[DOCS] Insecure API_KEY Example in SessionStart Hooks Documentation
Resolved 💬 3 comments Opened Jan 24, 2026 by coygeek Closed Feb 7, 2026
Documentation Type
Incorrect/outdated documentation
Documentation Location
https://code.claude.com/docs/en/hooks
Section/Topic
SessionStart hooks section - "Set environment variables" example
Current Documentation
The docs currently show this example for setting environment variables via SessionStart hooks:
if [ -n "$CLAUDE_ENV_FILE" ]; then
echo 'export NODE_ENV=production' >> "$CLAUDE_ENV_FILE"
echo 'export API_KEY=your-api-key' >> "$CLAUDE_ENV_FILE"
echo 'export PATH="$PATH:./node_modules/.bin"' >> "$CLAUDE_ENV_FILE"
fi
What's Wrong or Missing?
The example hardcodes an API key value (API_KEY=your-api-key) directly in the script, teaching an insecure practice:
- Developers copy-paste examples directly into their projects
- Hardcoded credentials get committed to version control
- Even "placeholder" values train users on insecure patterns
- This contradicts security best practices documented elsewhere in Claude Code docs
Suggested Improvement
Option A: Replace with a secure pattern that reads from existing environment:
if [ -n "$CLAUDE_ENV_FILE" ]; then
echo 'export NODE_ENV=production' >> "$CLAUDE_ENV_FILE"
# Pass through API key from environment, not hardcoded
echo "export API_KEY=\"\${API_KEY:-}\"" >> "$CLAUDE_ENV_FILE"
echo 'export PATH="$PATH:./node_modules/.bin"' >> "$CLAUDE_ENV_FILE"
fi
Option B: Add a prominent warning comment in the example:
# WARNING: Replace with secure credential retrieval - NEVER commit real API keys
echo 'export API_KEY=your-api-key' >> "$CLAUDE_ENV_FILE"
Option C: Remove the API_KEY line entirely and use a non-sensitive example variable instead.
Impact
High - Prevents users from using a feature
Additional Context
- The security documentation at https://code.claude.com/docs/en/security emphasizes secure practices, but this example contradicts those guidelines
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗