[DOCS] Insecure API_KEY Example in SessionStart Hooks Documentation

Resolved 💬 3 comments Opened Jan 24, 2026 by coygeek Closed Feb 7, 2026

Documentation Type

Incorrect/outdated documentation

Documentation Location

https://code.claude.com/docs/en/hooks

Section/Topic

SessionStart hooks section - "Set environment variables" example

Current Documentation

The docs currently show this example for setting environment variables via SessionStart hooks:

if [ -n "$CLAUDE_ENV_FILE" ]; then
  echo 'export NODE_ENV=production' >> "$CLAUDE_ENV_FILE"
  echo 'export API_KEY=your-api-key' >> "$CLAUDE_ENV_FILE"
  echo 'export PATH="$PATH:./node_modules/.bin"' >> "$CLAUDE_ENV_FILE"
fi

What's Wrong or Missing?

The example hardcodes an API key value (API_KEY=your-api-key) directly in the script, teaching an insecure practice:

  • Developers copy-paste examples directly into their projects
  • Hardcoded credentials get committed to version control
  • Even "placeholder" values train users on insecure patterns
  • This contradicts security best practices documented elsewhere in Claude Code docs

Suggested Improvement

Option A: Replace with a secure pattern that reads from existing environment:

if [ -n "$CLAUDE_ENV_FILE" ]; then
  echo 'export NODE_ENV=production' >> "$CLAUDE_ENV_FILE"
  # Pass through API key from environment, not hardcoded
  echo "export API_KEY=\"\${API_KEY:-}\"" >> "$CLAUDE_ENV_FILE"
  echo 'export PATH="$PATH:./node_modules/.bin"' >> "$CLAUDE_ENV_FILE"
fi

Option B: Add a prominent warning comment in the example:

# WARNING: Replace with secure credential retrieval - NEVER commit real API keys
echo 'export API_KEY=your-api-key' >> "$CLAUDE_ENV_FILE"

Option C: Remove the API_KEY line entirely and use a non-sensitive example variable instead.

Impact

High - Prevents users from using a feature

Additional Context

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗