# P2 Auth Diff Investigation — Why /v1/code/triggers works but agents/vaults/memory_stores 401 **Date**: 2026-04-30 **Source**: Reverse-engineering `C:\Users\12180\.local\bin\claude.exe` v2.1.123 (253MB Bun-compiled binary) **Investigator**: claude-code-bast-autofix-pr fork ## Endpoint reality matrix in official binary | Endpoint | Has actual code? | URL builder | Method | beta header | Extra X- headers | Auth scheme | |---|---|---|---|---|---|---| | `/v1/code/triggers` | **YES** | `${BASE_API_URL}/v1/code/triggers` (template literal) | GET/POST | `ccr-triggers-2026-01-30` (`OS9`) | `x-organization-uuid` | `Authorization: Bearer ` | | `/v1/agents` | **NO** | only in `managed-agents-onboarding.md` documentation strings | — | — | — | — | | `/v1/vaults` | **NO** | only in API reference markdown tables | — | — | — | — | | `/v1/memory_stores` | **NO** | only in API reference markdown tables | — | — | — | — | | `/v1/skills` | yes (different path) | `this._client.post("/v1/skills?beta=true", …)` via Anthropic SDK | GET/POST | `skills-2025-10-02` | none beyond SDK defaults | SDK auth (workspace API key) — **NOT subscription** | ## Decisive evidence ### 1. Only triggers + skills + sessions + ultrareview/preflight + mcp_servers + environment_providers are actually called ```text $ grep "BASE_API_URL.{0,3}/v1/" claude.exe | sort -u BASE_API_URL}/v1/code/github/import-token BASE_API_URL}/v1/code/sessions BASE_API_URL}/v1/code/triggers BASE_API_URL}/v1/environment_providers BASE_API_URL}/v1/environment_providers/cloud/create BASE_API_URL}/v1/mcp_servers BASE_API_URL}/v1/session_ingress/session/ BASE_API_URL}/v1/sessions BASE_API_URL}/v1/ultrareview/preflight ``` `agents`, `vaults`, `memory_stores` are **completely absent** from any call site. They only appear as text in documentation pages (`managed-agents-api-reference`, `managed-agents-overview`). ### 2. Triggers actual request build (decompiled) ```js let _ = `${f$().BASE_API_URL}/v1/code/triggers`, A = { Authorization: `Bearer ${$}`, "Content-Type": "application/json", "anthropic-version": "2023-06-01", "anthropic-beta": OS9, // = "ccr-triggers-2026-01-30" "x-organization-uuid": K }; ``` Beta is `ccr-triggers-2026-01-30`, **not** `managed-agents-2026-04-01`. ### 3. Skills uses Anthropic SDK client (different auth surface) ```js this._client.post("/v1/skills?beta=true", qNH({…, headers:[{"anthropic-beta":[...$??[], "skills-2025-10-02"]…}] ``` Mandatory `?beta=true` query. Auth comes from SDK `_client` (workspace API key path), not subscription OAuth bearer. ### 4. Beta inventory (full sweep) 35 dated beta tokens exist; relevant ones: `ccr-triggers-2026-01-30`, `skills-2025-10-02`, `managed-agents-2026-04-01` (only used in docs prose), `oidc-federation-2026-04-01`, `environments-2025-11-01`. **No** `vaults-*`, `memory-stores-*`, or `agents-2026-*` beta token exists. ## Root cause of fork 401s `/v1/agents`, `/v1/vaults`, `/v1/memory_stores` are **not consumer endpoints** of the subscription bearer-token path. Anthropic's official CLI never calls them; they live behind the workspace/team API plane (workspace API key + different auth & scope). 401 with subscription bearer is the **expected** server response — no header tweak makes it 200. `/v1/skills` is callable but only via the SDK `_client` (workspace API key), and requires `?beta=true` query — fork's subscription-bearer + missing `?beta=true` is double-broken. ## Fix recommendations | Fork API client | Action | |---|---| | `triggersApi.ts` | Already correct. Switch beta from `managed-agents-2026-04-01` → `ccr-triggers-2026-01-30`. | | `agentsApi.ts` | **Drop** the command. `/v1/agents` is workspace-API-key-only; subscription bearer is wrong auth plane. Mark `/agents-platform` as workspace-only or remove. | | `vaultsApi.ts` | **Drop**. Same reason. Recommend local file-based credential store instead. | | `memoryStoresApi.ts` | **Drop**. Same reason. Local memory files (`~/.claude/memory/`) already cover the use case. | | `skillsApi.ts` | Keep, but: (1) require `ANTHROPIC_API_KEY` (workspace key), not subscription bearer; (2) append `?beta=true` to every URL; (3) use `anthropic-beta: skills-2025-10-02`. | ## Conclusion This is **not a header-config bug** in fork's `buildHeaders`. Three of the four endpoints (`agents`, `vaults`, `memory_stores`) are not reachable at all from a subscription OAuth token — Anthropic's official binary never calls them. The fork should: 1. Fix triggers beta header value (`ccr-triggers-2026-01-30`). 2. Disable or repurpose agents/vaults/memory_stores commands — they require workspace API keys, not subscription tokens. 3. For skills, switch to workspace API key auth + `?beta=true` query + `skills-2025-10-02` beta.