Anthropic locks third-party harnesses out of Claude Code subscriptions
Contents
Anthropic changed its Claude Code subscription policy, excluding usage through third-party harnesses — tools that call the Claude API from outside the official client — such as OpenClaw. The change took effect immediately on April 4, 2026 at noon Pacific Time. Going forward, third-party usage requires separate pay-as-you-go API billing.
The change, reported by TechCrunch, first surfaced through a customer email from Anthropic shared on Hacker News. The email stated that “subscription limits can no longer be used with third-party harnesses including OpenClaw,” directing users to “a pay-as-you-go option billed separately from the subscription.”
What Changed
Previously, Claude Code subscribers could consume their subscription API quota through third-party tools like OpenClaw. Even on the $200/month Claude Max plan, heavy OpenClaw users were burning through $1,000–$5,000 worth of API calls per day — an obvious money-loser for Anthropic.
After the change, there are two options.
| Option | Description |
|---|---|
| Extra usage bundle | Purchase additional usage outside the subscription |
| Direct API key | Pay full Claude API rates on a per-token basis |
Per-million-token rates for direct API usage are as follows.
| Model | Input | Output |
|---|---|---|
| Sonnet 4.6 | $3 | $15 |
| Opus 4.6 | $15 | $75 |
OpenClaw is the first target, but Anthropic explicitly stated this “applies to all third-party harnesses and will roll out progressively.” The intent is clear: subscription usage through anything other than the official Claude Code client moves to pay-as-you-go.
Different from the OpenCode Takedown in March
This is not the first time Anthropic has restricted third-party access. In March, they sent a legal demand to the OSS coding agent “OpenCode” to remove its OAuth integration. However, the OpenClaw case is fundamentally different from the OpenCode case.
OpenCode’s case involved using claude.ai’s OAuth flow from an unofficial client. A third-party app was capturing the user’s login authentication tokens and hitting the API with them. This is the kind of thing that violates TOS on any service — an app hijacking GitHub OAuth tokens, a tool piggybacking on Google login sessions. Service providers are fully within their rights to stop it, and there is almost nothing to debate.
The OpenClaw case, by contrast, is not about authentication method. OpenClaw calls the Claude Code API through legitimate means. There is no login-token abuse. What Anthropic objects to is the pattern and volume of usage — the claim that it exceeds what the subscription was designed for.
flowchart TD
A["OpenCode (March)"] --> B["Used claude.ai OAuth tokens<br/>from an unofficial client"]
B --> C["Authentication method itself<br/>violates TOS — clear-cut"]
D["OpenClaw (April)"] --> E["Legitimate API calls<br/>No auth issues"]
E --> F["Usage pattern and volume<br/>exceed subscription design"]
F --> G["What counts as 'exceeding'?<br/>No published criteria"]If it is about login tokens, the line is clear. But once the argument shifts to “your usage pattern is not what we intended,” the natural follow-up is: what pattern, exactly, crosses the line?
The Black Box of “Excessive Usage”
Boris Cherny, who leads Claude Code, explained on X that “the subscription was not designed to account for the usage patterns of these third-party tools.” He added that “members of the Claude Code team are huge fans of open source” and that he had personally “submitted several PRs to improve OpenClaw’s prompt cache efficiency,” framing the decision as purely an “engineering constraint.” Anthropic also acknowledged that some subscribers did not realize they were using OpenClaw, and is providing clarification and refunds.
The reasoning is understandable. Absorbing third-party usage patterns within a flat subscription fee was presumably unsustainable. But the explanation leaves the key question unanswered.
What are the “usage patterns it was not designed for,” specifically? Anthropic has never published any criteria. Burning $5,000/day on a $200/month plan is obviously anomalous — but what about $500/day? $100/day? Is the problem automated retry storms? Pure volume? Prompt structures that differ from the official client and waste cache?
There are several ways third-party tools can cause inefficiency.
| Factor | Details |
|---|---|
| Prompt cache misalignment | The official client goes through Anthropic’s optimized cache pipeline. Third-party tools use their own prompt structures, lowering cache hit rates and potentially multiplying token consumption for the same task |
| Context management | The official client compresses context and prunes unnecessary information. Without this, every request sends full context |
| Request patterns | Batch processing, parallel requests, retry frequency — call patterns the official client does not produce |
| Tool definition overhead | Custom tool definitions and system prompts from third-party tools add tokens per request |
The fact that Cherny had been submitting PRs to improve OpenClaw’s prompt cache efficiency shows that the team was trying to mitigate this technically. But individual optimizations could not keep up.
The problem is that outsiders cannot tell which of these factors matters and to what degree. It is understandable that some usage patterns consume more resources than a flat-rate subscription can cover. But cutting off all third-party harnesses without publishing any threshold or criteria is effectively declaring that “everything besides the official client is inefficient.” For third-party developers, that leaves no path to compliance — they cannot optimize what they cannot measure.
OpenAI Opens Up While Anthropic Closes Down
Competitors moving in the opposite direction at the same time makes for a striking contrast.
OpenAI hired OpenClaw founder Peter Steinberger in February, and OpenClaw continues operating as OSS with OpenAI’s backing. Codex CLI is open source and explicitly welcomes third-party usage. In March, OpenAI acquired the Python toolchain company Astral and folded it into the Codex team, expanding the ecosystem.
GitHub Copilot has also launched CLI and Fleet parallel agents, broadening its platform. Cursor 3 pivoted to an agent-first IDE.
Meanwhile, Anthropic legally removed OAuth integration from OpenCode in March and locked OpenClaw out of subscriptions in April. Two third-party access restrictions in two months.
To be clear, OpenAI’s openness is not purely altruistic. Codex, as the latecomer, needs to absorb the existing ecosystem to take share from Claude Code. Openness is strategy. Anthropic’s closure is also a business decision — protecting the sustainability of its subscription model.
But from the user’s perspective, the asymmetry is real. One side welcomes third-party tools; the other excludes them. The larger the team or project, the harder it becomes to ignore vendor lock-in risk.
Steinberger Pushes Back, and the State of the Ecosystem
What makes the timing notable is that OpenClaw founder Steinberger had just joined Anthropic’s rival, OpenAI. Sam Altman announced Steinberger’s hire in February.
Steinberger revealed that he and OpenClaw board member Dave Morin “tried to work things out with Anthropic” but only managed to delay the price increase by one week. He posted: “The timing is interesting. First copy the popular features into your own closed harness, then lock out the open source.”
OpenClaw has grown into an AI agent framework with over 50 integrations including WhatsApp, Slack, and Gmail, distributing skills (extensions) through a marketplace called SkillHub. But rapid growth has brought security problems. 7.1% of SkillHub offerings were found to contain vulnerabilities, an SSH sandbox symlink escape (CVSS 8.8) was reported, and malicious SKILL.md files distributing macOS malware were confirmed — raising questions about the ecosystem’s trustworthiness.
Refunds aside, OpenClaw users face a steep cost increase. Moving to full API rates means Sonnet 4.6 alone costs $3 input / $15 output per million tokens. Heavy users could see hundreds to thousands of dollars in additional monthly costs.
What stands out here is that Anthropic closed the door on all third-party harnesses without ever defining what “exceeding the subscription design” means. If this were about login-token abuse, the rationale would be self-evident. But for legitimate API usage patterns, they could have published the criteria and given third-party developers a chance to optimize. “Engineering constraints” is too vague a justification for a change with this much impact.