upvote

points

by stavros3 hours ago |
comments
upvoteby MadsRC2 hours ago|
[-]
What signing?

Are you referencing the use of Claude subscription authentication (oauth) from non-Claude Code clients?

That’s already possible, nothing prevents you from doing it.

They are detecting it on their backend by profiling your API calls, not by guarding with some secret crypto stuff.

At least that’s how things worked last week xD

reply
upvoteby stavros2 hours ago|
parent|
[-]
I'm referring to this signing bit:

https://alex000kim.com/posts/2026-03-31-claude-code-source-l...

Ah, it seems that Bun itself signs the code. I don't understand how this can't be spoofed.

reply
upvoteby MadsRC2 hours ago|
parent|
[-]
Ah yes, the API will accept requests that doesn’t include the client attestation (or the fingerprint from src/utils/fingerprint.ts. At least it did a couple of weeks back.

They are most likely using these as post-fact indicators and have automation they kicks in after a threshold is reached.

Now that the indicators have leaked, they will most likely be rotated.

reply
upvoteby Galanwe1 hours ago|
parent|
[-]
> Now that the indicators have leaked, they will most likely be rotated.

They can't really do that. Now they have no way to distinguish "this is a user of a non updated Claude code" from "this is a user of a Claude code proxy".

reply