1
2 Comments

How We Stopped Worrying About Client-Side Tracking and Switched to API-First — 3 Months of Zero Bans

Three months ago, an unverified community report on Reddit claimed that decompiling the Claude Code binary revealed embedded tracking logic. The post alleged the client was checking timezone and proxy settings, then fingerprinting users through a Unicode apostrophe inserted into the System Prompt. Worth noting: this remains a single, unverified report. Anthropic has not acknowledged it, and we haven't independently confirmed the decompilation. But it was enough to make us ask a question we should have asked much earlier: what exactly is the client sending home?

We were using Claude Code daily at that point. Six developers. Multiple projects. That Reddit post — substantiated or not — triggered a team-wide conversation about something we'd been ignoring.


The Problem We Had to Solve

We had two problems, and they were connected.

The first was practical. We were paying $200/month for Claude Max. One account. Six people. To be direct: this was a ToS violation. Anthropic's pricing is per-seat, and we were sharing one seat across six developers. Their fraud detection flagged us within the first week — six different IPs hitting one subscription looks exactly like what it was. We tried residential proxies, dedicated IPs, staggered usage schedules. Nothing worked consistently. We'd go a week without issues, then someone would get locked out right before a deadline.

The second problem was architectural. Even if we somehow solved the ban problem, the Reddit report — whether accurate or not — exposed a structural reality: any client-side binary with local permissions can collect whatever it wants. Timezone, language settings, proxy configs, installed fonts. And we had no way to know what any given update might start checking. The trust model of running opaque binaries just to call a REST API felt increasingly hard to justify.


The Insight That Changed Our Approach

Here's the thing we kept missing: using Claude's models and using the Claude Code client are two completely separate decisions.

Anthropic doesn't only offer Claude through their proprietary client. They have a REST API. You can call it from any tool — VS Code plugins, terminal scripts, Cursor, whatever. The API doesn't know what OS you're on or what timezone you're in. It just receives JSON with a model parameter and messages.

So we asked ourselves: why are we routing through a client whose data collection surface we can't audit, when we can route through a pipe we fully control?


What We Built

We set up a local proxy on one machine. It's a lightweight service that does three things:

  1. Strips client metadata. Every outbound request gets sanitized — no extra headers, no environment info, nothing but the model name and conversation content.
  2. Holds the real API credentials. The proxy has the actual API key. Nobody else on the team ever sees it.
  3. Issues virtual keys. Each developer gets a derived key with their own quota, rate limit, and model whitelist. From the API's perspective, all traffic comes from one IP, one account, normal usage patterns.

The setup is dead simple on the developer side. We just changed our API endpoint to http://localhost:27200. Done. Everyone keeps using their preferred tools. VS Code. Cursor. Shell scripts. Nothing changes except where the requests go.

An important honesty note for anyone evaluating this approach: virtual keys + a shared API billing account still means one API key serves multiple people. Most model providers' API ToS are structured around per-organization usage rather than per-seat login restrictions, so this arrangement is materially different from the account-sharing we described earlier. But if you're procuring for an enterprise, you should read the relevant API terms yourself and decide your comfort level. We're not lawyers, and this isn't legal advice — it's just what worked for us.


Why Multi-Provider Matters More Than Any Single Vendor Fix

This is where the architecture delivers value that goes far beyond the tracking concerns that started it.

Once the proxy is in place, adding a new model provider takes about five minutes. We now route through OpenAI, Anthropic, and Gemini from the same endpoint. Developers don't think about which vendor they're using — they just pick a model and the proxy handles the rest.

Why this matters:

  • No vendor lock-in. If one provider has an outage, raises prices, or changes their API, we switch models without changing a single line of developer code. The proxy abstracts all of that.
  • Model routing becomes a business decision, not a technical migration. We moved a project from Claude 3.5 Sonnet to GPT-4o last month because the cost-per-task was 40% lower. The migration was a config change in the proxy. The developers didn't even notice.
  • One audit surface. Instead of auditing six different client binaries from six different vendors, we audit one proxy. The attack surface for data collection collapses from "every AI tool on every developer's machine" to "one service on one machine."
  • Cost comparison across providers is actually possible. We can see, per project, what OpenAI costs vs. Anthropic vs. Gemini for the same type of tasks. Before this, comparing providers meant guessing from aggregate monthly bills.

The tracking concern got us to build the proxy. The multi-provider capability is what made it indispensable. If you're setting this up, lead with the multi-provider story — it's the part that scales.


The Transition: What Actually Happened Day By Day

I want to be honest about the migration because these "we just switched" stories usually skip the messy parts.

Day 1: We spent about 3 hours setting up the proxy. Most of that time was reading documentation, not actual configuration. The proxy itself is maybe 50 lines of config once you understand it.

Day 2: We migrated two developers as a pilot. One used Cursor, the other used a terminal-based workflow. Both just changed one environment variable (OPENAI_BASE_URLhttp://localhost:27200/v1) and everything kept working. That was the moment we knew this approach was viable.

Day 3-5: We migrated the rest of the team. One developer had a custom script that hardcoded the Anthropic endpoint — that took an extra 10 minutes to update. Another was using a plugin that didn't support custom endpoints, so they switched to a different plugin. Total friction: maybe 30 minutes across the team.

Day 6: We revoked the old shared Claude Max password. No more shared logins. Everyone on virtual keys. The Claude Max subscription was cancelled and replaced with API billing across multiple providers.

The whole transition took less than a week, and most of that was just coordination — waiting for people to be available to make the switch. The technical part was the easy part.


The Results (Numbers)

We've been running this setup for about a month now across six developers. Here's what changed:

  • Bans: 0. Previously we averaged one lockout every 1-2 weeks. Complete elimination (now using legitimate API access rather than shared subscription credentials).
  • Onboarding time: from 30 minutes to 2 minutes. New team members used to need account registration, credit card setup (which failed half the time for international cards), and proxy configuration. Now we issue a virtual key and send them an endpoint URL.
  • Offboarding: instant. When a contractor finished their engagement, we revoked their virtual key. It took effect within minutes. The real API credentials never left our control.
  • Cost visibility: actually useful now. We can see who used what model, how many tokens, and what it cost — broken down by project, person, and provider. Before this, we had one lump bill and no idea who spent what.

What We Learned

The community report that started this wasn't really about Claude specifically. Verified or not, it exposed a universal truth about any client-side tool: if a binary runs on your machine with local permissions, it can collect whatever it wants. You can't audit every update. You can't predict every detection vector.

The defense isn't "find and block all trackers." It's architectural: don't run the client. Use the API. Put a proxy in the middle that you control.

And the multi-provider angle — the ability to route through OpenAI, Anthropic, and Gemini from one endpoint — is where the real staying power is. The proxy eliminates vendor lock-in, collapses your audit surface, and lets you make model decisions based on cost and quality, not migration overhead, on a per-task basis.


What We'd Do Differently

If we were starting over, we'd skip the six-month saga of fighting bans with residential proxies and IP rotation. We'd go straight to API + local proxy from day one. The monthly cost is comparable (API pricing vs. subscription), and the operational overhead is essentially zero once it's running.

The one downside: you need someone on the team who's comfortable setting up a proxy service. It's not hard — a few dozen lines of config — but it's not plug-and-play either. Tools are emerging to make this easier, and I expect this will be a standard part of any AI-heavy dev team's stack within a year or two.


TL;DR

  • An unverified community report about client-side tracking in Claude Code prompted us to rethink our architecture — not as confirmed fact, but as a structural question worth taking seriously
  • Any client-side tool can collect local data; the only real defense is not running the client
  • Switch to API + local proxy: full model access, zero metadata exposure, and one audit surface instead of many
  • Virtual keys + API billing eliminate the operational headaches of shared subscriptions; be aware this is a different ToS arrangement than per-seat licensing
  • The multi-provider capability (OpenAI + Anthropic + Gemini through one endpoint) is the architecture's most durable value — no vendor lock-in, switching models is a config change, and cross-provider cost comparison is finally possible

If you're dealing with similar scaling pains around AI access for your team, we've open-sourced our approach. Happy to share details: https://aikeylabs.com/zh/i/ih16

Enterprise: [email protected]

posted to Icon for group AI Tools
AI Tools
on July 3, 2026
  1. 1

    The API + local-proxy architecture is genuinely sound, and the offboarding point (revoke a virtual key, done, real credentials never exposed) is the strongest practical argument here. That alone justifies the pattern for any team sharing AI access.

    One honest flag, said as someone who's followed your TokenOps posts: the opening tracking claim is doing a lot of load-bearing work, and it's presented as settled fact ("decompiled, found tracking, Unicode apostrophe in the system prompt") sourced to a single Reddit post. That's a serious accusation, and if it turns out to be misread or unverified, it undermines the genuinely good architectural argument that follows. The proxy case stands on its own merits (subscription-sharing bans, offboarding, cost attribution) without needing the conspiracy hook. I'd lead with the operational wins and treat the tracking story as "here's what prompted us to look," clearly flagged as an unverified report, rather than the factual centerpiece. Right now the strongest part of your post is riding on the least verifiable part.

    Separately, worth being clear-eyed on one thing: sharing one subscription across six people via virtual keys solves the fraud-flagging symptom, but it's routing around the provider's per-seat terms. That's fine to do, but it's worth naming honestly rather than framing purely as a privacy win, because a buyer evaluating this needs to know the ToS posture they're adopting.

    The multi-provider angle (one proxy, OpenAI + Gemini + Anthropic behind it) is the actually durable value. That's where this becomes infrastructure rather than a workaround. Is that the direction you're taking it?

    1. 1

      Appreciate the honest read — this is the kind of feedback that actually makes the work better, and it's rare to get it from someone who's followed the series closely enough to call things out with this level of precision.

      You're right on all three fronts.

      The tracking claim carried more weight than it could bear given the single-source nature of it. It should have been flagged as unverified from the start — the architectural argument doesn't need it, and tying the strongest part of the post to the least verifiable part was a structural mistake on my end.

      The ToS point is also fair. Framing the virtual key setup purely as a privacy win sidesteps what's actually happening at the commercial layer, and anyone evaluating this for their own team deserves to know exactly what tradeoff they're making. I should have named it directly.

      And agreed on the multi-provider angle. That's the part that scales — abstracting the vendor layer so model routing becomes a config change, not a migration. It's where this stops being a workaround and becomes infrastructure. That's the direction we're building toward, and it probably should have been the lede from day one.

      Thanks again for holding it to a higher standard.

Trending on Indie Hackers
The feature you're most sure about is the one you should question first User Avatar 116 comments The hardest part isn't building anymore User Avatar 114 comments 5 days post-launch: Top 50 on Product Hunt, zero signups, and why I think that's actually fine User Avatar 100 comments I let 3 LLMs argue on the famous AI "Car wash: Walk or Drive" problem to prove a point. User Avatar 50 comments Before you build another feature, use this workflow User Avatar 45 comments Built a local-first privacy extension. Looking for feedback. User Avatar 36 comments