The credential have been a PITA. I was working on a PR this morning before work; I should have it tonight. You have to be careful because if you look like you're spoofing the client, you can get banned.

For Claude specifically, there are two places where it tracks state:

~/.claude.json -- contains a bunch of identity stuff and something about oauth

~/claude/ -- also contains something about oauth, plus conversation history, etc

If they're not _both_ present and well-formed, then it forces you back through the auth flow. On an ordinary desktop setup, that's transparent. But if you want to sandbox each thread, then sharing just the token requires a level of involvement that feels icky, even if the purpose is TOS-compliant.