$187. That's what one developer lost before discovering that Claude Code was billing their pay-per-use API account instead of their flat-rate Max plan - all because of a single line in a project .env file.
The behavior: if Claude Code finds an ANTHROPIC_API_KEY environment variable in your project directory (typically inside a .env file), it picks up that key and routes all usage through it, bypassing your Max subscription entirely. Anthropic confirmed this is intentional, describing it as expected behavior for developers who want to use their own API credentials in specific project contexts.
The problem is that most people with an API key sitting in a .env file put it there for a completely different purpose - building an app that calls Claude directly, running integration tests, experimenting with the API. They never intended for Claude Code itself to grab that key and start charging per token (per small chunk of text processed, at rates that add up fast during longer sessions).
The risk is highest for automated setups. Running Claude Code via Windows Task Scheduler, a cron job, or a CI/CD pipeline (a system that runs code checks and deployments automatically) means there's no UI, no pop-up, and nothing alerting you that billing has quietly switched from your subscription to pay-per-use. The $187 figure came from scheduled headless runs accumulating over several days - not a single runaway session.
What to Do Right Now
- Search any project where you run Claude Code for .env files containing ANTHROPIC_API_KEY
- Remove the key from .env if Claude Code - not your own app - is the primary process running in that directory
- If you genuinely need both (your app AND Claude Code in the same project), set the API key via shell environment variables at the session level rather than storing it in a file Claude Code will scan
- Check your Anthropic billing dashboard for unexpected API charges going back 30 days
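
The first step above as a script. This is an added example, not code from the original article or from Anthropic: it walks a directory tree and reports every env file that assigns a non-empty ANTHROPIC_API_KEY, without printing the key itself. The function names, the skipped directories, and the choice to treat `.env.*` variants as env files are assumptions.

```python
import os
import re
import sys

KEY_NAME = "ANTHROPIC_API_KEY"
# Matches `ANTHROPIC_API_KEY=...` with an optional leading `export`; commented-out lines do not match.
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?" + KEY_NAME + r"\s*=\s*(.*)$")
SKIP_DIRS = {".git", "node_modules", ".venv", "venv", "__pycache__"}  # assumption: dependency/VCS dirs

def is_env_file(name):
    # Assumption: cover .env plus variants such as .env.local or .env.test
    return name == ".env" or name.startswith(".env.")

def key_lines(path):
    """Return the line numbers in `path` that assign a non-empty ANTHROPIC_API_KEY."""
    hits = []
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, start=1):
                m = ASSIGNMENT.match(line)
                if not m:
                    continue
                # Drop an inline comment and surrounding quotes; the value is never stored or printed.
                value = re.split(r"(?:^|\s)#", m.group(1), maxsplit=1)[0].strip().strip("'\"")
                if value:
                    hits.append(lineno)
    except OSError:
        pass  # unreadable file: nothing to report
    return hits

def scan(root):
    """Walk `root` and return [(path, [line numbers])] for each env file that sets the key."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for name in filter(is_env_file, filenames):
            path = os.path.join(dirpath, name)
            lines = key_lines(path)
            if lines:
                findings.append((path, lines))
    return sorted(findings)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, lines in scan(root):
        print(f"{path}: {KEY_NAME} set on line(s) {', '.join(map(str, lines))}")
    if os.environ.get(KEY_NAME):
        print(f"{KEY_NAME} is also set in this process's environment")
```

Run it with the directory to audit as the only argument, for example from the same scheduled task or CI job that launches Claude Code, so the environment check reflects what that headless session inherits.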
Anthropic hasn't indicated plans to change this behavior or add a warning. Until there's a clearer signal at startup when API key billing takes over from a subscription, this will keep catching people.