Use apiKeyHelper to Rotate Credentials Automatically
If your team uses short-lived tokens from a vault or credential manager, hardcoding an API key won't cut it. The apiKeyHelper setting lets you point Claude Code at a script that returns a fresh key on demand.
{
  "apiKeyHelper": "~/.claude/get-api-key.sh"
}
Your script just needs to print a valid API key to stdout:
#!/bin/bash
# Fetch a short-lived token from your secrets manager
vault read -field=api_key secret/claude-code
Claude Code calls this script after 5 minutes of inactivity or immediately on an HTTP 401 response. If you need a different refresh interval, set the CLAUDE_CODE_API_KEY_HELPER_TTL_MS environment variable:
# Refresh every 2 minutes instead of the default 5
export CLAUDE_CODE_API_KEY_HELPER_TTL_MS=120000
One thing to watch: if your helper script takes longer than 10 seconds, Claude Code shows a warning in the prompt bar. If you're seeing that regularly, check whether your credential script can be optimised.
Note that apiKeyHelper only applies to terminal CLI sessions. Claude Desktop and remote sessions use OAuth exclusively.
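A helper that hangs or prints anything besides the key fails in ways that are hard to spot, so here is a defensive version of the script above, added as an illustration and not taken from Claude Code or its documentation. The names FETCH_CMD, FETCH_TIMEOUT and get_api_key are assumptions of this sketch, and it assumes a timeout(1) command (GNU coreutils) is on the PATH.

```shell
#!/bin/sh
# Added example: defensive wrapper for an apiKeyHelper script.
# FETCH_CMD, FETCH_TIMEOUT and get_api_key are names chosen for this sketch.

# Command that prints the key; the default is the Vault call from the tip.
FETCH_CMD=${FETCH_CMD:-"vault read -field=api_key secret/claude-code"}
# Seconds before the fetch is abandoned; kept under the 10-second warning.
FETCH_TIMEOUT=${FETCH_TIMEOUT:-8}

get_api_key() {
  key='' rc=0
  # Bound the call with timeout(1) and keep the tool's stderr off stdout.
  key=$(timeout "$FETCH_TIMEOUT" sh -c "$FETCH_CMD" 2>/dev/null) || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "get-api-key: fetch failed or timed out (exit $rc)" >&2
    return 1
  fi
  # A key is one token: reject empty output and anything with whitespace,
  # such as a warning banner printed ahead of the secret.
  if [ -z "$key" ] || [ "$(printf '%s' "$key" | tr -d '[:space:]')" != "$key" ]; then
    echo "get-api-key: output is not a single token" >&2
    return 1
  fi
  # Only the key reaches stdout; diagnostics above never include it.
  printf '%s\n' "$key"
}

# Run only when installed under the file name used in the settings example.
case "${0##*/}" in
  get-api-key.sh) get_api_key ;;
esac
```

Saved as ~/.claude/get-api-key.sh and made executable, it exits non-zero with a message on stderr whenever the fetch fails, stalls, or returns something that is not a single token.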
Stop hardcoding keys. Let Claude Code fetch fresh credentials from your vault automatically.