Module 03: Permissions safety

What never to send


Full Lesson Reference

Claude Code is an AI agent. Anything you type into it is sent to Anthropic's API to generate the response, stays in the session context (and is re-sent with every later turn of that session), and may be passed on to whatever external APIs or platforms Claude uses to complete the task. Some information should never go through Claude at all. This lesson draws the line.

Never send these to Claude

API keys, passwords, and tokens

Don't paste API keys, platform passwords, or access tokens into a Claude Code prompt. Ever.

If Claude needs to use an API, the key lives in a file called .env (for "environment variables") in your project folder on your machine. The scripts and commands Claude runs read the key from there at runtime, so you never have to type it into a conversation.

Bad

My Klaviyo API key is pk_abc123xyz... use it to pull the campaign data

Good

Pull campaign data from Klaviyo using the API key in my .env file

Client login credentials

Don't paste client usernames, passwords, or platform access tokens. Use MCPs (Module 08) for platform access: the MCP server holds the credential in its own configuration or obtains it through an OAuth login, so it never has to appear in the conversation. The credential still exists on your machine, so protect that configuration the same way you protect a .env file.

Individual customer data

Be cautious with specific customer details: email addresses, phone numbers, physical addresses, card details. Aggregated data is fine (total revenue, campaign metrics, conversion rates). Individual-level data needs a good reason, and when there is one, send the minimum that does the job (an anonymised customer ID rather than an email address, for example).

Financial credentials

Credit card numbers, bank details, payment processor credentials - never. These belong in the platforms where they live (Stripe dashboard, bank portal, etc.), not in a Claude Code prompt.

Anything under NDA or strict confidentiality

Claude Code sends your prompts, plus the contents of any files it reads and the output of any commands it runs, to Anthropic's servers to generate responses. If you've signed an NDA or agreement that prohibits sharing client information with third-party services, Claude Code falls under that rule unless your agreement has a specific AI carve-out.

Fine to send

To balance the "never" list - here's what's completely fine, and what Claude Code is actually built for:

  • Campaign metrics - ROAS, revenue, conversion rates, CPA, CPM, CTR, spend
  • Performance data - aggregated results from Google Ads, Meta, Klaviyo, GA4, Shopify
  • Strategy + briefs - campaign plans, competitive analysis, market research
  • Marketing copy - ad copy, emails, landing page drafts, social posts
  • Brand assets - logos, design files, brand guidelines
  • Technical details - build info, architecture, data schemas (without credentials or connection strings)
  • Your own thinking - notes, observations, hypotheses about the work

All of this is exactly what Claude Code is designed to handle.

The .env file pattern

Since API keys come up constantly, here's the pattern once so you remember it forever.

A .env file is a plain text file inside your project folder that stores sensitive values. The filename starts with a dot - this tells your computer to hide it by default. Mac users: press Cmd+Shift+. in Finder to toggle hidden files on and off.

What it looks like inside

# Platform API keys
KLAVIYO_API_KEY=pk_abc123xyz
OPENAI_API_KEY=sk-abc123...

# Supabase
SUPABASE_URL=https://xyz.supabase.co
SUPABASE_ANON_KEY=eyJhbGciOi...

# GitHub
GITHUB_TOKEN=ghp_abc123...

One key per line. No spaces around the = sign. Lines starting with # are comments.
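As an added example (not part of the original lesson), here is a small shell loader that enforces exactly those format rules and then uses a key from the environment, so the key never appears on the command line, in the chat, or in a log. The .env content it creates is constructed for the demo; the Klaviyo endpoint, header names and revision date in pull_klaviyo_campaigns are assumptions for illustration, and that function is not called.

```bash
#!/usr/bin/env bash
# Added example (not from the lesson): strict .env loader + safe use of a key.

# load_dotenv FILE
# Validates every line first (blank, "# comment", or KEY=VALUE with no spaces
# around "="), then exports the pairs. Values are taken literally: no quote
# stripping, no $VAR expansion. Reports only the LINE NUMBERS of bad lines,
# never their content, because the content may be the secret itself.
load_dotenv() {
    local file="${1:-.env}" bad line
    [ -r "$file" ] || { echo "load_dotenv: cannot read $file" >&2; return 1; }

    # Lines that are neither blank/comment nor well-formed KEY=VALUE.
    bad=$(grep -Env '^[[:space:]]*(#.*)?$|^[A-Za-z_][A-Za-z0-9_]*=([^[:space:]].*)?$' "$file" \
          | cut -d: -f1 | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "load_dotenv: $file: line(s) ${bad}are not KEY=VALUE (check for spaces around =)" >&2
        return 1   # nothing exported: a half-loaded .env is worse than none
    fi

    while IFS= read -r line || [ -n "$line" ]; do
        # Skip blank and comment lines; everything else passed validation above.
        printf '%s\n' "$line" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*=' || continue
        export "$line"   # only the first "=" splits, so values may contain "="
    done < "$file"
}

# pull_klaviyo_campaigns
# Uses the key from the environment; nothing here is typed into a prompt. The
# URL, the Authorization/revision headers and the required channel filter follow
# Klaviyo's public API convention as assumed here; the revision date is an
# example value. Not called by the demo below.
pull_klaviyo_campaigns() {
    : "${KLAVIYO_API_KEY:?not set; load .env first}"
    curl -sS -H "Authorization: Klaviyo-API-Key $KLAVIYO_API_KEY" \
         -H "revision: 2024-10-15" \
         "https://a.klaviyo.com/api/campaigns?filter=equals(messages.channel,'email')"
}

# Demo on a constructed .env in a temp dir (never on your real one).
demo_dir=$(mktemp -d)
cat > "$demo_dir/.env" <<'EOF'
# Platform API keys (constructed placeholder values)
KLAVIYO_API_KEY=pk_constructed_not_a_real_key
OPENAI_API_KEY=sk-constructed-not-a-real-key
EOF
if load_dotenv "$demo_dir/.env"; then
    # Print the NAMES that were loaded, never the values.
    echo "loaded: KLAVIYO_API_KEY OPENAI_API_KEY"
fi
rm -rf "$demo_dir"
```

In a real project you would run `load_dotenv .env` at the top of a script and then call functions like pull_klaviyo_campaigns; Claude only needs to be told "use the key in .env".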

Where to save it

The .env file lives in the root of your project folder, at the same level as your CLAUDE.md file. One .env file per project. Claude Code does not load .env itself; the scripts and tools it runs from that folder read the values at runtime. Be aware that Claude can also open .env with its file-reading tool if you ask it to (or if a task leads it there), and the contents then go to the model like anything else it reads. If you want a hard stop, add deny rules for Read(./.env) and Read(./.env.*) under permissions in your project's .claude/settings.json; the Claude Code settings reference documents the format.

Example

Claude Code/
└── my-first-project/
    ├── CLAUDE.md
    ├── .env          ← here
    ├── .gitignore
    └── (other files)

Critical: add .env to .gitignore

The .gitignore file tells git which files never to track or push to GitHub. Your .env must always be in it so your secrets stay on your local machine only. Note that .gitignore only stops files that aren't tracked yet: if .env was already committed before you added the rule, it is still in the repository and its history (see "If you accidentally sent a secret" below).

A typical .gitignore entry, one pattern per line

.env
.env.local
.env.*.local

The last pattern only matches files ending in .local, so if you keep per-environment files such as .env.production, add .env.* as well (and !.env.example if you commit a placeholder template).

If you don't already have a .gitignore, or you're not sure .env is listed, tell Claude:

Check that .env is in my .gitignore. If it isn't, add it.

Claude verifies and updates the file if needed.

Download the template

We've put together a starter .env template with placeholders for the platforms you're most likely to use - Anthropic, OpenAI, Supabase, Klaviyo, Google Ads, Meta, Shopify, GitHub, and more. 📎 Download attached to this lesson: env-template.txt Pre-filled template with common API placeholders + instructions. Save to your project folder, rename to .env, fill in only the keys you need.

Setting up for a new project

Fastest way - tell Claude

Create a .env file in this project folder based on the env-template.txt I downloaded. Add .env to .gitignore if it isn't already. Show me which keys I need to fill in.

Claude copies the template in, renames it to .env, updates .gitignore, and shows you the list of keys to fill in. You paste the real keys in yourself, in your own text editor: never type them into the chat, and don't ask Claude to write them into the file for you, because a key in the prompt has already left your machine before it reaches .env.

Quick verification after setup

To confirm your setup is safe, tell Claude

Confirm my .env file is in .gitignore and won't be committed to git.

Claude checks and confirms. It's a 5-second sanity check before you start work.
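The same check done by hand, as an added example rather than anything from the lesson or from Claude Code itself. It asks git directly whether .env is ignored (git's pattern rules have corner cases that a grep on .gitignore can miss), and it also checks whether .env was ever committed, since ignoring a file does nothing about copies already in history. The function names are my own.

```bash
#!/usr/bin/env bash
# Added example (not from the lesson): verify that .env is protected.

# env_is_ignored DIR -> 0 if git would ignore DIR/.env, else 1.
# Inside a repo we ask git itself. Note that git does not report a file as
# ignored if it is already tracked, so a committed .env also comes back as 1,
# which is the right answer. Outside a repo we fall back to looking for an
# exact .env pattern line in .gitignore.
env_is_ignored() {
    local dir="${1:-.}"
    if command -v git >/dev/null 2>&1 && git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        git -C "$dir" check-ignore -q .env
    else
        [ -f "$dir/.gitignore" ] && grep -qxE '/?\.env|\.env\*' "$dir/.gitignore"
    fi
}

# env_ever_committed DIR -> 0 if .env appears in any commit on any branch.
env_ever_committed() {
    local dir="${1:-.}"
    command -v git >/dev/null 2>&1 || return 1
    git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 1
    [ -n "$(git -C "$dir" log --all --pretty=format: --name-only -- .env 2>/dev/null | grep -Fx '.env')" ]
}

# check_project DIR: human-readable verdict. Always returns 0 so it is safe to
# call from a script that runs with set -e.
check_project() {
    local dir="${1:-.}"
    if env_is_ignored "$dir"; then
        echo "OK: .env is ignored by git in $dir"
    else
        echo "WARNING: .env is NOT ignored in $dir (add '.env' to .gitignore and make sure it isn't tracked)"
    fi
    if env_ever_committed "$dir"; then
        echo "WARNING: .env exists in git history: rotate every key in it, then clean the history"
    fi
    return 0
}

check_project "${1:-.}"
```

Run it from the project folder (or pass the folder as the first argument) before you start a session; two "OK"-free lines of WARNING mean stop and fix first.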

If you accidentally sent a secret

Happens to everyone once. Here's the recovery:

  1. Rotate the credential immediately. The moment a secret goes into a Claude Code prompt, assume it's compromised. Log into the platform, generate a new key, revoke the old one, and update your .env. Rotation is the only step that actually fixes the problem; the steps below just stop the old key spreading further.
  2. If it was committed to git, tell Claude: "I accidentally committed a secret to git. Help me remove it from history and confirm it's gone." Claude walks you through the cleanup. Rewriting history means a force-push, and anyone who already pulled the old commits still has the key, which is why step 1 comes first.
  3. Close or clear the current session (/clear in Claude Code starts a fresh conversation). The secret has already been sent, but it stays in the session context and is re-sent with every further turn until the session ends.
  4. Move on. One mistake with a rotated key = zero real-world damage. Pretending it didn't happen = real risk.

The mental filter

Before you paste anything into Claude Code, ask: "Would I be okay with this appearing in a log file?"

  • Campaign data - yes
  • Strategy doc - yes
  • Ad copy - yes
  • API key - absolutely not
  • Customer's credit card - absolutely not
  • Client login - absolutely not

If the answer is "not really", don't paste it. Tell Claude where to find it instead (e.g. "the file at this path", "the API key in .env").
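An added example, not part of the lesson: a pre-paste check for the log-file question. Feed it the text you are about to paste and it reports which pattern matched and on which line, never the matched text itself, so the report is safe to look at. The patterns are illustrative (well-known prefixes of a few token formats plus a generic NAME=value shape), the sample lines are constructed, and a clean result means only that nothing obvious was found.

```bash
#!/usr/bin/env bash
# Added example (not from the lesson): a pre-paste scan for obvious secrets.

# scan_for_secrets < text
# Prints "line N: <what matched>" for every line that looks like it carries a
# credential and returns 0 if anything matched, 1 if the text looks clean.
# Patterns are illustrative, not exhaustive. The pk_ rule is deliberately
# broad: Klaviyo private keys use that prefix, but so do Stripe's public
# publishable keys, so expect some false positives there.
scan_for_secrets() {
    local hits=0 n=0 line rule label pattern
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        for rule in \
            'OpenAI-style key (sk-...)|sk-[A-Za-z0-9_-]{20,}' \
            'GitHub token (ghp_/gho_/...)|gh[pousr]_[A-Za-z0-9]{36,}' \
            'AWS access key id (AKIA...)|AKIA[0-9A-Z]{16}' \
            'Stripe live key|[sr]k_live_[A-Za-z0-9]{20,}' \
            'JWT|eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}' \
            'PEM private key|-----BEGIN [A-Z ]*PRIVATE KEY-----' \
            'pk_-prefixed key|pk_[A-Za-z0-9_]{10,}' \
            'KEY/TOKEN/SECRET/PASSWORD assignment|[A-Za-z_]*(KEY|TOKEN|SECRET|PASSWORD|[Pp]assword|[Ss]ecret)[A-Za-z_]*[[:space:]]*[=:][[:space:]]*[^[:space:]]{8,}'
        do
            label="${rule%%|*}"     # text before the first "|"
            pattern="${rule#*|}"    # everything after it (may itself contain "|")
            if printf '%s\n' "$line" | grep -Eq -- "$pattern"; then
                echo "line $n: $label"   # label only, never the matched text
                hits=$((hits + 1))
                break                    # one report per line is enough
            fi
        done
    done
    [ "$hits" -gt 0 ]
}

# Demo on constructed text: the lesson's "Good" prompt followed by its "Bad" one.
sample='Pull campaign data from Klaviyo using the API key in my .env file
My Klaviyo API key is pk_abc123xyz456789, use it to pull the campaign data'
if printf '%s\n' "$sample" | scan_for_secrets; then
    echo "Do not paste this; point Claude at the file instead."
else
    echo "Nothing obvious found (which is not the same as safe)."
fi
```

On a Mac, `pbpaste | scan_for_secrets` checks whatever is on the clipboard right before you paste it into the prompt.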

Action items

☐ Download env-template.txt from this lesson

☐ Save it to one of your project folders and tell Claude to set it up as a proper .env file

☐ Confirm .env is in .gitignore - tell Claude to verify

☐ Memorise the never-send list: API keys, passwords, tokens, credit cards, client logins

☐ Memorise the fine-to-send list: aggregated metrics, strategy, briefs, marketing copy

☐ Apply the mental filter: "would I be okay with this in a log file?"

☐ If you slip up, rotate the credential immediately and move on

Next lesson: Prompt injection.

Resources

env-template.txt

Exercises

  1. Review the concepts covered in this lesson: What never to send.
  2. Write down your key takeaway from this lesson.
  3. Practice running any commands or prompts mentioned above inside your terminal.