When your company gives you Claude Code but not actual Claude access, you've got a CLI tool and nowhere to log in. That's the situation developer Shatil Khan found himself in—until he discovered that Claude Code carries its own authentication layer, hidden in plain sight inside ~/.claude/.credentials.json.

The Problem: No API Key, No Problem

Khan's company provided Claude Code through dev environments but blocked console.anthropic.com access. No web OAuth. No API keys. Just an installed binary sitting there with untapped potential. Meanwhile, his boss kept nagging him about "showing proof of work" while pushing code nobody could see.

The Symlink Hack

Here's the trick: when you run Claude Code's CLI normally, it performs OAuth through a browser and stores refresh tokens locally. Those tokens auto-refresh forever—no manual renewal required. Once authenticated this way, you can pipe prompts headlessly using claude -p --output-format=text without any environment variables or API keys. Khan explains: "We basically hijacked the Claude Code CLI's authentication mechanism and piped it into our OpenClaw workflow. The CLI becomes our 'API layer' without us ever touching an API key."

Making It Persistent

A headless agent needs to survive restarts. Khan wrapped his setup as a systemd user service with one critical fix: explicitly setting PATH in the unit file. "Your interactive shell has claude in PATH," he notes. "systemd doesn't. Explicitly set Environment=PATH=... or the spawn fails silently."

Meet the Clawfficer

The result is a Discord bot that acts as an AI product manager. The Clawfficer pulls activity from all eight repos across every branch—deduping by commit SHA—and pipes it into Claude for natural language summaries. Posts go to #roadmap at 9 AM daily and 10 AM Sundays. "Medihelp saw 12 commits across 3 branches this week, mostly schema migrations by Mahim. The eyecraft landing page got its first PR review." That's the prose format—not bullet points, not JSON blobs.

Key Takeaways

  • Branch coverage matters: GitHub's /commits endpoint defaults to default branch only. Iterate all branches and dedupe by SHA.
  • OAuth tokens are fragile: if ~/.claude/.credentials.json corrupts, claude -p exits with code 1. Run interactively once to re-auth.
  • Systemd PATH ≠ shell PATH: always explicitly declare Environment=PATH in your unit file.

The Bottom Line

Claude Code isn't just an interactive coding assistant—it's a headless LLM engine already authenticated and ready to abuse for internal tooling. No procurement battles, no API key management, just clever OAuth reuse. Corporate IT locks down the web console but leaves the CLI wide open. Classic move.