SDKs & Developer Experience

Logging SDK Requests for Debugging and Audit

Good request logging pays for itself the first time a support ticket asks "which request was that, exactly?" — but a careless log line can leak a credential that never expires.

Claude 3P 101 · Updated July 2026 · Unofficial guide

There are two distinct reasons to log Claude API traffic, and they want different designs. Debugging wants maximum detail for a short time on one developer's machine. Audit wants a durable, structured record of who called what, when, at what cost — with the sensitive parts deliberately absent. Conflating the two is how prompts and keys end up in a log aggregator with a seven-year retention policy.

Debugging: see the wire

For interactive debugging, the ant CLI sets the standard: its global --debug flag streams the full HTTP request and response to stderr with the API key redacted, leaving stdout clean for your pipeline. Reproducing a failing SDK call as a one-line ant command with --debug is often the fastest way to see exactly what the API receives and returns.

Within the SDKs, verbose logging hooks vary by language — the fact sheets behind this guide don't enumerate a per-SDK logging flag, so consult the README of your SDK's repository (for example, Python or TypeScript) for its supported mechanism. Two portable fallbacks always work: point the SDK's base URL at a local logging proxy during development, or log at your application boundary — you construct the request parameters and receive the response object, which is everything worth recording anyway.

Audit: log identifiers and numbers, not content

A useful audit line for a Claude call is small. Log the timestamp, the calling service and tenant, the model ID, the request ID, the token usage from the response, and the outcome (stop_reason or error status). Token counts matter because they are your cost record: the response's usage block reports input tokens plus, when caching is on, cache_read_input_tokens and cache_creation_input_tokens — the numbers you need to reconcile a bill or spot a runaway prompt.

Request IDs deserve special care on third-party platforms. On Claude Platform on AWS, every response carries two: x-amzn-requestid (the primary one, indexed in CloudTrail — quote it to AWS support) and request-id (Anthropic's — quote it to Anthropic support). Log both. Also on that platform, CloudTrail captures workspace, vault, and webhook operations as management events by default, while inference, file, skill, and batch calls are data events that require explicitly enabled (paid) data-event logging — so don't assume your model calls are being audited by the cloud unless someone turned that on.

Prompts and completions are data, not logs. Message content can contain customer PII, contract text, source code — whatever your users typed. If the business needs content retention, store it in a governed data store with access control and a retention policy, keyed by request ID. Keep it out of general-purpose application logs.

Redaction: the non-negotiables

Claude API keys are long-lived secrets with no expiry — a key leaked into logs is a live credential until someone notices and revokes it. Concretely: never log the x-api-key or Authorization headers; scrub ANTHROPIC_API_KEY and ANTHROPIC_AUTH_TOKEN from any environment dumps in crash reports; and add a log-scanning pattern for the documented key prefixes (sk-ant-api... for API keys, sk-ant-oat01-... for WIF-minted access tokens) so a leak trips an alert instead of aging quietly. Prefer short-lived credentials where the platform offers them — WIF tokens on the Claude API, and on Claude Platform on AWS the short-term API keys generated from AWS credentials (capped at 12 hours) — because a leaked short-lived token has a bounded blast radius.

Make it structured from day one

Emit log lines as JSON with stable field names (model, request_id, input_tokens, output_tokens, stop_reason, latency_ms) rather than prose. Structured logs turn "how much did team X spend on Fable 5 last week" from an archaeology project into a query, and they let you alert on the interesting anomalies: 429 spikes, refusal-rate changes, or a model ID that shouldn't be in production anymore.

Where to go next

Credential hygiene continues in secrets handling patterns in SDK code and rotating API keys without downtime. For the debugging side, scripting with the ant CLI covers --debug in pipelines.

Sources