Anthropic isn't catching third-party LLM clients the way everyone assumed. On April 9, security researcher mrcattusdev showed that detection of tools like OpenCode, Aider, and Cline comes down to system prompt content. Not HTTP headers. Not TLS fingerprints. The researcher proved this by elimination. Claude Code's request body sent with OpenCode headers sailed through. A Node.js proxy normalizing TLS changed nothing. But the moment they swapped in Claude Code's official system prompt, the detection vanished.
Anthropic examines the structured system prompt array that clients send, focusing on the static instruction block at index 2. Roughly 30,000 characters of agent instructions and orchestration rules. When it doesn't match Claude Code's known prompt structure, the server returns a 400 error: "Third-party apps now draw from your extra usage." Runtime sections like environment variables, directory listings, and custom AGENTS.md content pass through untouched. The researcher binary-searched through the 30K prompt looking for a trigger phrase. Found nothing. That suggests Anthropic uses embedding comparison or a classifier to judge the overall shape of the text.
This is security through obscurity. Claude Code's system prompt is already publicly extractable. Just ask Claude Code to print its instructions. Once someone has the prompt, the detection falls apart. Updates to Claude Code's system prompt also invalidate cached copies, creating a cat-and-mouse game. The real question is why Anthropic doesn't validate OAuth client IDs. Third-party tools currently use the same client ID as Claude Code. Separate client IDs for official versus unofficial clients would eliminate this entire class of bypass.
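The alternative that the last paragraph argues for, as an added example that is not Anthropic's code or the researcher's: the billing decision is taken from a client ID bound into a signed token, so the system prompt in the request body plays no part. The HMAC token format, signing key, client IDs and bucket names are constructed for illustration, and the sketch assumes the authorization server issues the official client ID only to the official client.

```python
import base64, hashlib, hmac, json

# Constructed for this example: the key and client IDs are placeholders.
SIGNING_KEY = b"example-signing-key"
OFFICIAL_CLIENT_IDS = {"official-cli-client"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(client_id: str, subject: str) -> str:
    """Authorization-server side: bind the client ID into a signed token."""
    payload = _b64(json.dumps({"client_id": client_id, "sub": subject}).encode())
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"

def verify_token(token: str) -> dict:
    """API side: return the claims only if the signature checks out."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise ValueError("bad signature")
        return json.loads(_unb64(payload))
    except (ValueError, TypeError) as exc:
        raise PermissionError("invalid token") from exc

def billing_bucket(token: str, request_body: dict) -> str:
    """Decide billing from the verified client_id; the body is never consulted."""
    claims = verify_token(token)
    # Hypothetical bucket names: "plan" for the official client, else extra usage.
    return "plan" if claims.get("client_id") in OFFICIAL_CLIENT_IDS else "extra_usage"
```

A request that carries a copied official prompt under a third-party token still lands in `extra_usage`, and a token whose payload and signature do not match is rejected before any billing decision is made.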