You open a teammate’s pull request and there it is, stapled to the bottom of the description:
🔗 https://claude.ai/code/session_01SBzqph11q7ZSHA5QEGgtu5
Nobody typed that. Nobody chose to publish it. But it’s in the PR body now, and on the commits underneath it, sitting in your repo’s history where every contributor — and on a public repo, the whole internet — can read it.
If you’ve been running Claude Code from the web or over Remote Control, that line comes from a default you never opted into. As of v2.1.183 (June 2026) there’s finally a single setting to turn it off. Here’s that setting, what the link actually exposes (less than the panic suggests), and how to decide your team’s policy.
The fix #
Add this to your settings:
{
"attribution": {
"sessionUrl": false
}
}
attribution.sessionUrl
is a boolean nested under attribution
. It defaults to true
. Set it to false
and Claude Code stops appending the claude.ai/code/session_…
link to your commits and PRs. That’s the whole fix.
One caveat up front: this only affects web sessions and Remote Control sessions. Local CLI sessions never added the link, so the setting is a no-op there. The v2.1.183 changelog puts it plainly — “Added attribution.sessionUrl
setting to omit the claude.ai session link from commits and PRs in web and Remote Control sessions.”
What’s actually being added #
Since around v2.1.179, commits Claude makes in a web session carry a Claude-Session:
git trailer pointing at the session URL, and PR bodies get the same URL on its own line. It looks like attribution — same neighborhood as the 🤖 Generated with Claude Code
line and the Co-Authored-By
trailer — but until v2.1.183 it had no off switch of its own.
That last part is why people were annoyed. Developers who’d already set attribution.commit: ""
for clean commits found the session URL still showed up (issue #41873). The attribution-text setting didn’t touch it. That issue was closed “not planned,” and a separate request to make the link opt-in (#66504) is where the v2.1.183 setting eventually came from. So if you tried to kill this a while back and failed: you weren’t crazy — the knob didn’t exist yet.
Is this a leak? #
Short answer: no, not in the “you dumped a credential” sense. Be honest with yourself about the actual cost before you treat it like an incident.
What the link is: a deep link to your Claude Code session. It’s generally only resolvable by the account that owns the session. A stranger who finds https://claude.ai/code/session_01SB…
in your git log can’t open your transcript. It is not a public API key, not a token, not your prompt history exposed to the world.
So what is the cost? Three real ones, none of them a CVE:
History clutter. On a public or OSS repo, every agent-authored commit now carries an internal SaaS URL that means nothing to outside contributors. It’s noise ingit log
, forever.Minor information disclosure. The line signalswhichcommits were agent-authored and exposes an internal link surface — the URL pattern, the fact that you’re driving from web or Remote Control. That’s metadata, not secrets, but on a public repo it’s metadata you’re publishing by default.A policy gap. It shipped on-by-default with no opt-in prompt. For a team or an org, “a tool changed our commit format and nobody decided to” is the thing worth fixing — more than the URL itself.
Frame it as cleanliness and governance, not breach response. If you sell your team a “we’re leaking secrets” story, the first person who clicks the link, hits an auth wall, and realizes it’s account-scoped will quietly discount your next security call. Get this one right. (This is the same config-hygiene muscle as locking down permissions or picking an auto-review posture — boring settings that decide what your team ships by default.)
Where to set it #
Same precedence as every other Claude Code setting — most specific wins:
User—~/.claude/settings.json
. Affects only you, across every repo. Good for personal preference.Project—.claude/settings.json
, committed to the repo.This is how a team standardizes: one commit, and everyone who runs Claude Code in that repo inheritssessionUrl: false
.Enterprise managed settings— org-enforced, overrides the others. Use this when “off” isn’t a suggestion — public repos under a company org, say.
For a shared repo, set it at the project level. Relying on every contributor to fix their own ~/.claude
is how you end up with half your commits clean and half not.
It’s not the only attribution knob #
While you’re in there, know the rest of the surface so you configure the whole thing, not just the URL:
attribution.sessionUrl
— theclaude.ai/code/session_…
link (this post).includeCoAuthoredBy
— theCo-Authored-By: Claude <noreply@anthropic.com>
trailer. Boolean, defaulttrue
; setfalse
to drop it.attribution.commit
/attribution.pr
— the human-readable “Generated with Claude Code” text on commits and PRs. Set to""
to remove.
These are independent. Turning off the session URL leaves the co-author trailer in place, and vice versa. Decide all three in one sitting, or you’ll be back here next month for the one you missed.
A team policy in three tiers #
Solo / private repo: leavesessionUrl
on. The link is a genuinely useful audit trail — click a commit, land back in the session that produced it. Nobody outside sees it. Keep the signal.Shared team repo: setsessionUrl: false
at the project level, and settle yourCo-Authored-By
policy in the same PR. Standardize once so the history stays consistent.Public / OSS repo:sessionUrl: false
, enforced via managed settings if you have an org that can. External contributors don’t need your internal links in the canonical history.
Bottom line #
The session link is an audit feature wearing a privacy scare’s clothing. On a repo where you’re the only reader, it’s useful; on a repo strangers read, it’s clutter you didn’t choose — and now it’s one boolean to remove. Default-on with no prompt was the real miss; attribution.sessionUrl: false
is the fix. Set it at the level that matches who can see your history.
In your repos — is the session link useful audit signal, or noise you turned off the day you found it?