Security: Tokens pasted into web/mobile sessions are exposed in the LLM context window
Problem
When using Claude Code on web or mobile (not the local CLI), there is no way to provide API tokens (e.g., GITHUB_TOKEN) without pasting them directly into the chat. This means secrets land in the LLM context window — visible in conversation history, potentially included in training data, and exposed to anyone with account access.
The local CLI solves this correctly: tokens live in environment variables or OS keychains (e.g., Docker MCP reads credentials from the OS keychain, never touching the chat). Web/mobile sessions have no equivalent mechanism.
Proposed solution
A secrets/environment injection mechanism for web and mobile sessions:
- Users configure secrets in their Anthropic account settings (or a project-level config).
- At session start, these are injected as environment variables into the container — the same way
ANTHROPIC_API_KEYis already provided. - Secrets never appear in the LLM context window, conversation history, or logs.
This mirrors how CI systems (GitHub Actions secrets, AWS Parameter Store) handle credentials: configured out-of-band, injected at runtime.
Why this matters
- Current workaround is insecure by design. Users who need GitHub/AWS/etc. access on mobile must paste tokens into chat. No amount of short-TTL scoping fully mitigates context-window exposure.
- The local CLI already has the right pattern. Docker MCP uses OS keychain credentials.
GITHUB_TOKENis read from the environment. The web/mobile experience should match. - Adoption blocker for teams. Security-conscious teams won't use Claude Code on mobile/web for real work if it requires pasting secrets.
Alternatives considered
- Short-TTL, minimal-scope tokens: Reduces blast radius but doesn't solve the exposure problem. We do this as mitigation, not a fix.
- OAuth device flow in-session: Still surfaces the token in the context window after the flow completes.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗