Can Claude Code workflows expose API keys?
Facts last verified against primary sources: June 11, 2026
In short
Yes, in one specific and checkable way: credentials that enter the workflow — typed into approved commands or sitting in workspace files — can persist in .claude/settings.local.json and ship wherever the project ships.
In April 2026, Lakera found 428 npm packages containing that settings file; roughly one in thirteen of those files held something sensitive. The file itself is working as documented — it stores the permission rules you approve. The exposure happens when raw credentials enter those rules or the workspace. Keys the agent never holds can't be cached or published.
Outloop is built for iterative coding-agent workflows like Claude Code; it does not claim official platform support beyond what is verified. Claude Code is an independent tool — names and logos belong to their respective owners.
What the Lakera study actually found
Lakera scanned ~46,500 npm packages and found 428 packages shipping a .claude/settings.local.json file (April 2026). Of those, 33 files across 30 packages — roughly one in thirteen settings files that shipped — contained something sensitive. The same year, GitGuardian measured Claude Code-assisted commits leaking secrets at 3.2% versus a 1.5% baseline. The full sourced numbers live on our credential leak statistics page.
What settings.local.json is — and the gap
Per Anthropic's documentation, it is the per-project local settings file: personal preferences plus the permission rules you approve. Choose "Yes, don't ask again" for a shell command and that command is written there permanently for the project — including anything embedded in it. Anthropic documents that Claude Code configures git to ignore the file when it creates it. What the docs do not cover is npm: publishing uses the files field and .npmignore, not your gitignore alone — and that mismatch is exactly how 428 packages shipped the file.
What to check today
1. Before publishing, run npm pack --dry-run and confirm no .claude/ directory appears in the tarball.
2. Add .claude/ to .npmignore, or better, use an explicit files allowlist in package.json.
3. Open your existing settings.local.json files and look at the approved commands — if any embed a credential, rotate it.
4. Stop typing raw credentials into agent commands and prompts — the cache can only persist what enters the workflow.
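The first and third checks above can be automated before publishing. The following is an added example, not code from Anthropic, Lakera or Outloop: it assumes the parsed output of npm pack --dry-run --json (an array of objects with files[].path) and that approved rules are strings under permissions.allow; the patterns, function names and sample data are constructed for illustration.

```javascript
// Heuristic credential shapes; extend for the providers you actually use.
const SECRET_PATTERNS = [
  { name: "key=value assignment",
    re: /\b[A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*\s*=\s*['"]?[^\s'")]{8,}/i },
  { name: "bearer token", re: /\bBearer\s+[A-Za-z0-9._~+\/-]{16,}/ },
  { name: "credentials in URL", re: /\b[a-z][a-z0-9+.-]*:\/\/[^\s\/:@]+:[^\s\/@]+@/i },
];

// Check 1: tarball entries that sit under a .claude/ directory.
// packJson is the parsed output of `npm pack --dry-run --json` (assumed shape).
function findClaudeFiles(packJson) {
  return packJson
    .flatMap((pkg) => (pkg.files ?? []).map((f) => f.path))
    .filter((p) => p.split("/").includes(".claude"));
}

// Check 3: approved rules that embed a credential-shaped string.
// Assumes rules are strings under permissions.allow. Only the rule index is
// reported, so the audit output does not copy the secret into CI logs.
function findSecretRules(settings) {
  const rules = settings?.permissions?.allow ?? [];
  return rules.flatMap((rule, index) => {
    const hit = SECRET_PATTERNS.find(({ re }) => re.test(String(rule)));
    return hit ? [{ index, pattern: hit.name }] : [];
  });
}

function audit(packJson, settings) {
  const shipped = findClaudeFiles(packJson);
  const rulesToRotate = findSecretRules(settings);
  return { shipped, rulesToRotate, ok: shipped.length === 0 && rulesToRotate.length === 0 };
}

// Constructed sample inputs (not real data; the key and token are placeholders).
const samplePack = [{ name: "example-pkg", files: [
  { path: "package.json" }, { path: "dist/index.js" },
  { path: ".claude/settings.local.json" },
] }];
const sampleSettings = { permissions: { allow: [
  "Bash(npm run test:*)",
  "Bash(EXAMPLE_API_KEY=constructed-not-a-real-key-0000 node scripts/sync.js)",
  "Bash(curl -H 'Authorization: Bearer constructedplaceholdertoken0000' https://api.example.invalid/v1/items)",
] } };

console.log(JSON.stringify(audit(samplePack, sampleSettings), null, 2));
```

To run it on a real project, parse the output of npm pack --dry-run --json and the contents of .claude/settings.local.json, pass both to audit, and fail the publish step when ok is false.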
The structural fix: keys the agent never holds can't be cached
Checklists reduce the odds; structure removes the category. If the third-party keys your workflows use never enter the workspace — the agent requests an approved action and a local broker applies the credential host-side — then there is nothing for a settings cache, a file history, or an npm tarball to leak. That is the pattern behind Claude Code API key management and it matters most when workflows run iteratively across many client workspaces.
Outloop is in commercial beta (controlled design-partner prep), verified on the founder's Mac; Apple signing/notarization and second-machine reproduction are still in progress. See the security model.
Nothing sensitive in the workflow. Nothing sensitive in the cache.
Outloop is accepting qualified AI agencies, operators, and dev shops into commercial beta.