Summarizer

Client Attestation DRM

Examination of the Zig-level binary attestation system that cryptographically proves requests come from official Claude Code clients, and its role in the OpenCode legal disputes

← Back to The Claude Code Source Leak: fake tools, frustration regexes, undercover mode

The debate centers on whether Claude Code’s cryptographic attestation effectively prevents third-party clients like OpenCode or if Anthropic primarily relies on behavioral profiling and delayed enforcement to flag unauthorized subscription usage. While some users question the spoofability of Bun-based binary signing, others suggest that the current API leniency is a tactical move to avoid providing an "oracle" that would help attackers refine their bypass methods. Ultimately, the consensus suggests that software-level protections are increasingly fragile, as LLM-powered reverse engineering tools make non-hardware-assisted attestation nearly impossible to maintain against determined developers.

10 comments tagged with this topic

View on HN · Topics
Can someone clarify how the signing can't be spoofed (or can it)? If we have the source, can't we just use the key to now sign requests from other clients and pretend they're coming from CC itself?
What signing? Are you referencing the use of Claude subscription authentication (oauth) from non-Claude Code clients? That’s already possible, nothing prevents you from doing it. They are detecting it on their backend by profiling your API calls, not by guarding with some secret crypto stuff. At least that’s how things worked last week xD
I'm referring to this signing bit: https://alex000kim.com/posts/2026-03-31-claude-code-source-l... Ah, it seems that Bun itself signs the code. I don't understand how this can't be spoofed.
Ah yes, the API will accept requests that don't include the client attestation (or the fingerprint from src/utils/fingerprint.ts). At least it did a couple of weeks back. They are most likely using these as post-fact indicators and have automation that kicks in after a threshold is reached. Now that the indicators have leaked, they will most likely be rotated.
> Now that the indicators have leaked, they will most likely be rotated. They can't really do that. Now they have no way to distinguish "this is a user of a non updated Claude code" from "this is a user of a Claude code proxy".
Assuming Claude Code was used. If OpenCode or some other programmatic method was used, the "fake tool calls" won't be added.
A few weeks ago I was using Opus and Sonnet in OpenCode. Is this not possible anymore?
It's still possible but if you do it using your Claude Max plan, it's technically no longer allowed. They don't want you using your subscription outside of Claude Code. Only API key usage is allowed. Google also doubled down on this and OpenAI are the only ones who explicitly allow you to do it.
re: binary attestation: "Whether the server rejects that outright or just logs it is an open question" ...what we did at Snap was just wait for 8-24 hours before acting on a signal, so as not to provide an oracle to attackers. Much harder to figure out what you did that caused the system to eventually block your account if it doesn't happen in real-time. (Snap's binary attestation is at least a decade ahead of this, fwiw)
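The two comments above describe the same defensive pattern from opposite sides: the server keeps accepting requests that lack the attestation or fingerprint, records each missing indicator as a post-fact signal, and acts only after a threshold is crossed and a delayed, non-real-time window has elapsed, so the block itself never works as an oracle for whoever is sending the traffic. The sketch below is an added illustration of that pattern and is not code from the leaked Claude Code source, from Anthropic or from Snap. The header names, signal weights, threshold, the 8-24 hour window and the per-account delay derivation are all constructed assumptions.

```python
"""Post-fact abuse scoring with delayed enforcement (added example).

Constructed illustration of the pattern discussed in the thread:
requests missing client attestation or fingerprint are still served,
each gap adds to a per-account score, and enforcement happens only
after a threshold is crossed plus a delay of 8-24 hours, so the
moment of blocking does not reveal which request tripped it.
Header names, weights, threshold and delay window are assumptions.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed indicator weights; the real values are not on the page.
SIGNAL_WEIGHTS = {"missing_attestation": 3, "missing_fingerprint": 2}
THRESHOLD = 20                 # score at which an account is queued for action
MIN_DELAY_S = 8 * 3600         # lower bound of the deferred-action window
MAX_DELAY_S = 24 * 3600        # upper bound of the deferred-action window


@dataclass
class Request:
    account: str
    ts: float                  # epoch seconds
    headers: Dict[str, str]


@dataclass
class AccountState:
    score: int = 0
    action_due_ts: Optional[float] = None
    enforced: bool = False
    signals: List[str] = field(default_factory=list)


def extract_signals(req: Request) -> List[str]:
    """Return the post-fact indicators present on one request (header names assumed)."""
    found = []
    if "x-client-attestation" not in req.headers:
        found.append("missing_attestation")
    if "x-client-fingerprint" not in req.headers:
        found.append("missing_fingerprint")
    return found


def deterministic_delay(account: str, salt: str) -> float:
    """Per-account delay in [MIN_DELAY_S, MAX_DELAY_S), derived from a server secret.

    Keyed on a secret salt so the delay cannot be measured by retrying from
    a fresh account and comparing timings.
    """
    digest = hashlib.sha256(f"{salt}:{account}".encode()).digest()
    frac = int.from_bytes(digest[:8], "big") / 2**64   # uniform in [0, 1)
    return MIN_DELAY_S + frac * (MAX_DELAY_S - MIN_DELAY_S)


class Enforcer:
    """Serves requests, accumulates indicators, and acts on a delayed schedule."""

    def __init__(self, salt: str = "constructed-secret-salt") -> None:
        self.salt = salt
        self.accounts: Dict[str, AccountState] = {}

    def observe(self, req: Request) -> str:
        """Decide the response for one request.

        Returns "accept" for every request until enforcement has actually
        been applied; crossing the threshold only schedules a future action.
        """
        st = self.accounts.setdefault(req.account, AccountState())
        if st.enforced:
            return "blocked"
        for sig in extract_signals(req):
            st.score += SIGNAL_WEIGHTS[sig]
            st.signals.append(sig)
        if st.score >= THRESHOLD and st.action_due_ts is None:
            st.action_due_ts = req.ts + deterministic_delay(req.account, self.salt)
        return "accept"

    def run_enforcement(self, now: float) -> List[str]:
        """Batch job: enforce on accounts whose deferred window has elapsed."""
        acted = []
        for account, st in self.accounts.items():
            if not st.enforced and st.action_due_ts is not None and now >= st.action_due_ts:
                st.enforced = True
                acted.append(account)
        return acted


if __name__ == "__main__":
    e = Enforcer()
    # Constructed traffic: an official-looking client sends both headers,
    # a third-party client sends neither.
    for i in range(4):
        e.observe(Request("alice", 1000.0 + i, {"x-client-attestation": "sig", "x-client-fingerprint": "fp"}))
        print("bob:", e.observe(Request("bob", 2000.0 + i, {})))   # "accept" each time
    print("7h later:", e.run_enforcement(2003.0 + 7 * 3600))       # []
    print("24h later:", e.run_enforcement(2003.0 + 24 * 3600))     # ["bob"]
```

The point the thread makes is visible in `observe`: the fourth unattested request pushes the score to the threshold, yet the caller still gets "accept", and the block only lands in a later `run_enforcement` pass. A rotated indicator set (the concern raised earlier in the thread) is just a change to `extract_signals` and `SIGNAL_WEIGHTS`; the scoring and delay machinery is unchanged.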
LLMs and radare2 absolutely breeze through undoing binary protection and virtualization, tracing execution flow, etc. Sans the ability to JIT, I don't see non-hardware-assisted binary attestation for Snap and others lasting very long in a post-LLM world.