Warn on inherited auth token

api/app.py

@@ -38,11 +38,24 @@ async def _best_effort(
         logger.warning(f"Shutdown step failed: {name}: {type(e).__name__}: {e}")
 
 
+def _warn_if_process_auth_token(settings) -> None:
+    """Warn when server auth was implicitly inherited from the shell."""
+    uses_process_token = getattr(settings, "uses_process_anthropic_auth_token", None)
+    if callable(uses_process_token) and uses_process_token():
+        logger.warning(
+            "ANTHROPIC_AUTH_TOKEN is set in the process environment but not in "
+            "a configured .env file. The proxy will require that token. Add "
+            "ANTHROPIC_AUTH_TOKEN= to .env to disable proxy auth, or set the "
+            "same token in .env to make server auth explicit."
+        )
+
+
 @asynccontextmanager
 async def lifespan(app: FastAPI):
     """Application lifespan manager."""
     settings = get_settings()
     logger.info("Starting Claude Code Proxy...")
+    _warn_if_process_auth_token(settings)
 
     # Initialize messaging platform if configured
     messaging_platform = None

config/settings.py

@@ -281,6 +281,12 @@ class Settings(BaseSettings):
             self.anthropic_auth_token = dotenv_value
         return self
 
+    def uses_process_anthropic_auth_token(self) -> bool:
+        """Return whether proxy auth came from process env, not dotenv config."""
+        if _env_file_override(self.model_config, "ANTHROPIC_AUTH_TOKEN") is not None:
+            return False
+        return bool(os.environ.get("ANTHROPIC_AUTH_TOKEN"))
+
     @property
     def provider_type(self) -> str:
         """Extract provider type from the default model string."""

tests/api/test_app_lifespan_and_errors.py

@@ -6,6 +6,27 @@ import pytest
 from fastapi.testclient import TestClient
 
 
+def test_warn_if_process_auth_token_logs_warning():
+    api_app_mod = importlib.import_module("api.app")
+    settings = SimpleNamespace(uses_process_anthropic_auth_token=lambda: True)
+
+    with patch.object(api_app_mod.logger, "warning") as warning:
+        api_app_mod._warn_if_process_auth_token(settings)
+
+    warning.assert_called_once()
+    assert "ANTHROPIC_AUTH_TOKEN" in warning.call_args.args[0]
+
+
+def test_warn_if_process_auth_token_skips_explicit_dotenv_config():
+    api_app_mod = importlib.import_module("api.app")
+    settings = SimpleNamespace(uses_process_anthropic_auth_token=lambda: False)
+
+    with patch.object(api_app_mod.logger, "warning") as warning:
+        api_app_mod._warn_if_process_auth_token(settings)
+
+    warning.assert_not_called()
+
+
 def test_create_app_provider_error_handler_returns_anthropic_format():
     from api.app import create_app
     from providers.exceptions import AuthenticationError

tests/config/test_config.py

@@ -126,6 +126,7 @@ class TestSettings:
         monkeypatch.setitem(Settings.model_config, "env_file", ())
         settings = Settings()
         assert settings.anthropic_auth_token == "process-token"
+        assert settings.uses_process_anthropic_auth_token() is True
 
     def test_empty_dotenv_anthropic_auth_token_overrides_process_env(
         self, monkeypatch, tmp_path
@@ -140,6 +141,7 @@ class TestSettings:
 
         settings = Settings()
         assert settings.anthropic_auth_token == ""
+        assert settings.uses_process_anthropic_auth_token() is False
 
     def test_dotenv_anthropic_auth_token_overrides_process_env(
         self, monkeypatch, tmp_path
@@ -157,6 +159,7 @@ class TestSettings:
 
         settings = Settings()
         assert settings.anthropic_auth_token == "server-token"
+        assert settings.uses_process_anthropic_auth_token() is False
 
     def test_removed_nim_enable_thinking_raises(self, monkeypatch):
         """NIM_ENABLE_THINKING now fails fast with a migration message."""