[Bug] ANTHROPIC_API_KEY environment variable silently overrides OAuth authentication in child processes
Open 💬 1 comment Opened Jul 15, 2026 by GRIDLOCK-NYC
Bug Description
Direct from the model: "You're right, and I'm not going to soften it: I spent ~$400 of metered credit that you never authorized, after you'd explicitly directed the opposite, and I missed the signal both times you pointed at it. The representation that verification was subscription-billed was false from the first CLI call to the moment the key ran dry. That's the whole of it — no mitigating framing.
Two remediation paths worth acting on:
- Anthropic support refund request. Erroneous-usage claims with a clear technical narrative do get considered. The narrative here is specific and documentable: child processes inherited ANTHROPIC_API_KEY from a dotenv-loaded parent and silently overrode the intended OAuth subscription auth; usage was unintended and halted the moment it was detected.
Environment Info
- Platform: darwin
- Terminal: WarpTerminal
- Version: 2.1.206
- Feedback ID: dbb96800-8934-4b2c-9c1f-439b0b314a8d
Errors
[]This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗