API Keys vs OAuth — Inference-Only vs Identity+Session Layer
An API key and an OAuth token are not interchangeable credentials. They operate at different layers of a system: one authorises a request, the other establishes an identity.
Core Idea
An API key is inference-only: it proves that a request is billable to a specific account, and nothing more. An OAuth token (from a proper auth login flow) establishes a full identity and session: it ties a request to a specific human user with a subscription, a registered device, and a persistent session on the provider’s servers.
Features that depend on the identity layer — session registration, device routing, push notifications, subscription verification — cannot be unlocked with an API key because those features are architecturally downstream of the identity layer, not the billing layer.
Key Points
- API key → proves “this request is billable to account X”; grants model access only
- OAuth → proves “this is human user Y with a subscription, a phone, and a registered session”; grants identity-dependent features
- The two are architecturally distinct: API keys work at the inference layer, OAuth works at the session/identity layer
- Pointing an API key at a local proxy (LiteLLM, DeepSeek) keeps the key in the inference layer; it does not “upgrade” to identity-level access even if the underlying Anthropic key is valid
- To use identity-dependent features (e.g. Claude Code Remote Control, Channels, push notifications) alongside a local proxy: authenticate via OAuth for session registration, and accept that identity-layer traffic routes through the provider’s real servers
Practical Corollary for Claude Code
| Capability | API key (incl. proxy) | claude.ai OAuth |
|---|---|---|
| Call the model | ✅ | ✅ |
| Register a Remote Control session | ❌ | ✅ |
| Route messages between devices | ❌ | ✅ |
| Push notifications | ❌ | ✅ |
| Subscription/identity verification | ❌ | ✅ |
Week of 2026-W22
Surfaced while clarifying why Claude Code Remote Control doesn’t work with a local LiteLLM/DeepSeek proxy even when the API key is valid. The confusion arose from treating the API key as a general-purpose credential; the real constraint is that session registration is an identity-layer operation that must go through claude.ai, not the inference endpoint.
Source
Journal dates: 2026-05-26 Reference note: claude-code-remote-control (Updates — 2026-05-26)