Claude Code, Anthropic's command-line coding agent, has been discovered to steganographically mark every request it sends to the API. This means that hidden, imperceptible data is embedded in the prompt text before it reaches the model. The markers are designed to be invisible to humans and resistant to stripping, allowing Anthropic to trace the origin of any generated output back to a specific user session.
This practice was first publicly documented by a developer who noticed that certain character sequences in their prompts were being subtly altered. After analysis, they found that Claude Code was inserting zero-width characters and other Unicode control characters into the prompt text. These characters do not affect the model's output but can be detected programmatically.
How steganographic marking works
Steganography is the practice of hiding information within other data. In Claude Code, the marking works by modifying the prompt before it is sent to the API. The modifications are:
- Zero-width characters: Unicode characters like U+200B (zero-width space) and U+200C (zero-width non-joiner) are inserted at specific positions.
- Invisible ink: Some characters are rendered as invisible but occupy space in the byte stream.
- Pattern-based encoding: The sequence of inserted characters encodes a unique identifier tied to the user session or API key.
For example, a prompt like "Write a Python function to sort a list" might become "Write a Python [U+200B]function to sort a list" where the zero-width space is invisible in most editors.
To detect these markers, you can use a tool like xxd or a script that scans for non-printable characters:
echo "your prompt" | xxd | grep -E '(200b|200c|200d|feff)'
Or in Python:
import unicodedata
def has_steganographic_markers(text):
for char in text:
if unicodedata.category(char) in ('Cf', 'Cc'):
return True
return False
Why Anthropic does this
Anthropic's stated goal is to prevent misuse of Claude Code. By embedding a unique marker in each request, they can:
- Trace generated code back to the user if it is used in malicious software.
- Detect API key theft or unauthorized sharing.
- Enforce rate limits and usage policies more effectively.
This is similar to watermarking techniques used by other AI providers, but steganographic marking is more covert. It does not alter the output, only the input prompt.