What Is Claude Code and Why Does It Use Cookies?
Claude Code is Anthropic's agentic coding tool. It runs in your terminal, inside VS Code and JetBrains IDEs, and through a web interface at claude.ai/code. It can read your codebase, edit files, execute commands, handle git workflows, and submit pull requests - all through natural language.
When you use Claude Code through the web interface or sign in via OAuth from the CLI, your browser interacts with claude.ai. That interaction sets cookies. Some are strictly necessary for authentication and security. Others track usage patterns or support Anthropic's marketing.
For developers using Claude Code, understanding these cookies matters for two reasons. First, if you build websites that embed Anthropic's services or link to Claude, third-party cookies from Anthropic's partners may appear on your domain. Second, if your organisation uses Claude Code on a team or enterprise plan, your IT and compliance teams need to know what data is stored locally in the browser.
The Full Cookie Inventory on Claude.ai
Anthropic publishes its cookie list on its Privacy Centre. The cookies fall into three categories: necessary, analytics, and marketing. Here is the complete breakdown.
Necessary Cookies
These cookies keep Claude Code and claude.ai functional. They handle authentication, remember your preferences, and protect against security threats. Anthropic classifies them as non-optional - they cannot be refused.
| Cookie | Purpose | Set By | Lifespan |
|---|---|---|---|
sessionKey | Authentication - keeps you logged in | First-party (.claude.ai) | 1 month |
activitySessionId | Authentication - tracks active session | First-party (claude.ai) | 12 hours |
CH-prefers-color-scheme | Stores dark/light mode preference | First-party (claude.ai) | 1 year |
lastActiveOrg | Remembers your last active organisation | First-party (claude.ai) | 1 year |
__ssid | Security identifier | First-party (.claude.ai) | 13 months |
anthropic-device-id | Device identification for security | First-party (claude.ai) | 10 months |
anthropic-consent-preferences | Stores your cookie consent choices | First-party (.claude.ai) | 1 year |
__stripe_mid | Stripe fraud prevention | Stripe (third-party) | 1 year |
__cf_bm | Cloudflare bot management | Cloudflare (third-party) | 30 minutes |
cf_clearance | Cloudflare challenge clearance | Cloudflare (third-party) | 1 year |
intercom-device-id-* | Support chat device identification | Intercom (third-party) | 9 months |
intercom-session-* | Support chat session | Intercom (third-party) | 1 week |
The sessionKey cookie is the most critical. When Claude Code's CLI authenticates through OAuth, it opens your browser to claude.ai, where this cookie is set. The CLI then uses the resulting session to communicate with Anthropic's API. Without it, Claude Code cannot function.
Analytics Cookies
Anthropic uses analytics cookies to measure how people interact with claude.ai and Claude Code's web interface. These are not strictly necessary and can be refused through Anthropic's cookie preferences panel.
| Cookie | Purpose | Set By | Lifespan |
|---|---|---|---|
ajs_anonymous_id | Anonymous visitor identification for analytics | First-party (claude.ai) | 1 year |
ajs_user_id | Identified user tracking for analytics | First-party (claude.ai) | 1 year |
li_giant | LinkedIn conversion tracking | LinkedIn (third-party) | 7 days |
oribi_cookie_test | LinkedIn conversion analytics test | LinkedIn (third-party) | Session |
oribili_user_guid | LinkedIn analytics user identifier | LinkedIn (third-party) | 1 year |
| Google Analytics cookies | Performance and usage analytics | Google (third-party) | Various |
The ajs_anonymous_id and ajs_user_id cookies come from Segment, a customer data platform. They assign a persistent identifier to track sessions and usage patterns across visits. If you decline analytics cookies through Anthropic's consent panel, these should not be set.
Marketing Cookies
Claude.ai also sets marketing cookies from major advertising platforms. These help Anthropic measure the effectiveness of its ad campaigns and target potential users.
| Cookie | Purpose | Set By | Lifespan |
|---|---|---|---|
_fbp | Meta Pixel - tracks visits for ad targeting | Facebook (third-party) | 90 days |
_fbc | Meta click identifier for conversions | Facebook (third-party) | 2 years |
_rdt_uuid | Reddit ad conversion tracking | Reddit (third-party) | 1 year |
_ttclid | TikTok click identifier | TikTok (third-party) | 90 days |
guest_id | Twitter/X visitor identification | Twitter (third-party) | 348 days |
personalization_id | Twitter/X personalised content | Twitter (third-party) | 348 days |
| Google Advertising cookies | Targeted marketing | Google (third-party) | Various |
These marketing cookies are set across both .anthropic.com and claude.ai domains. They are not necessary for Claude Code to function and exist purely for Anthropic's advertising measurement. Under GDPR and the ePrivacy Directive, these require explicit opt-in consent before being placed.
How Claude Code Authenticates via Cookies
Claude Code's CLI does not store cookies itself. When you run claude for the first time, it opens a browser window pointing to claude.ai for OAuth authentication. The browser handles the login flow, sets the sessionKey cookie, and passes authentication tokens back to the CLI.
This matters from a compliance angle. The cookies are set in the browser, not in the terminal application. If your organisation audits browser storage as part of its security policy, Claude Code's authentication flow will leave sessionKey, activitySessionId, __cf_bm, and other necessary cookies on the machine.
The sessionKey cookie has a one-month lifespan. Third-party tools have emerged that extract this cookie from browser storage to build unofficial Claude API integrations - a practice that raises obvious security concerns. Keep your browser's cookie storage protected, and avoid sharing sessionKey values.
Privacy Implications for Website Owners
If you are reading this as a website owner rather than a Claude Code user, the question is different: do Anthropic's cookies appear on your site?
They will not, unless you embed content from anthropic.com or claude.ai (such as YouTube videos hosted on Anthropic's channel, which set YouTube cookies). The cookies listed above are scoped to Anthropic's own domains. Your visitors will not receive sessionKey or _fbp from Anthropic just by visiting your website.
Where it gets relevant is if your site uses AI-powered features built on Anthropic's API. The API itself is server-to-server and does not set browser cookies. But if your implementation redirects users to claude.ai for authentication (as some OAuth-based integrations do), cookies will be set on Anthropic's domain during that redirect.
For your own site's cookie consent obligations, what matters is the cookies you set - not those set by third-party sites your users might also visit. Use a cookie scanner to audit your own domain and ensure your consent banner covers everything your site actually places.
How Anthropic Handles Cookie Consent
Anthropic provides cookie controls on claude.ai through a "Your privacy choices" link in the interface menu. Users can accept or decline analytics and marketing cookies. Necessary cookies cannot be turned off.
The anthropic-consent-preferences cookie stores the user's choice for one year. This is a standard approach - the consent preference itself is treated as a necessary cookie since it records the user's decision.
For European users, this setup needs to comply with Article 5(3) of the ePrivacy Directive, which requires informed consent before setting non-essential cookies. The CNIL and other European DPAs have been particularly active in enforcing cookie consent rules - the CNIL fined Google 150 million euros in 2022 for making cookie rejection harder than acceptance. Anthropic's current implementation offers a clear opt-out path, but the marketing cookies from Meta, Reddit, TikTok, and Twitter/X mean the platform carries a significant third-party tracking footprint when all cookies are accepted.
Claude Code Cookies vs Other AI Platforms
How does Claude's cookie footprint compare to competing AI coding tools? All major platforms set authentication and analytics cookies. The differences lie in the volume of marketing trackers.
| Platform | Necessary Cookies | Analytics | Marketing Trackers |
|---|---|---|---|
| Claude.ai / Claude Code | ~17 (incl. Cloudflare, Stripe, Intercom, YouTube) | Segment, Google Analytics, LinkedIn | Meta, Reddit, TikTok, Twitter/X, Google Ads |
| ChatGPT (openai.com) | Session, Cloudflare, auth tokens | Various analytics tools | Varies by region |
| GitHub Copilot | GitHub session cookies | GitHub analytics | Microsoft advertising ecosystem |
Claude.ai carries more marketing trackers than some competitors, spanning five separate advertising platforms. Website owners who care about minimising cookie categories on their own sites should audit whether any of these third-party scripts load if they embed Anthropic-related content.
What Developers Should Know
If you use Claude Code daily, here are the practical takeaways.
Authentication happens via sessionKey on claude.ai, set with a one-month expiry. If you clear your browser cookies, you will need to re-authenticate the CLI. Safari's ITP restrictions can cap JavaScript-set cookies at seven days, but since sessionKey is set server-side via a Set-Cookie header, it is not affected by ITP's JavaScript cookie limits.
The __cf_bm cookie from Cloudflare expires after 30 minutes and is refreshed on each request. It exists to distinguish human users from bots. If you see Cloudflare challenges when accessing claude.ai, clearing this cookie and cf_clearance may help.
On enterprise deployments, the lastActiveOrg cookie remembers which organisation you last used. If you switch between personal and team accounts, this cookie determines which context loads by default.
For those building applications on the Anthropic API: the API does not set cookies. It uses API keys or OAuth tokens passed in headers. Cookies only enter the picture when a browser is involved - either through claude.ai directly or through the OAuth flow that Claude Code uses for CLI authentication.
Frequently Asked Questions
Does Claude Code set cookies on my computer?
Claude Code's CLI does not set cookies directly. When it opens your browser for authentication, claude.ai sets cookies in the browser, including the sessionKey cookie that lasts one month and several security cookies from Cloudflare and Stripe.
Can I use Claude Code without accepting marketing cookies?
Yes. Marketing cookies from Meta, Reddit, TikTok, and Twitter/X are not required for Claude Code to function. You can decline them through the "Your privacy choices" option on claude.ai without affecting authentication or functionality.
Does the Anthropic API set cookies on my website visitors?
No. The Anthropic API is a server-to-server communication channel that uses API keys or OAuth tokens in HTTP headers. It does not place cookies in your visitors' browsers. Only direct interaction with claude.ai or anthropic.com sets cookies.
How long does the Claude Code session cookie last?
The sessionKey cookie has a one-month lifespan. After it expires, Claude Code will prompt you to re-authenticate through your browser.
What third-party cookies does Claude.ai set?
Claude.ai sets third-party cookies from Cloudflare (bot management), Stripe (fraud prevention), Intercom (support chat), Google (analytics and ads), LinkedIn (conversion tracking), Meta/Facebook, Reddit, TikTok, and Twitter/X (all marketing).
Is Claude.ai GDPR compliant with its cookie usage?
Anthropic provides a cookie consent mechanism on claude.ai and publishes a full cookie list on its Privacy Centre. Non-essential analytics and marketing cookies can be refused. Whether the implementation fully meets GDPR and ePrivacy Directive standards depends on factors like consent timing and banner design, which may vary by region.
Should I list Claude Code cookies in my website's cookie policy?
Only if your website sets them. If your site redirects users to claude.ai or embeds content from Anthropic's domains, you should disclose any resulting cookies. If you use the Anthropic API server-to-server with no browser redirect, no Anthropic cookies are set on your domain.
Audit Your Own Cookie Footprint
Whether you use Claude Code or any other AI tool, your website's GDPR compliance depends on knowing exactly which cookies your domain sets. Kukie.io scans your site, identifies every cookie by name, origin, and purpose, and maps them to the right consent categories - so your visitors get a genuine choice.
