Add configuration to redact/suppress sensitive tool parameters in OTEL telemetry
Summary
Tool parameters (including sensitive values like API tokens) are logged in OTEL telemetry with no way to suppress them. The existing OTEL_LOG_TOOL_DETAILS flag only controls tool/skill names, not parameter values.
Current Behavior
When OTEL telemetry is enabled (CLAUDE_CODE_ENABLE_TELEMETRY=1), tool invocations log their full parameters to the configured exporter. This includes sensitive values such as:
- API tokens passed to CLI tools (e.g.,
GH_TOKENin bash commands) - Authentication headers
- Other potentially sensitive input data
Setting OTEL_LOG_TOOL_DETAILS=0 does not suppress these parameter values - per the documentation, it only controls "MCP server/tool names and skill names."
Expected Behavior
There should be a way to either:
- Disable logging of tool input parameters entirely (e.g.,
OTEL_LOG_TOOL_PARAMS=0) - Automatically redact values that appear to be secrets/tokens (pattern-based redaction)
- Both options above
Use Case
Organizations using Claude Code with centralized telemetry (e.g., Honeycomb) need to ensure sensitive credentials don't end up in observability systems where they may be retained, accessible to broader teams, or violate security policies.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗