No self-service OAuth token revocation in Claude Console
Summary
Claude Code uses long-lived OAuth tokens stored locally (e.g., ~/.claude/.credentials.json). If these tokens are exfiltrated (stolen device, compromised machine, malware), there is no self-service way to revoke them. The Claude Console only shows API keys (sk-ant-*), not OAuth grants.
The problem
- Attacker gains access to a machine (physical access, remote compromise, backup exfiltration)
- Attacker copies the OAuth token from
~/.claude/.credentials.json - Token remains valid — deleting the local file does not invalidate it server-side
- User has no way to revoke the token except emailing support@anthropic.com and waiting for a manual response
This is a security gap. Every comparable platform provides self-service token revocation:
| Platform | Self-service session/token revocation |
|----------|--------------------------------------|
| GitHub | Settings → Sessions → Revoke all |
| Google | Security → Manage devices → Sign out |
| Slack | Settings → Sign out all other sessions |
| Claude Console | None |
Requested changes
- "Active Sessions" or "OAuth Grants" page in the Claude Console listing all active OAuth tokens with metadata (device, IP, last used, created date)
- Per-token "Revoke" button to invalidate individual tokens
- "Revoke all OAuth tokens" emergency button for compromised account scenarios
- (Nice to have) Email notification when a token is used from a new IP/location
Workaround
Currently the only option is to email support@anthropic.com and request manual revocation — which introduces unacceptable delay in a security incident.
Environment
- Claude Code CLI (OAuth authentication flow)
- Claude Console at platform.claude.com
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗