There are two distinct reasons to log Claude API traffic, and they want different designs. Debugging wants maximum detail for a short time on one developer's machine. Audit wants a durable, structured record of who called what, when, at what cost — with the sensitive parts deliberately absent. Conflating the two is how prompts and keys end up in a log aggregator with a seven-year retention policy.
Debugging: see the wire
For interactive debugging, the ant CLI sets the standard: its global --debug flag streams the full HTTP request and response to stderr with the API key redacted, leaving stdout clean for your pipeline. Reproducing a failing SDK call as a one-line ant command with --debug is often the fastest way to see exactly what the API receives and returns.
Within the SDKs, verbose logging hooks vary by language — the fact sheets behind this guide don't enumerate a per-SDK logging flag, so consult the README of your SDK's repository (for example, Python or TypeScript) for its supported mechanism. Two portable fallbacks always work: point the SDK's base URL at a local logging proxy during development, or log at your application boundary — you construct the request parameters and receive the response object, which is everything worth recording anyway.
Audit: log identifiers and numbers, not content
A useful audit line for a Claude call is small. Log the timestamp, the calling service and tenant, the model ID, the request ID, the token usage from the response, and the outcome (stop_reason or error status). Token counts matter because they are your cost record: the response's usage block reports input tokens plus, when caching is on, cache_read_input_tokens and cache_creation_input_tokens — the numbers you need to reconcile a bill or spot a runaway prompt.
Request IDs deserve special care on third-party platforms. On Claude Platform on AWS, every response carries two: x-amzn-requestid (the primary one, indexed in CloudTrail — quote it to AWS support) and request-id (Anthropic's — quote it to Anthropic support). Log both. Also on that platform, CloudTrail captures workspace, vault, and webhook operations as management events by default, while inference, file, skill, and batch calls are data events that require explicitly enabled (paid) data-event logging — so don't assume your model calls are being audited by the cloud unless someone turned that on.
Redaction: the non-negotiables
Claude API keys are long-lived secrets with no expiry — a key leaked into logs is a live credential until someone notices and revokes it. Concretely: never log the x-api-key or Authorization headers; scrub ANTHROPIC_API_KEY and ANTHROPIC_AUTH_TOKEN from any environment dumps in crash reports; and add a log-scanning pattern for the documented key prefixes (sk-ant-api... for API keys, sk-ant-oat01-... for WIF-minted access tokens) so a leak trips an alert instead of aging quietly. Prefer short-lived credentials where the platform offers them — WIF tokens on the Claude API, and on Claude Platform on AWS the short-term API keys generated from AWS credentials (capped at 12 hours) — because a leaked short-lived token has a bounded blast radius.
Make it structured from day one
Emit log lines as JSON with stable field names (model, request_id, input_tokens, output_tokens, stop_reason, latency_ms) rather than prose. Structured logs turn "how much did team X spend on Fable 5 last week" from an archaeology project into a query, and they let you alert on the interesting anomalies: 429 spikes, refusal-rate changes, or a model ID that shouldn't be in production anymore.
Where to go next
Credential hygiene continues in secrets handling patterns in SDK code and rotating API keys without downtime. For the debugging side, scripting with the ant CLI covers --debug in pipelines.