The Hidden Risk in Your Shell Environment: How Claude Code Inherits API Keys

What Is Claude Code API Key Environment Leakage?

Claude Code API key environment leakage is the unintended exposure of ANTHROPIC_API_KEY — or any other credential stored in your shell environment — to child processes spawned during a Claude Code session. When Claude Code executes npm install, runs your test suite, or invokes a build script, those subprocesses inherit the full environment of the parent shell, including every exported variable. A malicious or compromised package running in that context can read, exfiltrate, or log your credentials without triggering any obvious warning.

This is not a Claude Code bug. It is how POSIX process inheritance works. But the risk profile changes meaningfully when an AI coding assistant is in the loop, because Claude Code's job is to run commands on your behalf — often ones you haven't reviewed line by line.

How Environment Inheritance Actually Works

Every process on a Unix-like system inherits a copy of its parent's environment at fork time. When your shell has ANTHROPIC_API_KEY=sk-ant-... exported, that variable is visible to every subprocess your shell spawns: your editor, your terminal multiplexer, and yes, every command Claude Code runs during a session.

The kernel doesn't distinguish between "safe" and "sensitive" variables. PATH and ANTHROPIC_API_KEY sit in the same flat namespace. Any code with access to process.env in Node.js, os.environ in Python, or ENV in Ruby can read all of it.

Claude Code specifically inherits the environment of whatever shell or process launched it. If you started Claude Code from a terminal where ANTHROPIC_API_KEY is exported, every tool call, every shell command, and every subprocess Claude Code spawns during that session runs with that key in scope.

Why npm Install Is a Credential Leakage Vector

The npm ecosystem has a well-documented supply chain problem. In 2023 alone, researchers at Sonatype identified over 245,000 malicious packages across open-source registries, with npm consistently ranking as one of the most targeted. The attack surface isn't theoretical: packages like ua-parser-js, coa, and rc were hijacked in 2021 and published with credential-harvesting payloads that ran at install time via lifecycle hooks.

Lifecycle scripts — preinstall, install, postinstall — execute arbitrary shell commands during npm install. They run as your user, in your environment. A postinstall script that phones home with process.env.ANTHROPIC_API_KEY will succeed silently if that variable is set. You won't see an error. You won't get a prompt. The key is gone.

The same risk applies to test runners. Jest, Vitest, Mocha — they all spin up worker processes that inherit the environment. A compromised test utility or a malicious module loaded transitively during a test run has the same access as your shell.

This is why the combination of AI-assisted development and ambient credentials is particularly dangerous. Claude Code is explicitly designed to run npm install for you, add dependencies, and execute tests to verify its own changes. That's the workflow. And every one of those operations happens in an environment that may contain your API key.

Comparing Key Storage Methods for Claude Code API Key Environment Leakage Prevention

There are four main approaches to storing your Anthropic API key, and they are not equivalent in terms of exposure risk.

Shell Profile Export (~/.zshrc, ~/.bashrc)

This is the most common and the most dangerous pattern. Adding export ANTHROPIC_API_KEY=sk-ant-... to your shell profile means the key is present in every interactive shell, every terminal session, every subshell, for the lifetime of your login. Any process you launch — including Claude Code and everything it spawns — inherits it. There is no scoping, no expiry, no audit trail.

.env Files

A .env file loaded by a tool like direnv or dotenv is somewhat better because the key only enters the environment when you're in a specific directory. But once it's loaded, the same inheritance problem applies. A .env file that gets committed to a repository — which happens more often than anyone admits — is immediately a credential incident. If you use .env files, .gitignore them and treat them as secrets, not configuration.

macOS Keychain

Storing the key in Keychain and retrieving it only when needed is meaningfully better. A script can pull the key via security find-generic-password and inject it into a single process's environment without exporting it globally. The key doesn't live in your shell profile. It isn't present in every terminal. The attack surface shrinks to the specific moments you explicitly retrieve it.

OAuth via claude auth login

Claude Code supports authentication via OAuth, which eliminates the need to manage a raw API key in your environment entirely. When you authenticate with claude auth login, Claude Code uses short-lived tokens managed by the tool itself rather than a persistent key you've set in your shell. This is the most defensible posture for interactive use. The credential isn't in your environment at all — it can't be inherited by subprocesses because it was never exported.

For CI/CD pipelines or non-interactive contexts where OAuth isn't viable, the next best option is injecting the key into a scoped environment for a specific command rather than exporting it globally: ANTHROPIC_API_KEY=$(fetch_from_vault) claude ...

Practical Steps to Scope API Key Access

The goal is to minimize the window during which the key exists in an inheritable environment. Here's what that looks like in practice.

• Use claude auth login for interactive development. This removes the key from your environment entirely. See the Claude Code documentation for setup instructions and OAuth configuration details.

  • Audit your shell profile. Remove any hardcoded export ANTHROPIC_API_KEY=... lines. If you've had them there for months, rotate the key — assume it has been exposed.
  • Use npm install --ignore-scripts when adding unfamiliar dependencies. This disables lifecycle hooks during install. You lose some convenience, but you also block the most common install-time exfiltration vector. Audit the scripts before running them manually.
  • Run npm audit before every session where Claude Code will install packages. It won't catch zero-days, but it will catch known malicious packages that have been flagged.
  • Scope key injection to individual commands in CI. Don't set ANTHROPIC_API_KEY as a global environment variable in your CI system. Pass it as a step-level secret scoped to the specific job that needs it.
  • Consider a wrapper script. A shell function that retrieves the key from Keychain, runs a single Claude Code command, and lets the key fall out of scope is meaningfully better than a persistent export.

At Claude Code, we think about credential security as a first-class concern, not an afterthought. The Claude Code product overview covers how the tool is designed to support secure authentication patterns, including OAuth flows that keep raw API keys out of your environment entirely.

None of these mitigations require you to change your development workflow in ways that create friction. Using claude auth login is a one-time setup. Removing your key from your shell profile takes thirty seconds. The inconvenience is minimal; the exposure reduction is substantial.

The deeper lesson here is that AI coding tools change your threat model. A tool that can autonomously run shell commands, install packages, and execute tests is powerful precisely because it takes actions on your behalf. That power amplifies both productivity and risk. Treating ambient credentials as a solved problem — because you've "always done it this way" — is a mistake when the tool in your environment is now actively running code from the internet.

For more coverage of secure deployment patterns for AI development tools, visit the Claude Code blog.

Frequently Asked Questions

Does claude auth login eliminate the need to set ANTHROPIC_API_KEY in my shell?

Yes, for interactive use. When you authenticate via claude auth login, Claude Code manages its own short-lived OAuth tokens internally. You do not need to export ANTHROPIC_API_KEY in your shell profile, and the raw key never enters your environment. This is the recommended approach for day-to-day development. Raw API keys are still needed for non-interactive contexts like CI runners where OAuth device flow isn't practical.

Can a package installed during a Claude Code session read my API key from the environment?

Yes, if ANTHROPIC_API_KEY is exported in your shell. Any code that runs during npm install — via lifecycle hooks like postinstall — has full access to process.env and can read every environment variable present. This includes your API key. The same applies to test runner worker processes and build scripts invoked during a session.

Does Claude Code expose my API key to npm scripts it runs?

Claude Code does not add special protections that strip sensitive variables from the environments of child processes it spawns. If the key is in the environment when Claude Code starts, it is present in the environment of every command Claude Code runs. This is standard process inheritance behavior, not a tool-specific issue, but it means your exposure surface is as large as your Claude Code session.

Is ANTHROPIC_API_KEY safer in a .env file than in my shell profile?

Marginally, in the sense that a .env file loaded by direnv only injects the key when you're in a specific directory. But once the key is in the environment — regardless of how it got there — the inheritance risk is identical. The more meaningful safety question is whether the .env file could be committed to version control accidentally. A key in a shell profile won't end up in a GitHub repository; a .env file can if your .gitignore isn't airtight.

How do I prevent environment variable leakage in Claude Code?

The most effective single step is switching to OAuth authentication via claude auth login, which keeps the raw API key out of your environment entirely. If you must use a raw key, retrieve it from macOS Keychain on demand and inject it only into the specific process that needs it, rather than exporting it globally. Additionally, run npm install --ignore-scripts when adding new dependencies during a Claude Code session to disable lifecycle hook execution at install time.

What should I do if I've had ANTHROPIC_API_KEY exported in my shell profile for months?

Rotate the key. Log into your Anthropic console, revoke the existing key, and generate a new one. Treat the old key as compromised — you cannot know which subprocesses may have read it or which packages may have had access to it during that time. After rotating, switch to claude auth login instead of re-exporting the new key in your profile.