropriate use cases. Performance Challenges - **Slow Execution:** Significantly slower than human operation due to screenshot analysis and planning overhead - **Action Errors:** Mistakes are common, requiring error recovery and retries - **UI Navigation Issues:** Complex interfaces with many elements can confuse the model Difficult Actions Anthropic notes that some actions people perform effortlessly present challenges for Claude: - **Scrolling:** Both page scrolling and precise scrollbar manipulation - **Dragging:** Click-and-drag operations, especially over long distances - **Zooming:** Adjusting zoom levels or map navigation **Workaround:** Use keyboard alternatives when available (Page Down, Arrow keys, keyboard shortcuts). … When NOT to Use Computer Use Computer Use is not optimal for: - Tasks with available APIs (use API integration instead) - Real-time or time-sensitive operations - Production environments without supervision - Tasks requiring high precision or zero error tolerance - Systems with sensitive data or credentials Future Improvements Anthropic expects Computer Use capabilities to improve rapidly over time: