Summary
The Minara CLI (minara npm package v0.4.7) cannot complete login or make any authenticated API calls when invoked from Claude Code (or any non-TTY agent environment) due to Cloudflare Bot Fight Mode blocking Node.js's built-in fetch.
Steps to Reproduce
- Install
minara CLI globally
- Attempt
minara login --email user@example.com or minara login --device
- CLI receives a Cloudflare HTML challenge page instead of a JSON API response
Root Cause
The CLI uses Node.js's built-in fetch (via undici) which has a distinct TLS fingerprint (JA3/JA4) that Cloudflare Bot Fight Mode identifies as a bot. The same API endpoints work correctly when called via curl with identical headers — confirming the issue is the HTTP client's TLS fingerprint, not authentication logic.
Evidence:
# CLI call → returns Cloudflare HTML challenge (800KB+ HTML)
minara login --email user@example.com
# ✖ [HTML page]
# Direct curl with same headers → returns correct JSON
curl -s -X POST https://api.minara.ai/auth/email/code \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Origin: https://minara.ai' \
-H 'Referer: https://minara.ai/' \
-H 'User-Agent: Minara-CLI/1.0' \
-d '{"email":"user@example.com","platform":"web"}'
# → {"success":true,"message":"Email verification code sent successfully"}After manually writing valid credentials to ~/.minara/credentials.json, authenticated API calls (e.g. minara account, minara balance) also return Cloudflare HTML instead of JSON.
Impact
- CLI is completely non-functional in agent/automation environments (Claude Code, CI, scripts)
- Email and device login flows both fail
- Even with a valid JWT token, all authenticated API calls fail
Suggested Fix
Replace Node.js built-in fetch with an HTTP client that presents a browser-like TLS fingerprint, or whitelist the CLI's user agent / IP range on Cloudflare. Options:
- Use
node-fetch or axios with a custom TLS configuration that passes Cloudflare's bot checks
- Add a Cloudflare WAF rule to bypass Bot Fight Mode for requests with
User-Agent: Minara-CLI/*
- Use
curl as the HTTP backend via child_process.exec for CLI environments
Environment
- macOS Darwin 25.3.0 (Apple Silicon)
- Node.js v24.10.0
- minara CLI v0.4.7
- Skill v3.0.2
- Invoked from Claude Code (agent environment, non-TTY stdin)
Workaround
Manually write credentials to ~/.minara/credentials.json after obtaining a JWT via direct curl call to the auth API, then use curl directly for all subsequent API calls. This confirms the API itself is functional — the issue is purely the CLI's HTTP client.
Summary
The Minara CLI (
minaranpm package v0.4.7) cannot complete login or make any authenticated API calls when invoked from Claude Code (or any non-TTY agent environment) due to Cloudflare Bot Fight Mode blocking Node.js's built-infetch.Steps to Reproduce
minaraCLI globallyminara login --email user@example.comorminara login --deviceRoot Cause
The CLI uses Node.js's built-in
fetch(via undici) which has a distinct TLS fingerprint (JA3/JA4) that Cloudflare Bot Fight Mode identifies as a bot. The same API endpoints work correctly when called viacurlwith identical headers — confirming the issue is the HTTP client's TLS fingerprint, not authentication logic.Evidence:
After manually writing valid credentials to
~/.minara/credentials.json, authenticated API calls (e.g.minara account,minara balance) also return Cloudflare HTML instead of JSON.Impact
Suggested Fix
Replace Node.js built-in
fetchwith an HTTP client that presents a browser-like TLS fingerprint, or whitelist the CLI's user agent / IP range on Cloudflare. Options:node-fetchoraxioswith a custom TLS configuration that passes Cloudflare's bot checksUser-Agent: Minara-CLI/*curlas the HTTP backend viachild_process.execfor CLI environmentsEnvironment
Workaround
Manually write credentials to
~/.minara/credentials.jsonafter obtaining a JWT via directcurlcall to the auth API, then usecurldirectly for all subsequent API calls. This confirms the API itself is functional — the issue is purely the CLI's HTTP client.