| ▲ | stavros 8 hours ago | |||||||
I'm referring to this signing bit: https://alex000kim.com/posts/2026-03-31-claude-code-source-l... Ah, it seems that Bun itself signs the code. I don't understand how this can't be spoofed. | ||||||||
| ▲ | MadsRC 8 hours ago | parent [-] | |||||||
Ah yes, the API will accept requests that doesn’t include the client attestation (or the fingerprint from src/utils/fingerprint.ts. At least it did a couple of weeks back. They are most likely using these as post-fact indicators and have automation they kicks in after a threshold is reached. Now that the indicators have leaked, they will most likely be rotated. | ||||||||
| ||||||||