
Introducing @vibe-kit/auth: Unlock Your AI "Max" Subscriptions

VibeKit now supports universal authentication for AI provider "Max" subscriptions, enabling developers to leverage their expensive Claude, Gemini, or Grok Max subscriptions across any application through secure OAuth flows.

By Alan Zabihi

The Problem

Current approach: AI "Max" subscriptions are locked to providers' closed ecosystems.

New approach: universal authentication that unlocks "Max" subscriptions for any application.

You're paying hundreds of dollars monthly for Claude, Gemini, or Grok Max subscriptions, but can only use them within their native interfaces. @vibe-kit/auth changes this by providing programmatic access to your existing subscriptions through secure OAuth flows.

What This Enables

This maximizes the value of your AI investments by enabling cross-application usage of your premium subscriptions.

Subscription Liberation

  • Access your "Max" subscriptions from any application
  • Secure OAuth 2.0 with PKCE authentication flows
  • Automatic token management and refresh

Cost Optimization

  • Leverage existing "Max" subscriptions instead of paying per-API-call
  • Reduce operational costs for AI-powered applications
  • Maximize every dollar spent on premium AI access

Universal Integration

  • Compatible with official provider SDKs like Anthropic's Claude SDK
  • Cross-platform support for Node.js and browser environments
  • Flexible token storage options for different deployment scenarios

Getting Started

Adding universal AI authentication to your application is straightforward:

import { ClaudeAuth } from '@vibe-kit/auth/node';

// Node.js environment - automatic browser flow
const token = await ClaudeAuth.authenticate();

// Verify authentication status
const isAuthenticated = await ClaudeAuth.isAuthenticated();

// Use with official SDKs
const accessToken = await ClaudeAuth.getValidToken();

Use Cases This Enables

Development scenarios that require premium AI access across multiple applications:

  • Multi-application AI workflows: Use your Claude, Gemini, or Grok Max subscriptions across different tools and services
  • Cost-effective AI development: Avoid per-API-call charges by leveraging existing subscriptions
  • Enterprise AI integration: Centralized authentication for team-based AI applications
  • Cross-platform AI tools: Consistent premium AI access across web, desktop, and mobile applications

Technical Implementation

The authentication system uses OAuth 2.0 with PKCE for secure, cross-platform authentication flows.

Browser Integration

For client-side applications:

npm install @vibe-kit/auth

import { ClaudeWebAuth, LocalStorageTokenStorage } from '@vibe-kit/auth/browser';

const storage = new LocalStorageTokenStorage();
const auth = new ClaudeWebAuth(storage);

// Generate authorization URL
const { url, state, codeVerifier } = ClaudeWebAuth.createAuthorizationUrl();

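// Handle authorization callback: authCode is the authorization code obtained
// after the user approves access; pass the same codeVerifier and state generated above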
const token = await auth.authenticate(authCode, codeVerifier, state);
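
To make the state and codeVerifier values above concrete, the following added example (not code from @vibe-kit/auth or from this post) implements the PKCE S256 derivation and the state check from RFC 7636 with Node's built-in crypto module. The function names and the redirect-style callback URL are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not @vibe-kit/auth internals.
const nodeCrypto = require('node:crypto');

// RFC 7636 S256: challenge = BASE64URL(SHA-256(ASCII(code_verifier))).
function challengeFor(codeVerifier) {
  return nodeCrypto.createHash('sha256').update(codeVerifier, 'ascii').digest('base64url');
}

// Client: fresh secrets per authorization request. 32 random bytes encode to
// a 43-character verifier, the minimum length RFC 7636 allows.
function createPkcePair() {
  const codeVerifier = nodeCrypto.randomBytes(32).toString('base64url');
  const state = nodeCrypto.randomBytes(16).toString('base64url');
  return { codeVerifier, codeChallenge: challengeFor(codeVerifier), state };
}

// Constant-time string comparison; a length mismatch fails closed.
function safeEqual(expected, received) {
  if (typeof expected !== 'string' || typeof received !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(received);
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}

// Client: reject a callback whose state is not the one this session issued
// (CSRF defence), then hand back the authorization code.
function readCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.has('error')) throw new Error(`authorization failed: ${params.get('error')}`);
  if (!safeEqual(expectedState, params.get('state'))) throw new Error('state mismatch');
  const code = params.get('code');
  if (!code) throw new Error('missing authorization code');
  return code;
}

// Authorization server: the token request succeeds only if the presented
// verifier hashes to the challenge stored with the authorization code.
function serverAcceptsVerifier(storedChallenge, presentedVerifier) {
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(presentedVerifier)) return false;
  return safeEqual(storedChallenge, challengeFor(presentedVerifier));
}
```

An intercepted authorization code is useless without the verifier, because only the challenge ever travels through the browser.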

Server-Side Setup

import { ClaudeAuth, MemoryTokenStorage } from '@vibe-kit/auth/node';

// Automatic authentication flow
const token = await ClaudeAuth.authenticate();

// Manual token management
const auth = new ClaudeAuth(new MemoryTokenStorage());
const isValid = await auth.isAuthenticated();

Integration with Official SDKs

import { Anthropic } from '@anthropic-ai/sdk';
import { ClaudeAuth } from '@vibe-kit/auth/node';

const accessToken = await ClaudeAuth.getValidToken();

const anthropic = new Anthropic({
  authToken: accessToken,
});

const response = await anthropic.messages.create({
  model: 'claude-sonnet-4-20250514',
  max_tokens: 1024, // required by the Messages API
  messages: [{ role: 'user', content: 'Hello!' }]
});

Technical Capabilities

  • OAuth 2.0 with PKCE: Secure authentication flows with CSRF protection
  • Universal token storage: Memory, localStorage, and cookie-based storage options
  • Automatic token refresh: Seamless session management
  • Cross-platform compatibility: Node.js and browser environments
  • Multi-provider support: Built for Claude, Gemini, Grok, and beyond

Security Features

  • Restricted file permissions: Secure token storage in Node.js environments
  • State parameter validation: CSRF attack prevention
  • Automatic token expiry handling: Seamless re-authentication when needed
  • Environment-specific security: Browser-safe authentication methods
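
One way to implement the restricted-permissions and expiry checks listed above, as an added example that is not the package's own storage code. The file location and the { accessToken, expiresAt } token shape are assumptions made for illustration.

```javascript
// Added example: hypothetical file-backed store, not @vibe-kit/auth internals.
const fs = require('node:fs');
const path = require('node:path');

// Write the token so it is never observable with loose permissions: create a
// temp file as 0600 (flag 'wx' fails if the name already exists), then rename.
function saveToken(file, token) {
  fs.mkdirSync(path.dirname(file), { recursive: true, mode: 0o700 });
  const tmp = `${file}.${process.pid}.tmp`;
  fs.writeFileSync(tmp, JSON.stringify(token), { mode: 0o600, flag: 'wx' });
  fs.renameSync(tmp, file);
}

// Permission bits granted to group or other (POSIX only; 0 means owner-only).
function looseBits(file) {
  return fs.statSync(file).mode & 0o077;
}

// Load the token, failing closed if the file has been made accessible to other
// users, and returning null when the token is past its expiry.
function loadToken(file, now = Date.now()) {
  const bits = looseBits(file);
  if (process.platform !== 'win32' && bits !== 0) {
    throw new Error(`refusing ${file}: group/other bits 0${bits.toString(8)} set`);
  }
  const token = JSON.parse(fs.readFileSync(file, 'utf8'));
  return typeof token.expiresAt === 'number' && token.expiresAt > now ? token : null;
}
```

A null result from loadToken is the signal to run the refresh or re-authentication path instead of sending an expired token.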

Storage Options

Multiple storage backends for different deployment scenarios:

  • MemoryTokenStorage: Server-side in-memory storage
  • LocalStorageTokenStorage: Browser localStorage persistence
  • CookieTokenStorage: Server-side cookie-based storage

Requirements

  • Node.js 18+
  • Modern browser support for OAuth flows
  • Valid "Max" subscription for target AI provider

Technical documentation: https://github.com/superagent-ai/vibekit/tree/main/packages/auth

Alan Zabihi

Co-founder & CEO of Superagent.sh
