https://github.com/karpeleslab/teamclaude
Multi-account Claude proxy with automatic quota-based rotation
https://github.com/karpeleslab/teamclaude
anthropic claude claude-code load-balancer multi-account nodejs oauth proxy
Last synced: about 9 hours ago
JSON representation
Multi-account Claude proxy with automatic quota-based rotation
- Host: GitHub
- URL: https://github.com/karpeleslab/teamclaude
- Owner: KarpelesLab
- License: mit
- Created: 2026-03-24T14:49:08.000Z (3 months ago)
- Default Branch: master
- Last Pushed: 2026-06-22T02:44:23.000Z (6 days ago)
- Last Synced: 2026-06-22T04:09:49.986Z (6 days ago)
- Topics: anthropic, claude, claude-code, load-balancer, multi-account, nodejs, oauth, proxy
- Language: JavaScript
- Size: 728 KB
- Stars: 56
- Watchers: 0
- Forks: 19
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Security: SECURITY.md
Awesome Lists containing this project
README
# TeamClaude
[](https://github.com/KarpelesLab/teamclaude/actions/workflows/ci.yml)
[](https://www.npmjs.com/package/@karpeleslab/teamclaude)
[](https://nodejs.org)
[](LICENSE)
Multi-account Claude proxy with automatic quota-based rotation for [Claude Code](https://claude.ai/claude-code).
Sits transparently between Claude Code and the Anthropic API, managing multiple Claude Max (or API key) accounts and automatically switching when one approaches its session or weekly quota limit.
## Features
- **Automatic account rotation** — switches to the next account when session (5h) or weekly (7d) quota reaches the configured threshold (default 98%)
- **Auto-retry on 429** — waits the `retry-after` duration and retries the same account; switches to the next on persistent errors
- **Interactive TUI** — real-time dashboard with color-coded quota bars, reset countdowns, activity log, and keyboard controls; a settings screen (`g`) edits the rotation threshold, quota-probe interval, and sx.org proxy live
- **OAuth token management** — automatically refreshes tokens nearing expiry and persists them to config; client token refreshes pass through untouched
- **Hot-reload accounts** — add or change accounts while the server is running; press **R** in the TUI, or run headless and CLI changes auto-reload via a local control endpoint
- **Headless mode** — run the proxy without the TUI (`--headless`) for backgrounding/services
- **Org-aware accounts** — one email can hold multiple accounts across different organizations (e.g. corp + personal); dedup is keyed on account + org, and names disambiguate as `email (Org)`
- **Rotation priority** — pin a preferred account order with `teamclaude priority`
- **Enable/disable accounts** — temporarily pause an account without removing it (`teamclaude disable`/`enable`, or `d` in the TUI); re-enabling also clears a stuck error state
- **Quota persistence** — observed quota survives restarts (saved to a sibling state file), so rotation state isn't lost on restart; stale windows are discarded automatically
- **Optional quota probe** — off by default; when enabled, periodically refreshes idle accounts' quota from the usage endpoint (no message spend), and surfaces the Sonnet weekly bucket
- **MITM proxy mode (default)** — `teamclaude run` routes claude via an HTTPS forward proxy with a local CA so even hardcoded `api.anthropic.com` endpoints (e.g. the Claude Design MCP) get the real token injected; pass `--no-mitm` for base-URL routing only
- **Optional sx.org proxy mode** — off by default; set an [sx.org](https://sx.org) API key in the TUI settings screen (`g`) and TeamClaude auto-provisions a residential proxy to change the egress IP and work around IP-based `429`s. Three modes (`m` to cycle): **always** (route all upstream traffic), **on 429 only** (stay direct, fail over to the proxy after a 429), or **off** (keep the key but don't use it). TLS stays end-to-end with Anthropic (the proxy only relays ciphertext)
- **Request logging** — optional full request/response logging for debugging
- **Zero dependencies** — uses only Node.js built-in modules
## Quick Start
Requires Node.js 18+.
```bash
# Install
npm install -g @karpeleslab/teamclaude
# Add your first account (opens browser for OAuth)
teamclaude login
# Add a second account
teamclaude login
# Start the proxy
teamclaude server
# In another terminal, run Claude Code through the proxy
teamclaude run
```
You can also import existing Claude Code credentials instead of logging in:
```bash
claude /login # Log into an account in Claude Code
teamclaude import # Import its credentials
```
## Adding Accounts
### OAuth Login (recommended)
The easiest way to add accounts — opens your browser for authentication:
```bash
teamclaude login
```
Uses the same OAuth flow as Claude Code. Auto-detects the account email and subscription tier. Logging in with the same account again updates its credentials.
You can add accounts while the server is running — press **R** in the TUI to reload.
### Import from Claude Code
If you already have Claude Code set up, you can import its credentials directly:
```bash
claude /login # Log into an account in Claude Code
teamclaude import # Import its credentials
```
Re-importing the same account updates its credentials. You can also import from a custom path:
```bash
teamclaude import --from /path/to/credentials.json
```
### API Key
For Anthropic API key accounts (billed via Console):
```bash
teamclaude login --api
```
## Usage
### Start the proxy server
```bash
teamclaude server
```
When running from a TTY, shows an interactive TUI with:
- Account table with session/weekly quota progress bars and reset countdowns
- Real-time activity log with request tracking
- Keyboard shortcuts (see below)
Falls back to plain log output when not a TTY (e.g. running as a service). Pass `--headless` (or `--no-tui`) to force the plain-log mode even from a terminal — useful for backgrounding the proxy.
When running headless, you can re-sync accounts from the config without a restart by POSTing to the local control endpoint (the equivalent of pressing **R** in the TUI):
```bash
curl -X POST http://localhost:3456/teamclaude/reload
```
You usually don't need to call it directly: `teamclaude login`, `import`, `enable`, `disable`, and `priority` automatically notify a running server to reload. (New accounts and credential/priority/enable-disable changes are picked up live; account *removals* still require a restart.)
#### TUI Keyboard Shortcuts
| Key | Action |
|-----|--------|
| `s` | Switch active account |
| `a` | Add account (import or API key) |
| `r` | Remove an account |
| `d` | Enable/disable an account |
| `R` | Reload accounts from config |
| `q` | Quit |
In selection mode, use `j`/`k` or arrow keys to navigate, `Enter` to confirm, `Esc` to cancel.
### Run Claude Code through the proxy
```bash
teamclaude run
```
`run` probes the proxy first: if it's up, Claude Code is routed through it; if it's **not** running, `claude` is launched directly so nothing breaks.
Since **1.1.0**, `run` defaults to [MITM forward-proxy mode](#mitm-proxy-mode-default) so even hardcoded `api.anthropic.com` endpoints (e.g. the Claude Design MCP) are intercepted. To keep the previous base-URL-only behavior, pass `--no-mitm`:
```bash
teamclaude run --no-mitm
```
Or manually set the environment:
```bash
eval $(teamclaude env)
claude
```
### Routing plain `claude` automatically (alias)
So you don't have to type `teamclaude run` every time, add a shell alias that makes plain `claude` go through the proxy (and fall back to direct when it's down):
```bash
teamclaude alias # print the alias for your shell
teamclaude alias --install # or write it to your shell rc (--uninstall to remove)
```
This is an interactive-shell alias — it affects `claude` typed at a prompt, not `claude` spawned by editors or scripts. It's a thin passthrough to `teamclaude run`, which holds the proxy-up/down logic.
### Other commands
```bash
teamclaude accounts # List accounts with subscription tier and token status
teamclaude accounts -v # Also show token expiry times
teamclaude status # Show live proxy status (requires running server)
teamclaude remove # Remove an account (by name or email)
teamclaude disable # Temporarily exclude an account from rotation
teamclaude enable # Re-enable it (also clears a stuck error state)
teamclaude priority 1 # Set rotation priority (lower = preferred)
teamclaude probe 300 # Enable background quota refresh (off by default)
teamclaude alias # Print/install a `claude` alias that routes via the proxy
teamclaude api # Call an API endpoint with account credentials
teamclaude help # Show all commands
```
When the same email belongs to multiple organizations, accounts are named
`email (Org)` to keep them distinct. Pass `--org ` to disambiguate a
bare email, e.g. `teamclaude remove user@example.com --org Acme`. Use
`teamclaude priority --first` / `--last` to move an account to the front
or back of the rotation order.
### Request logging
Log full request/response details to a directory (one file per request):
```bash
teamclaude server --log-to /tmp/requests
```
## Configuration
Config is stored at `~/.config/teamclaude.json` (or `$XDG_CONFIG_HOME/teamclaude.json`). A random proxy API key is generated on first use.
Volatile runtime state (observed quota) is written separately to `teamclaude.state.json` alongside the config, so the config file stays clean and hand-editable. The state file is safe to delete — quota is simply re-learned from traffic.
Override the config path with `TEAMCLAUDE_CONFIG`:
```bash
TEAMCLAUDE_CONFIG=./my-config.json teamclaude server
```
### Config format
```json
{
"proxy": {
"port": 3456,
"apiKey": "tc-auto-generated-key"
},
"upstream": "https://api.anthropic.com",
"switchThreshold": 0.98,
"sx": { "apiKey": "your-sx-org-api-key", "mode": "always" },
"accounts": [
{
"name": "user@example.com (Acme)",
"type": "oauth",
"accountUuid": "...",
"orgUuid": "...",
"orgName": "Acme",
"priority": 0,
"accessToken": "sk-ant-oat01-...",
"refreshToken": "sk-ant-ort01-...",
"expiresAt": 1774384968427
}
]
}
```
| Field | Description |
|-------|-------------|
| `proxy.port` | Local port the proxy listens on |
| `proxy.apiKey` | API key clients use to authenticate with the proxy |
| `upstream` | Upstream API base URL |
| `switchThreshold` | Quota utilization (0–1) at which to switch accounts (TUI: `g` → `t`) |
| `quotaProbeSeconds` | Background quota-probe interval in seconds (`0` = off, the default; CLI `probe` or TUI `g` → `p`) |
| `sx.apiKey` | [sx.org](https://sx.org) API key. When set, TeamClaude auto-provisions a residential proxy (egress-IP 429 workaround). Absent/empty = off |
| `sx.mode` | `always` (route all upstream traffic), `429` (direct, fail over to the proxy after a 429), or `off` (keep the key but don't use it). Defaults to `always` when a key is set |
| `accounts[].accountUuid` | Anthropic account (person) id; set automatically from the OAuth profile |
| `accounts[].orgUuid` / `orgName` | Organization the account is scoped to — lets one email hold multiple org accounts |
| `accounts[].priority` | Rotation preference, lower = preferred (default 0) |
| `accounts[].disabled` | If `true`, the account is excluded from rotation until re-enabled |
### Quota probe (optional, off by default)
By default TeamClaude is **passive** — it learns each account's quota only from the responses that flow through it, so an account that hasn't been used yet shows unknown quota until it's first rotated to.
If you'd rather keep idle accounts' quota fresh, enable the background probe:
```bash
teamclaude probe 300 # refresh every 300s
teamclaude probe off # back to passive (default)
teamclaude probe # show current setting
```
You can also set the interval live from the TUI settings screen (`g` → `p`), alongside the rotation threshold (`t`).
It reads each OAuth account's utilization from Anthropic's usage endpoint (`/api/oauth/usage`), which reports quota **without consuming any message quota**. Minimum interval is 30s. Changing it takes effect on a running server immediately (no restart). When enabled, it also surfaces the **Sonnet 7-day** bucket as an extra bar in the TUI / `status` (when your plan exposes it).
### MITM proxy mode (default)
The plain reverse-proxy only intercepts what `ANTHROPIC_BASE_URL` covers. Some Claude Code features (e.g. the **Claude Design MCP**) use a **hardcoded** `https://api.anthropic.com` URL that ignores that variable, so they bypass the proxy. MITM proxy mode captures those too, which is why it's the default for `teamclaude run` (and the shell alias):
```bash
teamclaude run --
```
To opt out and route via `ANTHROPIC_BASE_URL` only, pass `--no-mitm`:
```bash
teamclaude run --no-mitm --
```
That launches claude pointed at teamclaude as an **HTTPS forward proxy** (`HTTPS_PROXY`) and trusts a locally-generated CA (`NODE_EXTRA_CA_CERTS`). For an intercepted host, teamclaude **dials the real upstream first, mirrors its negotiated ALPN** (HTTP/2 or HTTP/1.1), then terminates TLS toward claude with the same protocol and relays the traffic **as transparently as possible** — rewriting only what it must:
- the **`authorization`** header → the active account's real token (dropping any client `x-api-key`);
- the **`account_uuid`** inside `metadata.user_id` → the active account's UUID (so the body agrees with the injected token);
- and it reads `anthropic-ratelimit-*` from responses for quota.
Everything else is copied byte-for-byte (HTTP/2 is handled with a built-in HPACK codec so the only header changed is the auth one). Any host other than the upstream is blind-tunnelled. The server accepts *both* base-URL and proxy clients at once, so instances launched with and without `--no-mitm` can share one server.
Trust model:
- The CA is generated locally, stored in the config dir, and trusted **only** by the claude process you launch via `teamclaude run` (through `NODE_EXTRA_CA_CERTS`) — it is **never** added to your system trust store. The leaf private key is `0600`; the CA private key is never written to disk.
- teamclaude still verifies the **real** Anthropic certificate on the upstream leg.
Verify the proxy + CA without any credentials — the proxy always answers a built-in test host:
```bash
# (with the server running and certs generated, e.g. after one `teamclaude run`)
curl --proxy http://localhost:3456 --cacert ~/.config/teamclaude-ca.pem https://www.example.org/
# → {"teamclaude":"mitm-proxy-ok","host":"www.example.org",...}
```
### sx.org proxy mode (optional, off by default)
Some transient `429`s key on the proxy's **outbound IP**, not the account — so rotating accounts doesn't help. To work around them, TeamClaude can route upstream requests through a residential proxy from [sx.org](https://sx.org), giving a different egress IP.
Open the TUI and press **`g`** for the settings screen, then **`k`** to paste your sx.org API key (stored in `config.sx.apiKey`). TeamClaude reuses an existing active proxy port on your sx.org account, or auto-creates a residential US one, and dials the upstream through it via HTTP `CONNECT` on **both** the reverse-proxy and `--mitm` paths.
Press **`m`** to cycle the **mode**:
| Mode | Behavior |
|------|----------|
| **always** | Tunnel **every** upstream request through sx.org. |
| **on 429 only** | Connect directly; on a `429` (which is IP-based), immediately retry that request through sx.org's fresh egress IP — no wait. On the `--mitm` path, a recent `429` routes new tunnels through sx.org for a short window. |
| **off** | Never use sx.org, but **keep the API key** so you can re-enable it instantly. |
TLS is established **end-to-end with `api.anthropic.com` over the tunnel**, so the sx.org proxy only ever relays ciphertext and the real Anthropic certificate is still verified. Mode and key changes apply live (no restart). Press **`x`** to forget the key entirely.
> **Cost:** in **always** mode *all* Claude traffic flows through the residential proxy, which sx.org meters by bandwidth — expect real per-GB cost. **on 429 only** uses the proxy just when you're actually being throttled, so it's the cheaper way to ride out rate limits.
## How It Works
1. Claude Code connects to the local proxy instead of `api.anthropic.com`
2. The proxy selects the active account and forwards requests with that account's credentials
3. OAuth tokens expiring within 5 minutes are automatically refreshed and persisted to config
4. Rate limit headers from the API (`anthropic-ratelimit-unified-*`) track session (5h) and weekly (7d) quota utilization
5. When usage reaches the threshold, the proxy switches to the next available account via round-robin
6. On 429 responses, the proxy waits the `retry-after` duration and retries; on persistent errors, it switches accounts
7. Transient network errors (connection reset, timeout) drop the connection so the client can retry
8. If all accounts are exhausted, returns 429 with the soonest reset time
9. Client token refresh requests (`/v1/oauth/token`) are relayed to upstream untouched — the proxy and client manage their own token lifecycles independently
## Security
The only canonical sources for TeamClaude are this repository
(https://github.com/KarpelesLab/teamclaude) and the
[`@karpeleslab/teamclaude`](https://www.npmjs.com/package/@karpeleslab/teamclaude)
npm package. TeamClaude is **never** distributed as a downloadable binary
archive — be wary of soft-forks that bundle a `.zip` and tell you to extract and
run it. See [SECURITY.md](SECURITY.md) for details and how to report issues.
## License
MIT — see [LICENSE](LICENSE).