Hacker News new | ask | show | jobs
by MadsRC 72 days ago
What signing?

Are you referencing the use of Claude subscription authentication (oauth) from non-Claude Code clients?

That’s already possible, nothing prevents you from doing it.

They are detecting it on their backend by profiling your API calls, not by guarding with some secret crypto stuff.

At least that’s how things worked last week xD
1 comments
stavros 72 days ago
I'm referring to this signing bit:

https://alex000kim.com/posts/2026-03-31-claude-code-source-l...

Ah, it seems that Bun itself signs the code. I don't understand how this can't be spoofed.

link
MadsRC 72 days ago
Ah yes, the API will accept requests that doesn’t include the client attestation (or the fingerprint from src/utils/fingerprint.ts. At least it did a couple of weeks back.

They are most likely using these as post-fact indicators and have automation they kicks in after a threshold is reached.

Now that the indicators have leaked, they will most likely be rotated.

link
Galanwe 72 days ago
> Now that the indicators have leaked, they will most likely be rotated.

They can't really do that. Now they have no way to distinguish "this is a user of a non updated Claude code" from "this is a user of a Claude code proxy".

link