Your Claude Code agent has shell access, your .env, and a git remote. Here is how the API key leak actually happens and how to triage it.

You wake up to a $3,800 Anthropic bill and a Slack ping from a stranger thanking you for the free Claude credits. Your Claude Code agent committed your .env to a feature branch three nights ago, your ANTHROPIC_API_KEY hit a public fork by morning, and a scraper had it inside of an hour. The agent did exactly what you told it to do. You told it to fix the test setup, and it staged everything in the working directory because that was the path of least friction. Nobody wrote a malicious prompt. Nobody breached anything. You gave a fast, eager coding agent shell access and a git remote, and it shipped your secret like it would ship any other file. This is the new shape of the API key leak for vibe coders. Not a misconfigured S3 bucket. Not a phished employee. An agent on your laptop, running with your credentials, helpfully checking in everything it touched. The triage starts before the next push, not after the bill clears.

02 Your agent has hands and a wallet

Claude Code is not a chat window. It runs git add, it edits files, it executes your test suite, it can curl your localhost. When you point it at a repo, it sees your .env, your .envrc, your ~/.aws/credentials, and your gh CLI token cached at ~/.config/gh/hosts.yml. None of that is a bug. That is the product. The problem starts when the agent's idea of helpful includes committing untracked files, writing logs to disk that contain env values, or pasting a stack trace into a code comment that includes your STRIPE_SECRET_KEY. One concrete bug path: you ask the agent to debug a failing webhook handler. It adds a console.log of the entire request object, which includes your STRIPE_WEBHOOK_SECRET in the signature header. It commits. The commit goes to a public branch on your indie repo. GitHub's secret scanning catches it forty minutes later, but it never matches your ANTHROPIC_API_KEY in the same file, because to a generic regex it looks like base64 noise. Check today: run git log --all --full-history -p -- .env and the same for .env.local. If anything comes back that is not an empty commit, your keys are already out. Also run gh secret list --repo your/repo and confirm no production keys are sitting as plain env values in your repo root.

03 How the key actually walks out

The Anthropic key leak is the easy one to imagine, but it is rarely the most expensive. The pattern that drains the most money in a single weekend is your agent leaking a key with billing attached and a generous quota: ANTHROPIC_API_KEY, OPENAI_API_KEY, your Supabase service_role key, an AWS access key. Once the key is public, a Cloudflare worker somewhere starts a loop, and your usage dashboard goes vertical. Three walk-out paths I have seen on founder repos this quarter.

First, the .env commit. Agent stages everything, you do not read the diff, the push goes through. Fix: a pre-commit hook that hard-fails on any line matching sk-ant-, sk-, xoxb-, AKIA, or eyJ.

Second, the Vercel preview leak. Your agent writes a debug page at /api/_debug that returns process.env. You push, Vercel builds a preview URL, the URL ends up in the PR comment, a bot indexes it. Check: grep -r process.env app/api/ pages/api/ and confirm no route returns the whole object.

Third, the screen share. You demo your agent on a stream or a Loom, and the scrollback includes the line where it printed export ANTHROPIC_API_KEY while setting up your shell. Loom transcripts get indexed. Search site:loom.com for your key prefix and pray.
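One way to write the pre-commit hook from the first path, as an added example that is not the article's or any vendor's code: it scans only the added lines of the staged diff and reports the file name without echoing the key. The minimum lengths after each prefix are assumptions made here so that a bare sk- does not fire on ordinary words.

```sh
#!/bin/sh
# Added example (not from the article): pre-commit hook for the key prefixes
# named above. The minimum tail lengths are assumptions chosen to cut noise;
# a bare "sk-" would also fire on words such as "task-runner".
SECRET_RE='sk-ant-[A-Za-z0-9_-]{8,}|sk-[A-Za-z0-9_-]{20,}|xoxb-[A-Za-z0-9-]{10,}|AKIA[A-Z0-9]{16}|eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]+'

# Reads a unified diff on stdin. Prints "blocked: <file>" for every added line
# that matches, never the line itself, so the key stays out of scrollback.
# Returns 1 if anything matched, 0 otherwise.
scan_added_lines() {
  file='' in_hunk=0 found=0
  while IFS= read -r line; do
    case $line in
      'diff --git '*) in_hunk=0 ;;
      '@@ '*)         in_hunk=1 ;;
      '+++ '*)        # a file header only outside a hunk; inside, it is content
                      [ "$in_hunk" -eq 1 ] || { file=${line#+++ }; file=${file#b/}; } ;;
    esac
    [ "$in_hunk" -eq 1 ] || continue
    case $line in
      '+'*)
        if printf '%s\n' "$line" | grep -Eq -e "$SECRET_RE"; then
          printf 'blocked: %s\n' "$file"
          found=1
        fi ;;
    esac
  done
  return "$found"
}

# Runs only when this file is installed as .git/hooks/pre-commit.
case ${0##*/} in
  pre-commit)
    if ! git diff --cached --no-color --no-ext-diff -U0 | scan_added_lines >&2; then
      echo 'commit aborted: unstage the file; rotate the key if it was ever pushed' >&2
      exit 1
    fi ;;
esac
```

Save it as .git/hooks/pre-commit and mark it executable; the scan does nothing until the file is invoked under that name.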

04 Triage before it touches production

Treat the Claude Code agent like a new hire on day one with sudo access. Rotate any key the agent has read in the last 90 days, because you do not actually know where each one went. Anthropic, OpenAI, Supabase service_role, Stripe restricted keys, GitHub PAT, Vercel deploy hooks: rotate them all, then reissue as scoped tokens with expirations. Then lock the agent down. Move secrets out of .env files in the repo and into your platform's secret manager: Vercel env vars marked Sensitive, Supabase Vault, Doppler, 1Password CLI. Add .env* to .gitignore at the root and inside every subpackage, because monorepos love to forget. Wire up a pre-commit hook with gitleaks or trufflehog. Turn on GitHub push protection on the repo, not just the org, and confirm it actually blocks by trying to push a clearly fake test key. The boring step is the last one. After every Claude Code session that touched secrets or auth code, audit the diff line by line before you push. Not the summary the agent gave you. The actual diff. Guardian was built for this exact triage. We scan your repo, your Vercel project, and your live endpoints for leaked keys, exposed debug routes, and the /api/_debug style mistakes Claude Code leaves behind. Run it after every agent session that touched production code, and you will catch the leak before the scraper does.
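The history check from section 02 and the .gitignore step above, combined into one added audit script (not the article's or Guardian's code). It widens the check to every .env* path in any directory and asks git itself whether a new .env would be ignored; it assumes a subpackage is any directory with a tracked package.json, and audit-env.sh is a hypothetical file name.

```sh
#!/bin/sh
# Added example (not from the article): widens the article's
# `git log --all --full-history -p -- .env` check to every .env* path in any
# directory, and verifies the .gitignore advice per subpackage.
# Assumption: a "subpackage" is any directory with a tracked package.json.

# Every .env* path that appears in any commit on any ref, deleted or not.
# Names only: -p is left out so key values are not printed to the terminal.
env_files_in_history() {
  git log --all --full-history --name-only --format= -- ':(glob)**/.env*' |
    grep -v '^$' | sort -u
}

# .env* files still tracked in the index; .gitignore does not untrack them.
env_files_tracked() {
  git ls-files -- ':(glob)**/.env*'
}

# Package directories where a new .env would NOT be ignored.
unignored_env_dirs() {
  git ls-files -- ':(glob)**/package.json' | while IFS= read -r manifest; do
    dir=$(dirname "$manifest")
    git check-ignore -q -- "$dir/.env" || printf '%s\n' "$dir"
  done
}

# Report when run inside a repository as audit-env.sh (hypothetical file name).
case ${0##*/} in
  audit-env.sh)
    echo '== .env* paths in history (treat every key in them as leaked) =='
    env_files_in_history
    echo '== .env* paths still tracked (git rm --cached them) =='
    env_files_tracked
    echo '== package dirs where .env is not ignored =='
    unignored_env_dirs ;;
esac
```

A path listed under history stays reachable after the file is deleted in a later commit, so rotation is the fix for those keys, not the .gitignore entry.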

The Guardian Team
Security for apps built with AI.
