> ## Documentation Index
> Fetch the complete documentation index at: https://braintrust.dev/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Claude Agent SDK API keys recorded in trace metadata

> Understand whether Claude Agent SDK traces contain API keys, how to detect affected spans safely, and how to upgrade and rotate credentials.

export const plans_0 = "Any"

export const deployments_0 = "Any"

export const data_plane_version_0 = undefined

export const use_case_0 = "Use case - Determine whether Braintrust Claude Agent SDK instrumentation recorded an API key in trace metadata and remediate affected credentials"

<Note>
  **Applies to:**

  * Plan - {plans_0}
  * Deployment - {deployments_0}
  * {data_plane_version_0}
  * {use_case_0}
</Note>

## Summary

A bug in Braintrust's Claude Agent SDK instrumentation could record API keys passed through `query({ options: { apiKey } })` in Braintrust trace metadata.

See [GitHub security advisory GHSA-h8xp-g5cq-35xw](https://github.com/braintrustdata/braintrust-sdk-javascript/security/advisories/GHSA-h8xp-g5cq-35xw) for the complete impact statement, affected versions, technical details, and workarounds.

<Warning>
  Upgrade to `braintrust` v3.23.1 or later, then rotate every API key that may have been recorded. Upgrading prevents new exposure but does not remove keys from existing traces.
</Warning>

## Frequently asked questions

### Is my application affected?

Your application is affected only when all of these conditions apply:

* It uses the `braintrust` JavaScript package v0.4.0 through v3.23.0.
* It instruments the Anthropic Claude Agent SDK with `wrapClaudeAgentSDK()` or Braintrust auto-instrumentation.
* It passes an API key directly through `options.apiKey` when calling `query()`.

The [security advisory](https://github.com/braintrustdata/braintrust-sdk-javascript/security/advisories/GHSA-h8xp-g5cq-35xw) includes the complete version and instrumentation details.

### Were keys supplied through environment variables affected?

No. Keys supplied through `process.env.ANTHROPIC_API_KEY` were not captured. Values supplied through `options.env` were also not captured because the instrumentation did not include the `env` option in span metadata.

### How do I check for affected traces?

Run this query in the [**SQL sandbox**](https://www.braintrust.dev/app/~/sql) for each project that contains Claude Agent SDK traces. Replace `<PROJECT_ID>` with the project's ID. The query identifies affected spans without returning API key values.

```sql theme={"theme":{"light":"github-light","dark":"github-dark-dimmed"}}
SELECT
  created,
  root_span_id,
  id AS row_id,
  span_id,
  metadata.apiKey IS NOT NULL AS contains_api_key
FROM project_logs('<PROJECT_ID>', shape => 'spans')
WHERE created >= '2025-10-02'
  AND span_attributes.name = 'Claude Agent'
  AND metadata.apiKey IS NOT NULL
ORDER BY created DESC
LIMIT 1000
```

A row where `contains_api_key` is `true` confirms that a key was stored. Do not select `metadata.apiKey` or share raw affected span metadata in tickets, chat messages, or screenshots.

### What should I do if the query returns affected traces?

1. Upgrade the `braintrust` JavaScript package to v3.23.1 or later and redeploy your application.
2. Revoke and replace every API key that may have been recorded.
3. Update your application to use the replacement credentials.

Rotate affected credentials even if you plan to delete the traces. Deleting stored data cannot invalidate a credential that someone may already have viewed.

### Was the npm package or publishing process compromised?

No. This issue was an implementation bug in Braintrust-maintained instrumentation, not a supply chain attack or a compromise of the npm package, build, or publishing process.
