[FEATURE] Add opt-out configuration for X-Claude-Code-Session-Id header
Summary
v2.1.86 added the X-Claude-Code-Session-Id header to all API requests, allowing proxies to aggregate requests by session without parsing request bodies. This is a well-motivated feature for enterprise deployments running Claude Code through corporate proxies for billing, compliance, and audit logging.
We'd like to request a simple configuration option to disable this header for users who don't route through proxies and prefer to minimize correlation identifiers in outbound requests.
Rationale
Before v2.1.86, individual API requests carried no session-scoped correlation handle. The new header introduces a tracking surface that links all requests within a conversation — visible to any intermediary between the client and the API endpoint.
For users connecting directly to Anthropic's API (no proxy), the header provides no functional benefit to the user while creating a new correlation capability on the server side. An opt-out respects the principle that users should control what metadata leaves their machine, while preserving the default-on behavior for deployments that need it.
Suggested Implementation
A settings.json key, for example:
{
"apiHeaders": {
"X-Claude-Code-Session-Id": false
}
}
Or a simpler boolean:
{
"sendSessionIdHeader": false
}
Either approach would let users opt out while preserving the default-on behavior for enterprise deployments.
Context
- Related: #40119 (documentation for proxy operators about this header)
- The header value is a locally-generated UUID — we acknowledge it contains no PII. This request is about user control over outbound metadata, not a security vulnerability report.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗