Claude Code v2.1.86 — 2 New Environment Variables: Trusted Devices and the Final OAuth Override#

Published on March 27, 2026

Part of the Claude Code Version Tracker series. | Official Env Vars | Official Changelog

Claude Code v2.1.86 adds 2 new environment variables. The count is modest, but one addition — CLAUDE_TRUSTED_DEVICE_TOKEN — signals a meaningful step in the enterprise authentication story that's been building across the last three releases.

What Changed#

	v2.1.85	v2.1.86
Environment variables	202	204 (+2)

New Environment Variables#

Variable Likely Purpose

CLAUDE_TRUSTED_DEVICE_TOKEN Provides a pre-authenticated device token that persists trust across sessions. In enterprise SSO flows, "trusted device" tokens let a client skip re-authentication when running on a machine that has already been verified — the same pattern used by corporate MDM (Mobile Device Management) and conditional access policies in Azure Entra ID and Okta. For Claude Code, this likely means headless or CI/CD environments can present a device token instead of going through an interactive OAuth flow each time, reducing friction for automated pipelines that run Claude Code on pre-approved infrastructure.

CLAUDE_LOCAL_OAUTH_CONSOLE_BASE Overrides the base URL for the OAuth console interface. This is the third OAuth endpoint override in as many releases — joining CLAUDE_LOCAL_OAUTH_API_BASE (token exchange) and CLAUDE_LOCAL_OAUTH_APPS_BASE (app registry) from v2.1.85. The "console" is typically where users authorize applications, manage connected apps, and review permissions. Enterprise deployments can now redirect this to their own admin portal, completing the picture: every user-facing part of the OAuth flow can run on corporate infrastructure.

Variable	Likely Purpose
`CLAUDE_TRUSTED_DEVICE_TOKEN`	Provides a pre-authenticated device token that persists trust across sessions. In enterprise SSO flows, "trusted device" tokens let a client skip re-authentication when running on a machine that has already been verified — the same pattern used by corporate MDM (Mobile Device Management) and conditional access policies in Azure Entra ID and Okta. For Claude Code, this likely means headless or CI/CD environments can present a device token instead of going through an interactive OAuth flow each time, reducing friction for automated pipelines that run Claude Code on pre-approved infrastructure.
`CLAUDE_LOCAL_OAUTH_CONSOLE_BASE`	Overrides the base URL for the OAuth console interface. This is the third OAuth endpoint override in as many releases — joining `CLAUDE_LOCAL_OAUTH_API_BASE` (token exchange) and `CLAUDE_LOCAL_OAUTH_APPS_BASE` (app registry) from v2.1.85. The "console" is typically where users authorize applications, manage connected apps, and review permissions. Enterprise deployments can now redirect this to their own admin portal, completing the picture: every user-facing part of the OAuth flow can run on corporate infrastructure.

What These Tell Us#

The OAuth decomposition is now complete. Over three releases, Anthropic has exposed five separate OAuth endpoint overrides: the main auth origin^[1], the token API and app registry^[2], and now the console and a trusted device token. Each targets a different leg of the OAuth flow. Taken together, an enterprise can now run Claude Code where every authentication touchpoint — login screen, token exchange, app authorization, and device trust — routes through corporate infrastructure without touching Anthropic's servers. This is the "bring your own identity provider" capability that the v2.1.85 analysis predicted was coming. The addition of CLAUDE_TRUSTED_DEVICE_TOKEN is particularly telling: device trust is a requirement for conditional access policies (Intune, Okta Device Trust, CrowdStrike Falcon), suggesting Anthropic is working directly with enterprise customers who need Claude Code to participate in zero-trust architectures.

v2.1.86 is a stability release with surgical fixes. The changelog^[3] lists over 20 bug fixes and zero new user-facing features. Notable fixes include --resume failures caused by tool_use ID errors (a frustrating regression for anyone using session continuity), out-of-memory crashes when using /feedback on long sessions, masked input leaking tokens on narrow terminals (a security-adjacent fix), and startup stalls when connecting to multiple MCP servers simultaneously. The X-Claude-Code-Session-Id header addition for proxy aggregation is a quiet infrastructure change that helps corporate proxies correlate requests across a single Claude Code session — another enterprise-focused improvement that doesn't show up as a new env var but matters for observability.

Sources#

Claude Code v2.1.84 — 6 New Environment Variables — introduced CLAUDE_AI_ORIGIN auth origin override
Claude Code v2.1.85 — 6 New Environment Variables — introduced CLAUDE_LOCAL_OAUTH_API_BASE and CLAUDE_LOCAL_OAUTH_APPS_BASE
Claude Code Official Changelog — bug fixes and release notes

This analysis is conducted for independent security research and interoperability purposes under fair use principles. All trademarks belong to their respective owners. The information presented here documents publicly observable behavior of installed software and is not intended to circumvent any technological protection measures, infringe on intellectual property rights, or encourage unauthorized use. Use these findings at your own discretion.

Claude Code v2.1.85 — 6 New Environment Variables — MCP server config, yoga-layout removal, OAuth endpoint overrides
Claude Code v2.1.84 — 6 New Environment Variables — idle management, PowerShell tool, Bedrock parity
Claude Code v2.1.83 — 8 New Environment Variables — managed-settings.d/, transcript search, 40+ fixes
Claude Code v2.1.81 — 1 New Environment Variable — --bare flag, concurrent OAuth fix
Claude Code v2.1.80 — Channels, Plugin Simplification, and a Bug Fix Sprint — --channels research preview

Let's Connect

Bluesky LinkedIn Threads