← Back to Blog
July 1, 2026 7 min read

Claude Code quietly fingerprints your API requests

If you use Claude Code to write software, the binary on your machine has been doing something you probably did not know about. It silently modifies the system prompt sent to the model, injecting tiny markers that identify you based on your API endpoint and timezone. The sentence you see still reads normally. The sentence Anthropic's backend receives contains extra information encoded in characters that look identical in most fonts.

A security researcher going by the name "lo" reverse-engineered the Claude Code binary (version 2.1.196) and posted the findings on June 30. The Hacker News thread hit 1,479 points. This is not a vulnerability in the traditional sense. Your data is not leaking to third parties. But it is a surreptitious tracking mechanism baked into a tool that already has filesystem access, shell access, git access, and browser access, and that is worth understanding.

How the marker works

Every time Claude Code builds a request, it includes the current date in the system prompt. The sentence looks like this:

Today's date is 2026-07-01.

Under certain conditions, two things change. The apostrophe in "Today's" gets swapped for a different Unicode character. And the date separator switches from hyphens to slashes.

The apostrophe part is the sneaky one. There are four visually similar but distinct characters the code uses:

apostrophe variants used as markers
Normal (ASCII) ' (U+0027)
Known domain ' (U+2019, right single quote)
Lab keyword match ʼ (U+02BC, modifier letter apostrophe)
Both known + keyword ʹ (U+02B9, modifier letter prime)
All four look nearly identical in monospace fonts
date format variants
Normal timezone 2026-07-01
Asia/Shanghai or Asia/Urumqi 2026/07/01
Separator change encodes China-based timezone

If your API endpoint is the official Anthropic one and you are not behind a proxy, you get the normal apostrophe. If your ANTHROPIC_BASE_URL points to a known proxy or reseller domain, you get a different character. Same for if the hostname contains certain AI lab keywords. Combine the two signals and you get a fourth variant. Plus the date format switch for China-based timezones.

This is steganography: hiding data in plain sight. The sentence still reads "Today's date is 2026-07-01" to a human reading it. But a parser on the backend can extract which combination of Unicode characters was used and infer your API routing and your timezone region.

What triggers it

The code reads your ANTHROPIC_BASE_URL environment variable. This is the setting you use when you want to route Claude Code through a proxy, a gateway, or a third-party API provider. If that variable is unset or points to api.anthropic.com, the marker stays normal. If it points to something else, the code checks the hostname against two lists.

The first list contains known domains. The researcher found it encoded as base64 strings XOR-encrypted with key 91. Decoded, it is a long list of Chinese corporate domains, AI company domains, and proxy/reseller domains. It includes names like baidu.com, alibaba-inc.com, bytedance.net, moonshot.ai, stepfun-inc.com, plus a bunch of proxy services like proxyai.com, yunwu.ai, and claude-opus.top.

The second list contains keywords: deepseek, moonshot, minimax, zhipu, baichuan, stepfun, 01ai, dashscope, volces, and a few others. If your API hostname contains any of these, the marker changes regardless of whether the full domain matches.

The timezone check is simpler. If your system timezone is Asia/Shanghai or Asia/Urumqi, the date uses slashes instead of hyphens. That is it. Two timezones out of hundreds.

Why this feels off

I want to be clear about what this is and is not. This is not a data breach. Your prompts are not being sent to a different server. The API request goes wherever you configured it to go. The data stays in the channel.

But the marker is embedded in the system prompt that goes to the model. Which means Anthropic's backend can parse it. When you use the official API, the date line contains metadata about you that you did not opt into sharing and that is not documented anywhere in the client.

There are a few things that bother me specifically.

The list is overwhelmingly China-focused. Of the dozens of domains and keywords, nearly all target Chinese AI companies, Chinese proxy services, and Chinese cloud providers. The two timezone triggers are both China. The clear intent is to detect when someone is routing Claude Code through a Chinese intermediary, and to mark those requests differently. Whether that is for compliance, for billing enforcement, or for something else, Anthropic has not said.

The obfuscation is concerning. Base64 plus XOR with a single-byte key is trivial to reverse, but it shows intent to hide. This was not meant to be found by casual inspection. The code is in a minified bundle that ships as a signed binary. The researcher had to dig through obfuscated JavaScript to find it.

The lack of documentation is the biggest issue. Claude Code gives itself read access to your filesystem, write access to your code, and shell execution. The implicit contract is that the binary does what it says and nothing else. A hidden fingerprinting mechanism violates that contract. It does not matter if the data stays within the API channel. The user should know about it.

What Anthropic has and has not said

As of July 1, Anthropic has not issued a formal response. The HN thread is full of people pointing out that the binary is signed by Anthropic (TeamIdentifier Q6L2SF6YDW), so this is not a supply chain attack. The code was put there intentionally.

The most charitable read is export compliance. The Department of Commerce just lifted export controls on Claude Fable 5 and Mythos 5, which was also front-page HN news on the same day. If Anthropic needs to track which requests come from which regions for regulatory reasons, fingerprinting the client is one way to do that. It is still not great that it is hidden.

The less charitable read is that this is about detecting and potentially degrading service for proxy users. Several of the domains on the list are resellers that offer Claude access in regions where official API access is restricted. If Anthropic can identify those requests server-side, they could throttle, reject, or flag them.

The broader pattern

This is not the first time a widely-used tool has been caught adding identifiers to requests. Browser fingerprinting has been a privacy concern for over a decade. Canvas fingerprinting, font enumeration, and WebGL rendering differences are all techniques that uniquely identify a browser without cookies. The Claude Code approach is smaller in scale but similar in spirit: encode identifying information in a channel the user assumes is neutral.

What makes this case different is the power asymmetry. Claude Code is an agent. It runs on your machine, reads your files, executes your commands, and sends prompts to a remote API. You already trust it with a lot. Finding out it also quietly tags your requests with metadata feels like discovering your locksmith made a copy of your key without telling you. Maybe they needed it for warranty purposes. You would still want to know.

For developers routing through proxies or working from regions with restricted API access, this is more than an abstract concern. The marker could be the difference between a request that goes through and one that gets silently flagged or rate-limited. And you would never know why, because the mechanism is invisible.

What you can do

The fingerprinting only activates when ANTHROPIC_BASE_URL is set to something other than the official endpoint or when your timezone matches the two China zones. If you are using Claude Code with the default configuration from a non-China timezone, the marker is in its normal state.

If you do use a proxy, you have a few options:

The researcher's original post is at thereallo.dev. It includes the deobfuscated code, the full decoded domain list, and instructions for checking your own installation. Worth reading in full if you use Claude Code regularly.

AI Security Privacy Steganography Claude Code Anthropic