Bypassing Anthropic's Server-Side Block on Third-Party Clients: Technical Breakdown
Anthropic has rolled out server-side checks on API request sources. Requests from official Claude Code and Cowork clients are covered by Pro subscriptions. Third-party tools like OpenClaw get routed to Extra Usage mode with per-token API billing, jacking up costs significantly. Simple HTTP requests with spoofed headers don't cut it—the server digs into the request body.
Goal: Make requests indistinguishable from official clients while keeping OpenClaw's 17-tool functionality intact.
Request Structure Analysis
Anthropic API requests are JSON payloads with system prompts, message history, metadata, and a tools list. Testing revealed:
- System prompts and history pass muster.
- Adding tools triggers detection.
Breaking down tools by group pinpointed the culprits:
- read, edit, write — pass.
- exec, process — pass.
- sessions_list, sessions_history, sessions_send — pass.
- web_search, web_fetch — pass.
- image, memory_search, memory_get — pass.
- subagents — blocked.
- session_status — blocked.
Anthropic's server scans for tool names absent from Claude Code. Just two of the 17 tools are enough to trigger Extra Usage.
Proxy Chain Architecture
Solution: A two-tier proxy setup between OpenClaw and api.anthropic.com.
- CLIProxyAPI (Go, 23k GitHub stars): Mimics Claude Code headers (user-agent, billing header, client_id). OAuth auth—proxy generates a URL, you log in via browser, and refresh_token is stored locally.
- Replace-proxy (Node.js, 133 lines, no dependencies): Intercepts JSON in both directions.
- Outbound: subagents → sub_dispatch, session_status → check_status, OpenClaw → Assistant.
- Inbound: Reverse swaps line-by-line for streaming.
Chain: OpenClaw (port 8318) → replace-proxy → CLIProxyAPI (8317) → api.anthropic.com.
Replace-proxy runs as a systemd service with auto-restart.
Setting Up Replace-Proxy
The proxy code is lean: HTTP server parses bodies, applies regex swaps, and buffers streaming events.
// Sample snippet: Handling outbound requests
const replaceMap = {
'subagents': 'sub_dispatch',
'session_status': 'check_status',
'OpenClaw': 'Assistant'
};
// JSON.parse(body).tools.forEach(tool => {
// if (replaceMap[tool.name]) tool.name = replaceMap[tool.name];
// });
// Similar for responses
Server listens on localhost:8318, forwards to CLIProxyAPI:8317.
Configuring OpenClaw
Add a provider in openclaw.json:
{
"models": {
"providers": {
"custom-proxy": {
"baseUrl": "http://localhost:8318",
"apiKey": "<api-key-from-CLIProxyAPI>",
"api": "anthropic-messages",
"models": [
{"id": "claude-opus-4-6", "contextWindow": 1000000, "maxTokens": 16384},
{"id": "claude-sonnet-4-6", "contextWindow": 200000, "maxTokens": 16384}
]
}
}
}
}
Set as default:
openclaw config set "agents.defaults.model.primary" "custom-proxy/claude-opus-4-6"
Restart OpenClaw. Model switching works in-chat.
Key Takeaways
- Tool-Based Detection: Anthropic inspects tool names in the JSON body. OpenClaw uniques (subagents, session_status) trigger Extra Usage.
- Two-Tier Proxy: CLIProxyAPI hides headers, replace-proxy scrubs content.
- OAuth Auth: CLIProxyAPI auto-refreshes tokens; re-auth on refresh_token expiry.
- Streaming Support: Replace-proxy buffers events for real-time swaps.
- Risks: Bypasses Anthropic ToS. Account bans possible; detection could evolve (prompt patterns, structure).
Limitations and Monitoring
- Not for production: Personal use at your own risk.
- Monitoring: Check proxy logs for swap errors or new detections.
- Scaling: Systemd keeps it stable, but Anthropic updates may need replace-map tweaks.
Testing confirmed it works on Opus 4.6 and Sonnet 4.6 without Extra Usage.
— Editorial Team
No comments yet.