claude-share

Securely share your Claude Code with friends

Created on 3rd June 2026

The problem claude-share solves

A Claude Code subscription is tied to a single account, but developers constantly want to let a teammate, a friend, or a second machine use their plan temporarily — without ever handing over login credentials.

Today there's no safe way to do that. Sharing an OAuth token directly exposes the account indefinitely, can't be scoped, and can't be revoked cleanly.

claude-share solves this with two binaries shipped in one npm package:

  • claude-share (sharer) exposes its Claude credentials through a local MITM proxy that injects the sharer's OAuth token per-request, entirely in memory. The token is read from the macOS Keychain at startup and is never written to disk and never transmitted to the receiver.
  • claude-connect (receiver) routes Claude Code through that proxy and uses it as if it had its own subscription.

Only Anthropic API calls are intercepted; everything else is tunneled opaquely. Sessions auto-expire after a chosen duration (6h / 24h / 1 week), so access is always temporary and bounded.

Challenges I ran into

Single public port, three protocols. A byte-sniffing detector multiplexes one port: CONNECT requests go to the MITM proxy, a TLS ClientHello is terminated and piped to the Hono API, and plain HTTP is routed locally. One port, exposed publicly via a bore tunnel.

Selective interception. The MITM only decrypts traffic for a minimal allowlist of Anthropic domains (api.anthropic.com, platform.anthropic.com, etc.). Every other CONNECT is transparently TCP-piped and its plaintext is never touched — keeping the trust surface tiny.
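
A sketch of the first-byte classification and the CONNECT allowlist decision described in the two items above, as an added example that is not claude-share's own code. The function names, route labels, the port-443 restriction and the two-host allowlist (the page's list ends in "etc.") are assumptions.

```javascript
// Added example, not claude-share's code; names and route labels are hypothetical.
// Only the two hosts the page names; its list ends in "etc.", so this is partial.
const MITM_ALLOWLIST = new Set(["api.anthropic.com", "platform.anthropic.com"]);
const TOKENS = ["CONNECT", "GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"]
  .map((m) => m + " ");

// Classify a connection from its first bytes (peeked, not consumed).
function sniffProtocol(buf) {
  // TLS record: ContentType 0x16 (handshake), major version 0x03,
  // 2 length bytes, then handshake type 0x01 (ClientHello) at offset 5.
  if (buf[0] === 0x16) {
    if (buf.length < 6) return "need-more";
    return buf[1] === 0x03 && buf[5] === 0x01 ? "tls" : "unknown";
  }
  const head = buf.subarray(0, 8).toString("latin1");
  const hit = TOKENS.find((t) => head.startsWith(t));
  if (hit) return hit === "CONNECT " ? "connect" : "http";
  // A partial method token may still complete on the next read.
  return TOKENS.some((t) => t.startsWith(head)) ? "need-more" : "unknown";
}

// Decide per CONNECT target: decrypt (mitm) or opaque TCP pipe (tunnel).
function routeConnect(requestLine) {
  const m = /^CONNECT ([^\s:]+):(\d{1,5}) HTTP\/1\.[01]$/.exec(requestLine.trim());
  if (!m) return { action: "reject" };
  // Exact match on a normalized host (lowercase, trailing dot stripped).
  // A suffix or substring test would also accept "api.anthropic.com.example".
  const host = m[1].toLowerCase().replace(/\.$/, "");
  const port = Number(m[2]);
  // Assumption: only port 443 is ever decrypted.
  const intercept = port === 443 && MITM_ALLOWLIST.has(host);
  return { action: intercept ? "mitm" : "tunnel", host, port };
}

function routeFirstBytes(buf) {
  const proto = sniffProtocol(buf);
  if (proto !== "connect") return { proto };
  const eol = buf.indexOf("\r\n");
  if (eol === -1) return { proto: "need-more" }; // request line not complete yet
  return { proto, ...routeConnect(buf.subarray(0, eol).toString("latin1")) };
}

// Constructed sample inputs.
for (const s of ["CONNECT api.anthropic.com:443 HTTP/1.1\r\n\r\n",
                 "CONNECT example.org:443 HTTP/1.1\r\n\r\n"]) {
  console.log(routeFirstBytes(Buffer.from(s)));
}
```

The detector returns "need-more" until enough bytes have arrived to decide, so a short first read is never misrouted.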

Pairing where the code IS the key. The connect URL embeds a base58-encoded 32-byte session key that doubles as the private decryption key. Only the first 5 characters are ever sent over HTTP (for session lookup); the receiver decrypts the response blob locally with the full key, so the secret never crosses the wire.

Token isolation. The sharer's OAuth token lives only in memory inside the proxy and is injected per request — the receiver gets working Claude access but never sees a credential.

TUI plumbing. Mixing clack's setup prompts with an Ink-based live TUI without clack tearing down stdin in a way Ink can't recover from — order of initialization matters and was carefully sequenced.
