No self-service OAuth token revocation in Claude Console

Resolved 💬 3 comments Opened Mar 25, 2026 by Shepherd-Creative Closed Mar 28, 2026

Summary

Claude Code uses long-lived OAuth tokens stored locally (e.g., ~/.claude/.credentials.json). If these tokens are exfiltrated (stolen device, compromised machine, malware), there is no self-service way to revoke them. The Claude Console only shows API keys (sk-ant-*), not OAuth grants.

The problem

  1. Attacker gains access to a machine (physical access, remote compromise, backup exfiltration)
  2. Attacker copies the OAuth token from ~/.claude/.credentials.json
  3. Token remains valid — deleting the local file does not invalidate it server-side
  4. User has no way to revoke the token except emailing support@anthropic.com and waiting for a manual response

This is a security gap. Every comparable platform provides self-service token revocation:

| Platform | Self-service session/token revocation |
|----------|--------------------------------------|
| GitHub | Settings → Sessions → Revoke all |
| Google | Security → Manage devices → Sign out |
| Slack | Settings → Sign out all other sessions |
| Claude Console | None |

Requested changes

  1. "Active Sessions" or "OAuth Grants" page in the Claude Console listing all active OAuth tokens with metadata (device, IP, last used, created date)
  2. Per-token "Revoke" button to invalidate individual tokens
  3. "Revoke all OAuth tokens" emergency button for compromised account scenarios
  4. (Nice to have) Email notification when a token is used from a new IP/location

Workaround

Currently the only option is to email support@anthropic.com and request manual revocation — which introduces unacceptable delay in a security incident.

Environment

  • Claude Code CLI (OAuth authentication flow)
  • Claude Console at platform.claude.com

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗