Summary
Surfaces Anthropic's authentication policy and adds a fully-supported alternative auth path for operators whose use case doesn't fit "ordinary individual use of Claude Code by the subscriber."
CLAUDE_CODE_OAUTH_TOKEN(subscription OAuth fromclaude setup-token) remains the default for personal/internal automation.ANTHROPIC_API_KEYis now first-class for automation, products, and multi-user scenarios — fully supported by Anthropic's terms.
If your install routes requests on behalf of teammates, customers, or anyone other than yourself, switch to Option B. The README's new Authentication and cost section walks through the trade-off and the policy risk in detail.
What's new
ANTHROPIC_API_KEYaccepted bylistener/src/runner.tswith precedence overCLAUDE_CODE_OAUTH_TOKENwhen both are setsetupskill now branches on the auth choice with the policy disclosure inline- New
Authentication and costsection in README + matching section on the website scripts/doctor.sh,listener/src/watcher-checks.ts, doctor + setup-watcher skills all gate token-age behavior on Option A (API keys don't expire on a fixed schedule).env.example,docker/entrypoint.mjs,CLAUDE.md,ARCHITECTURE.mdall updated to document both modes
No breaking changes
Existing installs on Option A keep working with no action required. To switch:
```bash
generate a key at console.anthropic.com → API Keys → Create Key
then in .env:
ANTHROPIC_API_KEY=sk-ant-...
CLAUDE_CODE_OAUTH_TOKEN= # clear or leave; API key wins when both set
then:
pm2 restart ginnie-agents-listener
```
See CHANGELOG.md for the full entry.