Install command
Not provided
Set Claude Code environment variables correctly and debug auth, model, and config issues using only documented variables and the /doctor diagnostics.
Open the source and read safety notes before installing.
Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.
Decision playbook
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
0
78
—
No baseline selected
No major trust-signal divergence detected in the current selection.
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Source provenance statusRequired
Marked as source-backed.
Metadata reviewed
Registry metadata indicates a reviewed listing.
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Trust level risk gateRequired
Trust level does not block evaluation.
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Package verification flag
No package verification flag provided.
Checksum metadata
No checksum provided for downloaded artifact.
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
Baseline comparison available
No baseline peer selected yet.
Diverging trust signals identified
No major trust-signal divergence found.
Setup at a glance
Copy-ready — paste the snippet to get started.
Install command
Not provided
Config snippet
Not provided
Copy snippet
Provided
Prerequisites
None
Platforms
1 listed
Difficulty
40/100
Adoption plan
Current risk score 16/100. Use staged verification before broader rollout.
Validate source and review signals before any execution.
Confirm source provenanceRequired
Source URL/provenance metadata is present.
Confirm metadata review state
Listing has review metadata.
Verify install payload
Install/config payload exists and can be inspected.
Confirm safety, privacy, and package integrity signals.
Review safety notesRequired
Safety notes are present.
Review privacy notesRequired
Privacy notes are present.
Verify package integrity metadata
No package verification/checksum metadata.
Adopt in controlled steps based on the selected plan.
Run in isolated sandbox firstRequired
Use a constrained sandbox and observe behavior across multiple tasks.
Roll out graduallyRequired
Roll out to a small cohort before wider usage.
Set monitoring and fallback
Define rollback path and monitor errors after adoption.
Evidence readiness
Required evidence gates are covered (5/6 signals complete).
Source repository/provenance is listed.
Required in this preset
Review metadata is present.
Required in this preset
Safety notes are present.
Required in this preset
Privacy notes are present.
Optional in this preset
Package integrity metadata is missing.
Optional in this preset
Install payload is available.
Required in this preset
Required evidence gates are covered for this preset.
Decision timeline
5/6 steps complete with no blocking gaps for this preset.
triage
Source/provenance metadata is available.
triage
Review metadata is available.
verify
Safety notes are available.
verify
Privacy notes are available.
verify
Package integrity metadata is missing.
rollout
Install payload is available.
No required blockers for this timeline preset.
Safety & privacy surface
1 safety and 1 privacy notes across 1 risk area. Review closely: credentials & tokens.
## Overview
Claude Code is configured through a layer of environment variables on top of its settings files. Variables can come from your shell, from the `env` block in a `settings.json` file, or from CLI flags, and they generally take precedence over the matching settings field. Claude Code reads variables at startup, so changes take effect on the next launch.
When something is misconfigured, the symptoms are usually one of: the wrong account or API key is in use, the wrong model is selected, a proxy/gateway endpoint isn't being honored, or a value you set in one file is being silently overridden by another scope. This guide covers how to set the documented variables correctly and how to diagnose which layer is winning.
## Setting environment variables
You can set variables in your shell before launching Claude Code:
```bash
# macOS, Linux, WSL
export ANTHROPIC_API_KEY="sk-ant-..."
export ANTHROPIC_MODEL="claude-sonnet-4-5"
export API_TIMEOUT_MS="1200000"
claude
```
```powershell
# Windows PowerShell
$env:ANTHROPIC_API_KEY = "sk-ant-..."
$env:API_TIMEOUT_MS = "1200000"
claude
```
To apply the same variables to every session and to the subprocesses Claude Code spawns, set them under the `env` key in `settings.json` (for example `~/.claude/settings.json` for user scope, or `.claude/settings.json` in a project):
```json
{
"env": {
"API_TIMEOUT_MS": "1200000",
"BASH_DEFAULT_TIMEOUT_MS": "300000",
"DISABLE_TELEMETRY": "1"
}
}
```
For dynamically generated credentials (temporary or rotating keys), use the `apiKeyHelper` setting instead of a static key. It points at a script run in `/bin/sh`; its output is sent as the `X-Api-Key` and `Authorization: Bearer` headers, and the refresh interval is controlled by `CLAUDE_CODE_API_KEY_HELPER_TTL_MS`:
```json
{
"apiKeyHelper": "/path/to/generate_temp_api_key.sh"
}
```
> One important gotcha: variables in `settings.json` `env` do **not** propagate to MCP child processes. Set per-server `env` inside `.mcp.json` instead.
## Common environment variables
These are documented variables from the Claude Code environment variables reference. They are a subset focused on auth, model selection, endpoints, and the most common runtime knobs.
| Variable | What it does |
| :-- | :-- |
| `ANTHROPIC_API_KEY` | API key sent as the `X-Api-Key` header. When set, it overrides a Claude Pro/Max/Team/Enterprise subscription; in interactive mode you approve it once. |
| `ANTHROPIC_AUTH_TOKEN` | Custom value for the `Authorization` header (prefixed with `Bearer `). |
| `ANTHROPIC_BASE_URL` | Override the API endpoint to route through a proxy or gateway. |
| `ANTHROPIC_MODEL` | Override the default model for the session. |
| `ANTHROPIC_DEFAULT_HAIKU_MODEL` | Haiku-class model used for background tasks. |
| `ANTHROPIC_DEFAULT_SONNET_MODEL` | Sonnet-class model to use. |
| `ANTHROPIC_DEFAULT_OPUS_MODEL` | Opus-class model to use. |
| `CLAUDE_CODE_USE_BEDROCK` | Route requests through Amazon Bedrock. |
| `CLAUDE_CODE_USE_VERTEX` | Route requests through Google Vertex AI. |
| `CLAUDE_CODE_API_KEY_HELPER_TTL_MS` | Refresh interval (ms) for credentials generated by `apiKeyHelper`. |
| `API_TIMEOUT_MS` | Timeout for API requests (default 600000 / 10 min). Raise it on slow networks or proxies. |
| `BASH_DEFAULT_TIMEOUT_MS` | Default timeout for long-running Bash commands (default 120000 / 2 min). |
| `BASH_MAX_TIMEOUT_MS` | Maximum timeout the model can set for Bash commands (default 600000 / 10 min). |
| `MAX_THINKING_TOKENS` | Token budget for extended thinking; set to `0` to disable on models that support it. |
| `CLAUDE_CODE_EFFORT_LEVEL` | Effort level for the session (`low`, `medium`, `high`, `xhigh`, `max`, `auto`); takes precedence over `/effort` and the `effortLevel` setting. |
| `USE_BUILTIN_RIPGREP` | Set to `0` to use a system-installed `ripgrep` instead of the bundled binary. |
| `DISABLE_TELEMETRY` | Set to `1` to disable telemetry. |
| `DISABLE_AUTOUPDATER` | Set to `1` to disable automatic updates. |
| `CLAUDE_CONFIG_DIR` | Override the configuration directory (defaults to `~/.claude`); useful for isolating a clean config. |
For the complete list (Bedrock/Vertex/Foundry endpoints, TLS/mTLS certs, UI/terminal flags, and feature toggles), see the environment variables reference linked at the end.
## Troubleshooting
Start inside Claude Code with `/doctor`, which validates your configuration files and surfaces invalid keys, schema errors, and installation health. When it reports issues, press `f` to hand the diagnostic report to Claude and walk through fixes. If `claude` won't start at all, run `claude doctor` from your shell instead.
**A value you set seems ignored.** Settings merge across managed, user, project, and local scopes. Managed settings always win; otherwise the closer scope overrides the broader one in the order local, then project, then user. Environment variables and CLI flags act as a further override layer on top of settings. Run `/status` to see which settings sources are active (including whether managed settings are in effect). A frequent cause is the same key being set in `settings.local.json`, which overrides `settings.json`.
**Variables added globally are ignored.** `permissions`, `hooks`, and `env` belong in `~/.claude/settings.json`. If you put them in `~/.claude.json` (which only holds app state and UI toggles) they won't apply.
**MCP server starts without expected variables.** Variables in `settings.json` `env` don't propagate to MCP child processes. Move them to a per-server `env` block in `.mcp.json`. To see server stderr, run `claude --debug mcp`.
**Isolate the problem with a clean configuration.** Launch `claude --safe-mode` to disable all customizations (CLAUDE.md, skills, plugins, hooks, MCP servers, custom commands) while keeping auth, model selection, and permissions working. If the problem disappears, one of those surfaces is the cause. To bypass everything under `~/.claude` as well, create a fresh private temporary directory, point `CLAUDE_CONFIG_DIR` at an empty subdirectory inside it, and launch from a folder with no project config:
```bash
clean_root="$(mktemp -d)" && chmod 700 "$clean_root"
mkdir "$clean_root/config" "$clean_root/work"
cd "$clean_root/work" && CLAUDE_CONFIG_DIR="$clean_root/config" claude
```
On Linux and Windows you'll be prompted to log in again in the clean session because credentials live under the config directory; on macOS they're in the Keychain and carry over. Never use a fixed path in a shared temporary directory for this test, because another local user could pre-create or tamper with it. If the problem persists even here, the cause is outside your user and project configuration — check for environment variables affecting Claude Code and managed settings via `/status`.
**Search isn't finding files.** If the bundled `ripgrep` can't run on your system, install your platform's `ripgrep` package and set `USE_BUILTIN_RIPGREP=0`.
For broader installation, login, and connectivity problems, see the troubleshooting and debug-your-configuration pages linked below.Claude Code is configured through a layer of environment variables on top of its settings files. Variables can come from your shell, from the env block in a settings.json file, or from CLI flags, and they generally take precedence over the matching settings field. Claude Code reads variables at startup, so changes take effect on the next launch.
When something is misconfigured, the symptoms are usually one of: the wrong account or API key is in use, the wrong model is selected, a proxy/gateway endpoint isn't being honored, or a value you set in one file is being silently overridden by another scope. This guide covers how to set the documented variables correctly and how to diagnose which layer is winning.
You can set variables in your shell before launching Claude Code:
# macOS, Linux, WSL
export ANTHROPIC_API_KEY="sk-ant-..."
export ANTHROPIC_MODEL="claude-sonnet-4-5"
export API_TIMEOUT_MS="1200000"
claude
# Windows PowerShell
$env:ANTHROPIC_API_KEY = "sk-ant-..."
$env:API_TIMEOUT_MS = "1200000"
claude
To apply the same variables to every session and to the subprocesses Claude Code spawns, set them under the env key in settings.json (for example ~/.claude/settings.json for user scope, or .claude/settings.json in a project):
{
"env": {
"API_TIMEOUT_MS": "1200000",
"BASH_DEFAULT_TIMEOUT_MS": "300000",
"DISABLE_TELEMETRY": "1"
}
}
For dynamically generated credentials (temporary or rotating keys), use the apiKeyHelper setting instead of a static key. It points at a script run in /bin/sh; its output is sent as the X-Api-Key and Authorization: Bearer headers, and the refresh interval is controlled by CLAUDE_CODE_API_KEY_HELPER_TTL_MS:
{
"apiKeyHelper": "/path/to/generate_temp_api_key.sh"
}
One important gotcha: variables in
settings.jsonenvdo not propagate to MCP child processes. Set per-serverenvinside.mcp.jsoninstead.
These are documented variables from the Claude Code environment variables reference. They are a subset focused on auth, model selection, endpoints, and the most common runtime knobs.
| Variable | What it does |
|---|---|
ANTHROPIC_API_KEY |
API key sent as the X-Api-Key header. When set, it overrides a Claude Pro/Max/Team/Enterprise subscription; in interactive mode you approve it once. |
ANTHROPIC_AUTH_TOKEN |
Custom value for the Authorization header (prefixed with Bearer ). |
ANTHROPIC_BASE_URL |
Override the API endpoint to route through a proxy or gateway. |
ANTHROPIC_MODEL |
Override the default model for the session. |
ANTHROPIC_DEFAULT_HAIKU_MODEL |
Haiku-class model used for background tasks. |
ANTHROPIC_DEFAULT_SONNET_MODEL |
Sonnet-class model to use. |
ANTHROPIC_DEFAULT_OPUS_MODEL |
Opus-class model to use. |
CLAUDE_CODE_USE_BEDROCK |
Route requests through Amazon Bedrock. |
CLAUDE_CODE_USE_VERTEX |
Route requests through Google Vertex AI. |
CLAUDE_CODE_API_KEY_HELPER_TTL_MS |
Refresh interval (ms) for credentials generated by apiKeyHelper. |
API_TIMEOUT_MS |
Timeout for API requests (default 600000 / 10 min). Raise it on slow networks or proxies. |
BASH_DEFAULT_TIMEOUT_MS |
Default timeout for long-running Bash commands (default 120000 / 2 min). |
BASH_MAX_TIMEOUT_MS |
Maximum timeout the model can set for Bash commands (default 600000 / 10 min). |
MAX_THINKING_TOKENS |
Token budget for extended thinking; set to 0 to disable on models that support it. |
CLAUDE_CODE_EFFORT_LEVEL |
Effort level for the session (low, medium, high, xhigh, max, auto); takes precedence over /effort and the effortLevel setting. |
USE_BUILTIN_RIPGREP |
Set to 0 to use a system-installed ripgrep instead of the bundled binary. |
DISABLE_TELEMETRY |
Set to 1 to disable telemetry. |
DISABLE_AUTOUPDATER |
Set to 1 to disable automatic updates. |
CLAUDE_CONFIG_DIR |
Override the configuration directory (defaults to ~/.claude); useful for isolating a clean config. |
For the complete list (Bedrock/Vertex/Foundry endpoints, TLS/mTLS certs, UI/terminal flags, and feature toggles), see the environment variables reference linked at the end.
Start inside Claude Code with /doctor, which validates your configuration files and surfaces invalid keys, schema errors, and installation health. When it reports issues, press f to hand the diagnostic report to Claude and walk through fixes. If claude won't start at all, run claude doctor from your shell instead.
A value you set seems ignored. Settings merge across managed, user, project, and local scopes. Managed settings always win; otherwise the closer scope overrides the broader one in the order local, then project, then user. Environment variables and CLI flags act as a further override layer on top of settings. Run /status to see which settings sources are active (including whether managed settings are in effect). A frequent cause is the same key being set in settings.local.json, which overrides settings.json.
Variables added globally are ignored. permissions, hooks, and env belong in ~/.claude/settings.json. If you put them in ~/.claude.json (which only holds app state and UI toggles) they won't apply.
MCP server starts without expected variables. Variables in settings.json env don't propagate to MCP child processes. Move them to a per-server env block in .mcp.json. To see server stderr, run claude --debug mcp.
Isolate the problem with a clean configuration. Launch claude --safe-mode to disable all customizations (CLAUDE.md, skills, plugins, hooks, MCP servers, custom commands) while keeping auth, model selection, and permissions working. If the problem disappears, one of those surfaces is the cause. To bypass everything under ~/.claude as well, create a fresh private temporary directory, point CLAUDE_CONFIG_DIR at an empty subdirectory inside it, and launch from a folder with no project config:
clean_root="$(mktemp -d)" && chmod 700 "$clean_root"
mkdir "$clean_root/config" "$clean_root/work"
cd "$clean_root/work" && CLAUDE_CONFIG_DIR="$clean_root/config" claude
On Linux and Windows you'll be prompted to log in again in the clean session because credentials live under the config directory; on macOS they're in the Keychain and carry over. Never use a fixed path in a shared temporary directory for this test, because another local user could pre-create or tamper with it. If the problem persists even here, the cause is outside your user and project configuration — check for environment variables affecting Claude Code and managed settings via /status.
Search isn't finding files. If the bundled ripgrep can't run on your system, install your platform's ripgrep package and set USE_BUILTIN_RIPGREP=0.
For broader installation, login, and connectivity problems, see the troubleshooting and debug-your-configuration pages linked below.
Show that Fix Claude Code Environment Variable Configuration Errors is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/guides/fix-environment-variables)Fix Claude Code Environment Variable Configuration Errors side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
2 trust signals differ across this comparison (Source provenance, Submitter).
| Field | Set Claude Code environment variables correctly and debug auth, model, and config issues using only documented variables and the /doctor diagnostics. Open dossier | A practical guide for handling secrets when connecting MCP servers and authoring Agent SDK tools in Claude Code: env expansion in .mcp.json, OAuth scope pins, keychain storage, local scope, and redaction before tool arguments reach the model. Open dossier | Set up Claude Code in GitLab CI/CD with maintainer-approved prompts, least-privilege tool access, and Bedrock or Vertex OIDC alternatives from official GitLab integration docs. Open dossier | Set up Claude Code GitHub Actions for pull request review: install the Claude GitHub app, store ANTHROPIC_API_KEY in secrets, pin anthropics/claude-code-action to an audited commit SHA with least-privilege permissions, and follow documented security practices. Open dossier |
|---|---|---|---|---|
| Next steps | ||||
| Trust | ||||
| Review status | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed |
| Package trust | Package not verified | Package not verified | Package not verified | Package not verified |
| Source provenanceDiffers | Source-backed | Submission linkedSource submission | Submission linkedSource submission | Submission linkedSource submission |
| SubmitterDiffers | — | kiannidev | kiannidev | kiannidev |
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Brand | — | — | ||
| Category | guides | guides | guides | guides |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | JSONbored | kiannidev | kiannidev | kiannidev |
| Added | 2025-10-27 | 2026-06-16 | 2026-06-16 | 2026-06-16 |
| Platforms | Claude Code | Claude Code | Claude Code | Claude Code |
| Source repo | — | — | — | — |
| Safety notes | ✓ANTHROPIC_API_KEY overrides any active subscription and apiKeyHelper runs a shell script whose output becomes auth headers; treat both as credential-bearing configuration. | ✓Stdio MCP servers inherit environment variables you pass via --env or .mcp.json env blocks; treat that as handing the server your credentials. HTTP MCP headers and OAuth tokens authenticate outbound calls; a compromised server or overly broad scope can exfiltrate data through tool results. Agent SDK tool descriptions, inputs, and outputs enter model context each turn—never embed live secrets in schemas or sample responses. Project-scoped .mcp.json is designed for version control; use ${VAR} expansion and local scope for machine-specific secrets instead of committing raw keys. | ✓Do not run write-capable Claude jobs from untrusted MR, mention, or user-supplied prompt text without maintainer approval. Avoid Bash by default; grant exact tools only for the task, and keep --permission-mode acceptEdits out of attacker-influenced flows. Never commit API keys; store ANTHROPIC_API_KEY only in protected CI/CD variables or use cloud OIDC/WIF for protected pipelines. GitLab MCP write tools can open MRs and post comments as the job identity. | ✓The Claude GitHub app requests Contents, Issues, and Pull requests read and write permissions—scope installation to intended repositories. Never commit API keys; use GitHub encrypted secrets such as ANTHROPIC_API_KEY, and only expose them to workflows you trust. Pin third-party GitHub Actions to reviewed immutable commit SHAs rather than mutable tags. Declare least-privilege GITHUB_TOKEN permissions explicitly before enabling AI review workflows. Review Claude suggestions before merging; automation should not bypass CODEOWNERS. Workflows consume GitHub Actions minutes and Claude API tokens—set timeouts and max-turn limits. |
| Privacy notes | ✓API keys set via environment variables or settings.json are credentials; avoid committing settings files that contain them and prefer apiKeyHelper for rotating secrets. | ✓MCP tool arguments, resource contents, and error messages can contain API keys, JWTs, customer IDs, and internal URLs that flow into session transcripts. OAuth access tokens for remote MCP servers are stored in the macOS Keychain or a credentials file; revoke with Clear authentication in /mcp when offboarding. Agent SDK handlers that call external APIs may log request metadata; redact at the handler boundary before traces or support exports leave your environment. Shared .mcp.json templates should name required variables (for example API_KEY) without example values that look like real credentials. | ✓Issue titles, MR diffs, and AI_FLOW variables can enter model context during jobs; treat them as untrusted input unless a maintainer curated them. CI logs may retain prompts—align retention with corporate policy. | ✓PR diffs and issue comments are attacker-controlled on public repositories; treat them as prompt-injection input and avoid giving untrusted PRs secret-backed tool access. PR diffs and issue comments are sent to the model provider during workflow runs. Logs may retain prompts—align retention with corporate data handling rules. Use repository secrets rather than echoing credentials in workflow YAML. |
| Prerequisites | — none listed |
|
|
|
| Install | — | — | — | — |
| Config | — | — | — | — |
| Citations | ||||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |
Source-backed guides for putting this to work.
Use Agent Skills in the Claude Agent SDK: filesystem discovery via settingSources, the skills option to enable or filter, and tool access.
Loading live community signals…
A short, calm digest of reviewed Claude resources. Unsubscribe any time.