Use apiKeyHelper to Rotate Credentials Automatically
If your team uses short-lived tokens from a vault or credential manager, hardcoding an API key won't cut it. The apiKeyHelper setting lets you point Claude Code at a script that returns a fresh key on demand.
{
"apiKeyHelper": "~/.claude/get-api-key.sh"
}
Your script just needs to print a valid API key to stdout:
#!/bin/bash
# Fetch a short-lived token from your secrets manager
vault read -field=api_key secret/claude-code
Claude Code calls this script after 5 minutes of inactivity or immediately on an HTTP 401 response. If you need a different refresh interval, set the CLAUDE_CODE_API_KEY_HELPER_TTL_MS environment variable:
# Refresh every 2 minutes instead of the default 5
export CLAUDE_CODE_API_KEY_HELPER_TTL_MS=120000
One thing to watch: if your helper script takes longer than 10 seconds, Claude Code shows a warning in the prompt bar. If you're seeing that regularly, check whether your credential script can be optimised.
Note that apiKeyHelper only applies to terminal CLI sessions. Claude Desktop and remote sessions use OAuth exclusively.
Stop hardcoding keys. Let Claude Code fetch fresh credentials from your vault automatically.
Log in to leave a comment.
When Claude writes error messages, button labels, validation text, or onboarding flows, it defaults to generic developer-speak. Add a "Users" section to your CLAUDE.md describing who your actual users are — their technical level, industry jargon, and what they care about — so Claude writes copy that makes sense to THEM, not to developers.
Use the --agent flag with custom markdown files in .claude/agents/ to launch purpose-built Claude sessions with restricted tools and scoped system prompts.
Every project has traps — the billing module that silently fails if you forget to queue the job, the legacy table with column names that don't match the model, the config value that must be set before tests run. Document these gotchas in your CLAUDE.md so Claude avoids the same mistakes your team spent days debugging.