
Unauthorized Usage

Reddit · Duck_Shepherd · May 6, 2026
Session logs with Claude Code scopes continued appearing in a user's usage dashboard after the user revoked the application's access: the revoke button proved ineffective, and all local credentials and API keys had been verified and deleted. After opening a support ticket, the user received no response for two weeks, prompting a warning for others to verify that their Claude Code sessions actually stop after access revocation.

Detailed Analysis

A Reddit user posting to r/ClaudeAI reported that Claude Code continued logging active sessions and consuming tokens under their account even after they had explicitly revoked the tool's access through Anthropic's interface. The usage dashboard reflected ongoing activity under scopes including `user:file_upload`, `user:ccr_inference`, and `user:sessions:claude_code` — suggesting the revocation mechanism in the UI failed to terminate the underlying authorization. The user took additional remediation steps including uninstalling the CLI, deleting local credentials and configuration files, and auditing their API keys and connectors page, all without resolution. The persistence of session logs despite these measures points to a potential disconnect between the frontend revocation UI and whatever backend systems actually govern active session state for Claude Code.

The support experience described compounds the technical concern. The user opened a support ticket and received an automated response from Anthropic's Fin AI bot indicating a rapid human follow-up, but reported receiving no human reply after two weeks. This pattern — an AI-handled first response that creates an expectation of timely escalation, followed by extended silence — represents a meaningful failure in the support pipeline, particularly for a security-adjacent issue. Unauthorized token consumption is not merely a billing nuisance; it raises questions about whether third-party integrations or residual session states could act on a user's behalf without their knowledge or consent.

The incident arrives at a moment when Anthropic is aggressively expanding Claude Code as a developer-facing agentic tool. Agentic systems that operate with elevated file and inference permissions require especially robust access revocation infrastructure, because the consequences of a failed revoke are qualitatively different from those in a standard consumer chat product. If a user cannot reliably terminate an agent's access to their account, the trust model underlying the entire product category is weakened. The scopes visible in the logs — particularly `user:file_upload` and `user:ccr_inference` — suggest Claude Code operates with permissions broad enough that any ambiguity about when they end should be treated as a priority engineering and security concern.

More broadly, the post reflects a growing tension across the AI industry between rapid agentic product deployment and the maturation of the underlying authorization and audit infrastructure. Tools like Claude Code, GitHub Copilot Workspace, and similar products are moving faster than the session management and access control frameworks typically found in enterprise software, where revocation guarantees are well-defined and legally significant. Users who discover discrepancies between what the UI represents and what is actually occurring in backend systems have limited recourse, and community posts like this one function as informal transparency mechanisms in the absence of a clear escalation path through official channels.

The user's public advisory, checking `claude.ai/settings/usage` to verify that sessions terminate after revocation, highlights that individual vigilance is currently filling a gap that Anthropic's own tooling and support infrastructure have not fully addressed. Whether the described behavior reflects a reproducible bug, a rare edge case, or a UI representation issue remains unresolved given the lack of official response. Regardless, the combination of a non-functional revocation control and a two-week support blackout for a security-relevant report represents the kind of gap that, if confirmed at scale, would pose a meaningful reputational and trust risk for Anthropic as it positions Claude Code for broader enterprise and developer adoption.
