MAXIMIZE Your Claude Code Subscription (Without Getting Banned)
Why this is in the vault
Filed because the founder runs Ray (this agent) on Pro/Max OAuth tokens across two boxes (Mac mini always-on + workstation) and the “one human, one subscription, one beneficiary” rule is a directly load-bearing operational constraint — if Anthropic’s overactive abuse classifier kicks in, the always-on COO loop dies. Three reasons this entry matters: (1) it crystallizes a one-line decision rule that the founder can test his current setup against without wading through fragmented Twitter threads; (2) it documents the OpenClaw saga (Feb-April 2026 flip-flopping between Tar/Cherny/Steinberg/Laura) which is the canonical evidence base when judging future Anthropic-policy ambiguity; (3) it surfaces the right answer for any third-party harness or shared-team deployment — switch to API key, don’t guess. Pairs with the harness-thesis cluster as the operational ground-truth doc.
Episode summary
Dan walks through Anthropic’s (still very fuzzy) April 2026 stance on what you can and cannot do with a Pro/Max OAuth token versus an API key. He proposes a one-line decision rule — “one human, one subscription, one beneficiary” — and bins use cases into three tiers (safe / controversial / bannable). The bulk of the back half is him airing frustration that Anthropic staff have been flip-flopping in tweets while the official usage policy lags behind, and ends with a practical demo of how to wire a Python runner to bill against the OAuth token instead of accidentally falling back to ANTHROPIC_API_KEY.
Key arguments / segments (timestamped)
- [00:00–01:30] Framing: subscription vs API key is the question of the year. Getting banned is a career-trajectory event in the Age of Agents. Three tiers incoming.
- [01:30–03:00] The one rule: “Your Pro or Max subscription is for your individual use.” Test sentence: am I the only human whose work these agents are running? If yes, OAuth is fine; if no, switch to an API key.
- [03:00–04:30] Safe tier: personal scripts on your laptop, cron jobs, agentic workflows, Agent SDK doing your own research, CI on your own repo, Claude Code on your work laptop for code you author. “One human, one subscription, one beneficiary.”
- [04:30–07:00] Controversial tier: agency/contractor work on your personal token, Slack bots producing reports for multiple humans, open-source CLIs that ship your token, internal team tools running on one dev’s Pro/Max, third-party agent harnesses (OpenClaw-style). His advice: just switch to the API key — don’t guess.
- [07:00–11:00] The OpenClaw / harness saga: Feb 18 Tar (Anthropic) said local dev with Agent SDK fine, businesses use API key. April 3 Boris Cherny (Claude Code creator) said all third-party harness use blocked. April 6 Peter Steinberg (OpenClaw author) reports first-party blocking too; Laura calls it an overactive abuse classifier. April 10 Peter is banned then reinstated. OpenCloud docs eventually say OpenClaw-style CLI usage is allowed but for long-lived gateway hosts, API keys are still cleanest. Dan’s takeaway: the canonical source is the usage policy doc, not Twitter — and he’s not using OAuth for any third-party tools right now.
- [11:00–13:30] Personal stance: Dan currently uses the PI coding agent (his preferred harness) but pays for it via API key, not OAuth. Plays conservative because losing access to Anthropic models is too expensive.
- [13:30–15:00] Bannable tier: shipping a product that runs on your Pro/Max OAuth, multi-tenant SaaS logging into Claude on users’ behalf, sharing one subscription across a team without team/enterprise seats, reselling Claude, extracting tokens from `~/.claude.json` or the keychain to use elsewhere. Detection is easy: token volume + prompt classification + harness fingerprints.
- [15:00–19:30] OAuth setup demo: companion repo `disler/max-your-cc-sub`. Run `claude setup-token` to get an OAuth token. Set `CLAUDE_CODE_OAUTH_TOKEN`. The gotcha: you must `unset ANTHROPIC_API_KEY` (or pop it from the env dict in subprocess) before invoking the CLI/SDK, otherwise the API key silently overrides the OAuth token and you end up billing API spend instead. Verify by inspecting the JSON event stream — `api_key_source` is `none` and you’ll see `five_hour` rate-limit-type events when you’re correctly on OAuth.
- [19:30–23:30] Closing rant + meta: Anthropic is compute-constrained and (rationally) prioritizing high-revenue users. But the communication is “intentionally confusing or just unclear.” Cites the news that Anthropic is A/B-testing blocking Claude Code usage on the Pro subscription; Sam Altman commented “okay boomer” on the post; Simon Willison: “this doesn’t clarify anything, please don’t play games like that with AB tests.” Dan closes: stay safe, OAuth for solo work only, API key everywhere else.
Notable claims (timestamped)
- [01:35] The golden rule, near-verbatim: one human, one subscription, one beneficiary. (≤15 words)
- [02:15] Quoted policy text he reads aloud: developers building products or services that interact with Claude’s capabilities, including the SDK, should use API authentication.
- [03:30] Cron files, pipelines, and agentic workflows running on your own laptop are explicitly green — you are the only user there.
- [03:50] CI running your own repo with the OAuth token set is fine “as long as you’re the only one on this repo.”
- [05:25] Open-source CLIs are “only safe if everyone brings their own token” — embedding your OAuth token in a shipped tool is controversial.
- [06:25] Third-party agent harnesses (OpenClaw-style) are the most contested category and the Anthropic position has been “flipping back and forth.”
- [13:50] Bannable list (verbatim items): shipping a product on your Pro/Max OAuth, multi-tenant SaaS logging in on users’ behalf, sharing a subscription across a team without team/enterprise seats, reselling Claude, extracting tokens from `~/.claude.json` or the keychain.
- [14:15] Detection vector named: token volume + prompt classification + “running in a third-party agent harness with a bunch of random requests that a single individual user could not do.”
- [15:30] For controversial-tier questions, Anthropic’s published guidance is to contact sales directly for “permitted authentication use.”
- [18:30] Setup gotcha: if `ANTHROPIC_API_KEY` is set in the environment, it overrides `CLAUDE_CODE_OAUTH_TOKEN`. Must `unset` or `.pop()` it before subprocess invocation.
- [18:50] Verification: in the JSON event stream, `api_key_source: none` + a `five_hour` rate-limit-type event confirms OAuth, not API.
- [19:15] OAuth env var name: `CLAUDE_CODE_OAUTH_TOKEN` (set after running `claude setup-token`).
- [20:50] News-of-the-day: Anthropic is A/B-testing preventing Claude Code usage on the Pro subscription tier.
- No specific quota numbers are quoted (no “X messages per 5 hours”) — Dan only references the existence of the `five_hour` rate-limit window.
Mapping against Ray Data Co
RDCO is exactly the kind of heavy CC user this video is aimed at — the always-on Mac Mini agent runs a tight cron + dynamic-loop pattern under the founder’s Max subscription. The good news: everything we currently do sits squarely in the “safe” tier under Dan’s framing.
What maps cleanly to RDCO and is safe:
- Cron jobs (~/rdco-vault/01-active/agents/CRON-CATALOG) firing skills like `/morning-prep`, `/curiosity`, `/finance-pulse`, `/graph-reingest` — the founder is the sole beneficiary. Green.
- Dynamic-loop / autonomous-loop scheduling (the `<<autonomous-loop-dynamic>>` pattern) — same logic, sole beneficiary.
- Skills that ingest into the founder’s vault (`/process-newsletter`, `/process-youtube` ← this very pipeline, `/deep-research`) — output is for him, no third-party recipients.
- Channel-relay skills (Discord/iMessage replies) — Claude Code is Ray-the-COO replying to Ray-the-founder. Single beneficiary even though there’s a second human in the loop, because that human is the subscriber.
Operational tips worth applying immediately:
- Audit our actual auth path. If we’re shelling out to `claude` from cron and `ANTHROPIC_API_KEY` is exported anywhere in the launchctl/tmux env, we may have been silently burning API spend instead of using the Max subscription. Worth a one-time inspection: dump the launchd env, check `~/.claude/settings.json`, and run `claude -p "ping"` once with `--output-format stream-json` to confirm `api_key_source` is `none` and we’re on the `five_hour` rate-limit type.
- Codify the unset-before-subprocess pattern. Any RDCO script that subprocesses out to `claude` should `env.pop("ANTHROPIC_API_KEY", None)` before exec. Worth adding as a one-liner check to ~/.claude/scripts/ wrappers.
- Test sentence in CLAUDE.md. Dan’s “am I the only human whose work these agents are running?” is a tighter version of the rule than what we’ve encoded. Worth a sentence in CLAUDE or SOUL so future skill authors apply the test before wiring up anything that touches an external recipient.
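The setup gotcha from the video and the auth-path audit above, combined into one wrapper. This is an added example, not code from the companion repo or from RDCO's scripts. The field name `api_key_source` and the value `five_hour` come from the notes; the event layouts in the samples are constructed, and `--verbose` is added because print-mode `stream-json` output requires it.

```python
import json
import os
import subprocess

# Constructed sample streams; real event layouts may differ from these.
SAMPLE_OAUTH = ['{"type": "system", "api_key_source": "none"}',
                '{"type": "rate_limit", "info": {"rate_limit_type": "five_hour"}}']
SAMPLE_API = ['{"type": "system", "api_key_source": "ANTHROPIC_API_KEY"}']

def oauth_env(base=None):
    """Copy the environment and drop ANTHROPIC_API_KEY so it cannot override OAuth."""
    env = dict(os.environ if base is None else base)
    env.pop("ANTHROPIC_API_KEY", None)
    if not env.get("CLAUDE_CODE_OAUTH_TOKEN"):
        raise RuntimeError("CLAUDE_CODE_OAUTH_TOKEN unset; run `claude setup-token`")
    return env


def _walk(node):  # yield every (key, value) pair in a nested JSON value
    if isinstance(node, dict):
        for key, value in node.items():
            yield key, value
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def auth_path(lines):
    """Return 'oauth', 'api_key' or 'unknown' for a stream-json transcript."""
    sources, five_hour = set(), False
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank lines and non-JSON noise
        for key, value in _walk(event):
            if key == "api_key_source":
                sources.add(str(value).lower())
            elif value == "five_hour":
                five_hour = True
    if sources - {"none"}:
        return "api_key"  # any non-"none" source means a key was picked up
    return "oauth" if sources and five_hour else "unknown"


if __name__ == "__main__":
    cmd = ["claude", "-p", "ping", "--output-format", "stream-json", "--verbose"]
    out = subprocess.run(cmd, env=oauth_env(), capture_output=True, text=True)
    print(auth_path(out.stdout.splitlines()))
```

A result of `unknown` means the stream carried no usable evidence either way, so treat it as a failed check rather than as confirmation of OAuth billing.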
Where we’d cross into controversial — flagged so we don’t drift:
- If we ever expose a Claude-backed endpoint on `raydata.co` (e.g., a chat widget on the Sanity Check landing page, an “ask the agent” interface for newsletter subscribers, an agent that processes inbound contact-form messages) — that’s a product, not personal use. Use API key + Vercel AI Gateway, not the Max OAuth.
- The newsletter pipeline currently only reads for the founder — but if we ever build “auto-reply to subscriber emails,” that crosses the line.
- Squarely or MAC product surfaces that route end-user requests to Claude — API key only.
- Any Slack bot for Ray’s external collaborators — API key.
Bannable tactics in the video that we should NOT pick up — flagging per the request:
- “You can air-quotes get away with it given your token usage is low” (re: internal team tools on one dev’s Pro/Max). Dan disclaims this immediately, but the framing exists in the video. Don’t apply. RDCO token volume from the autonomous loop is high enough that the abuse-classifier signal would not be quiet.
- Token extraction from `~/.claude.json` or keychain. Dan lists this as instant-ban. We have wrapper scripts under `~/.claude/scripts/` — none of them should ever read OAuth tokens out of those locations and re-inject them into other tools. Worth a quick grep to confirm zero `.claude.json` reads in our scripts dir.
- Wiring our OAuth into a third-party harness (OpenClaw, OpenCode, the PI coding agent). Per the video, this is the contested grey-to-bannable zone where the abuse classifier has been seen flagging legitimate users. We use stock Claude Code, so we’re clear — but if a future skill suggests “let’s run this loop in OpenClaw to save tokens,” refuse.
- Any pattern where a non-founder human’s request gets routed through the Max subscription. The autonomous loop and cron pattern is fine because Ray is always the beneficiary; if a contractor or collaborator ever needs Claude assistance, they bring their own subscription or we proxy via API key.
Mapping strength: medium. It’s directly operationally relevant to RDCO (we are the heavy-user persona) but no surprises — we’re already in the safe lane. The genuine value is the auth-path audit (item 1 above) and the explicit “don’t drift into product surfaces on OAuth” guardrail.
Related
- 2026-04-20-indy-dev-dan-mac-mini-agents-openclaw-nightmare-skills-instead — Dan’s prior take that Mac Mini + OpenClaw is the wrong stack; this video is the legal/auth follow-on
- 2026-04-20-indydevdan-pi-agent-teams-harness-engineering — his preferred harness (PI coding agent), which he’s now running on API key not OAuth per this video
- 2026-04-20-indydevdan-agent-threads-boris-cherny — Boris Cherny is one of the Anthropic voices Dan cites in the OpenClaw policy timeline
- 2026-04-21-indydevdan-one-agent-is-not-enough — multi-agent orchestration context that makes the OAuth-vs-API question urgent
- 2026-04-19-indydevdan-top-2-percent-plan-2026 — Dan’s broader 2026 thesis on agentic engineering economics
- 2026-04-12-alphasignal-claude-code-leak-harness-engineering — adjacent harness-engineering context
- 2026-04-11-garry-tan-thin-harness-fat-skills — the thin-harness-fat-skills posture that keeps us inside Anthropic’s stock CC and out of the controversial third-party-harness zone
- CRON-CATALOG — RDCO’s actual cron inventory, the surface most affected by this video’s safe-tier rules
- CLAUDE / SOUL — candidate for adding Dan’s “am I the only human whose work these agents are running?” test sentence