[FEATURE] OAuth tokens should be revoked server-side on claude logout and on devcontainer shutdown to support secure workflows

[osamunoda]

Preflight Checklist

• I have searched existing requests and this feature hasn't been requested yet
• This is a single feature request (not multiple features)

Problem Statement

When using Claude Code in devcontainers for security reasons (no host mounts), a new OAuth token is issued on every container creation. Currently, neither claude logout nor closing a devcontainer in VS Code revokes the token server-side. Local credentials (~/.claude/.credentials.json or macOS Keychain via VS Code extension) are removed or abandoned, but the server-side token remains valid for up to 4 days.
Additionally, the VS Code extension and CLI store credentials in different locations (VS Code secret storage / macOS Keychain vs ~/.claude/.credentials.json), meaning a claude logout in the terminal does not necessarily affect the token held by the VS Code extension, and vice versa.
The only current workaround is to manually visit claude.ai/settings/claude-code and revoke tokens one by one — which is impractical for frequent devcontainer workflows.
As a result, orphaned valid tokens accumulate server-side with each container lifecycle, which is a security concern.

Proposed Solution

claude logout should call Anthropic's token revocation endpoint server-side, immediately invalidating the token

Closing a devcontainer in VS Code (or any container shutdown event) should also trigger server-side token revocation for any tokens associated with that session

The CLI and VS Code extension should share a unified logout mechanism so that logging out from either invalidates all associated tokens

A scriptable revocation mechanism should be provided so that devcontainer shutdown hooks can automate this process

Alternative Solutions

No response

Priority

High - Significant impact on productivity

Feature Category

CLI commands and flags

Use Case Example

No response

Additional Context

No response

[tommycarstensen]

When can we expect this to be implemented?

[NexusOne23]

Adding a data point that strengthens this request: the problem extends beyond claude logout to the web-based revocation mechanism as well.

I've documented the full scenario in #43801: After using "Log out all sessions" + explicitly revoking all Claude Code instances via claude.ai/settings/claude-code, a Claude Code extension OAuth token remained valid and functional. The client (Windows VM) was completely offline for 1-2 weeks and booted 3-4 days after revocation — token still worked without re-authentication.

This confirms that token revocation is not happening server-side regardless of the revocation method used (CLI logout, web UI, or explicit instance revocation). The suggested fix in this issue (calling the revocation endpoint server-side) is necessary but not sufficient — the server must also actually invalidate the token in its store upon revocation.

[smith6jt-cop]

Adding a use case: research computing across many endpoints
Hitting this from a different angle than the devcontainer scenario in the original report. My setup spans three local workstations (two Ubuntu, one shared lab machine), an HPC cluster accessed via VS Code dev tunnels, and occasional SSH-only sessions to the same hosts. Each claude login on each environment issues a separate server-side OAuth token, and over a few months I've accumulated dozens of entries at claude.ai/settings/claude-code. The CLI and the VS Code extension storing credentials in separate locations compounds this — claude logout in the terminal doesn't touch the VS Code-held token on the same host, so a single machine can hold two valid tokens simultaneously and contribute two more on the next reinstall.
Two gaps that I'd like to see addressed alongside the server-side revocation already requested in this issue:

No bulk revoke action. Every token has to be deleted individually through the UI. With 30+ entries, that's a long manual click sequence compounded with an obligatory "Revoke access? This will revoke access for this application. You’ll need to reconnect it if you want to use it again." for each and every token. A "select all," "select older than N days," or "revoke all except current session" control would make cleanup tractable.
No metadata to identify tokens. The list doesn't expose enough context to tell which token corresponds to which host, container, or session. Without a hostname, install method (CLI vs. VS Code extension), or prominent last-used timestamp, the only safe cleanup strategy is "revoke everything and re-authenticate from scratch on every machine," which is exactly the workflow the existing request is trying to avoid.

Suggested additions to the proposal in this issue:

Bulk-action controls on the /settings/claude-code page (select all, filter by age, exclude current).
Per-token metadata at issue time: hostname, install method, last-used timestamp, and an optional user label set via a flag like claude login --label workstation-A.
A documented public API for listing and revoking tokens programmatically, so users with many environments can script cleanup pending the UI work.
Optional account-level policy for auto-revoking tokens after N days of inactivity.

The security posture isn't catastrophic given that tokens are scoped to inference and require an active subscription, but long-lived bearer credentials accumulating with no realistic cleanup path is a hygiene gap with a clear fix.