`claude mcp add` echoes Authorization header value verbatim to stdout, leaks bearer tokens to terminal and session transcripts
What's Wrong?
When adding an HTTP MCP server with a bearer token via --header "Authorization: Bearer <token>", the success message echoes the Authorization header value verbatim to stdout:
$ claude mcp add --transport http my-server https://example.com/mcp \
--header "Authorization: Bearer <REAL_BEARER_TOKEN>"
Added HTTP MCP server my-server with URL: https://example.com/mcp to local config
Headers: {
"Authorization": "Bearer <REAL_BEARER_TOKEN>" <-- token in plaintext
}
File modified: ~/.claude.json [project: ...]
The bearer value is now in the terminal scrollback, shell history, and any session transcript that captured the command's stdout (including Claude Code's own agentic session JSONLs).
What Should Happen?
The success-message renderer should redact known-sensitive header names before display:
Headers: {
"Authorization": "Bearer ********"
}
Suggested denylist (case-insensitive): Authorization, Proxy-Authorization, X-API-Key, X-Auth-Token, Cookie, Set-Cookie. The stored value in ~/.claude.json stays untouched, only the human-facing echo is redacted.
This mirrors what the docs at https://code.claude.com/docs/en/mcp implicitly promise about secure credential handling but does not currently deliver. The docs even show users typing bearer tokens directly on the CLI in their canonical example.
Steps to Reproduce
- Run an HTTP MCP add with a fake bearer token:
````
claude mcp add --transport http test https://example.com/mcp \
--header "Authorization: Bearer FAKE_TOKEN_123"
- Observe
FAKE_TOKEN_123appearing in plaintext in the success message echoed to stdout.
Is this a regression?
Unknown. Bisect not attempted.
Claude Code Version
2.1.153 (Claude Code)
Platform
Anthropic API.
Operating System
Windows 11 (also expected on macOS / Linux as the echo lives in the Node CLI, not the shell).
Terminal/Shell
Git Bash on Windows 11; behavior expected identically in any TTY.
Additional Information
Related issues (the broader CLI secret-leak pattern):
- #2831 —
claude mcp getdisplays Authorization in plaintext (same class, different command) - #57131 —
claude mcp removewrites literal${VAR}values to.mcp.json(same root cause class) - #44868, #59094, #58173, #20966, #32523 — broader CLI-leak pattern (open)
- #29434, #58526, #25053 — open feature requests for built-in redaction
Outside coverage of the broader pattern:
- The Register (2026-01-28): https://www.theregister.com/2026/01/28/claude_code_ai_secrets_files/
- Martin Paul Eve (2026-04-19): https://eve.gd/2026/04/19/claude-code-can-consume-transmit-and-compromise-your-env-files-even-if-you-tell-it-not-to/
- Knostic.ai: https://www.knostic.ai/blog/claude-loads-secrets-without-permission
---
🤖 Drafted by Claude Code (Opus 4.7) during a live debugging session, submitted with the account holder's review and explicit go-ahead.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗