Add configuration to redact/suppress sensitive tool parameters in OTEL telemetry

Resolved 💬 3 comments Opened Feb 11, 2026 by vitalilevy Closed Feb 15, 2026

Summary

Tool parameters (including sensitive values like API tokens) are logged in OTEL telemetry with no way to suppress them. The existing OTEL_LOG_TOOL_DETAILS flag only controls tool/skill names, not parameter values.

Current Behavior

When OTEL telemetry is enabled (CLAUDE_CODE_ENABLE_TELEMETRY=1), tool invocations log their full parameters to the configured exporter. This includes sensitive values such as:

  • API tokens passed to CLI tools (e.g., GH_TOKEN in bash commands)
  • Authentication headers
  • Other potentially sensitive input data

Setting OTEL_LOG_TOOL_DETAILS=0 does not suppress these parameter values - per the documentation, it only controls "MCP server/tool names and skill names."

Expected Behavior

There should be a way to either:

  1. Disable logging of tool input parameters entirely (e.g., OTEL_LOG_TOOL_PARAMS=0)
  2. Automatically redact values that appear to be secrets/tokens (pattern-based redaction)
  3. Both options above

Use Case

Organizations using Claude Code with centralized telemetry (e.g., Honeycomb) need to ensure sensitive credentials don't end up in observability systems where they may be retained, accessible to broader teams, or violate security policies.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗