[FEATURE] Secure secrets injection for Claude Code on the web

Open 💬 7 comments Opened Mar 10, 2026 by lieblius

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

Claude Code on the web (claude.ai/code) has no way to securely provide secrets to async cloud sessions.

The environment variables field in the environment settings dialog explicitly warns: "don't add secrets or credentials."

This blocks any workflow that requires authentication in a web session:

  • Installing packages from private registries (npm, PyPI, etc.): the proxy strips user-provided auth headers (#11078) and the auto-injected GitHub credential lacks read:packages scope
  • Cross-repo private dependencies via Cargo, pip, Go modules (#11056)
  • Calling external APIs that require keys (Stripe, AWS, database URLs, etc.) during build/test/runtime
  • Authenticating HTTP-based MCP servers that need Bearer tokens (#28942)
  • Setup scripts that need to pull from private infrastructure

Devin, OpenAI Codex, and Cursor background agents all provide a dedicated encrypted secrets store for their cloud/async agent environments. Claude Code on the web has nothing.

For teams using custom/private packages (which is most professional teams), Claude Code on the web is literally unusable.

Proposed Solution

Add per-user and per-org encrypted secrets store in the environment settings, separate from the existing environment variables field.

Secrets should:

  • Be stored encrypted and only decrypted inside the user's own sandbox at session start
  • Never appear in conversation transcripts or model context
  • Be injected as environment variables at the process level, available to setup scripts, npm install, pip install, and other CLI tools
  • Be scoped per-environment so users can manage different credentials for different repos

The UX could be as simple as a separate "Secrets" section in the environment settings dialog with key-value pairs, visually distinct from the shared env vars, with a note that these are encrypted.

Alternative Solutions

  • Put secrets in the shared environment variables field: explicitly warned against in the UI; visible to all environment users
  • Paste secrets into chat: persisted in conversation history, massive security risk
  • Use --remote from CLI instead of the web: works but loses the async fire-and-forget benefit entirely

None of these are adequate.

Priority

Critical - Blocking my work

Feature Category

Other

Use Case Example

Our team uses private images on ECR. We literally cannot pull anything to run our code. I am just going and using Devin instead. Codex and cursor agents support this as well.

This same pattern applies to any team using private PyPI, Cargo, Maven, or Go module registries, or any project that needs API keys or database credentials during development.

Additional Context

_No response_

View original on GitHub ↗

This issue has 7 comments on GitHub. Read the full discussion on GitHub ↗