The Sandbox Slip: How a Security Audit Unearthed Perplexity’s Exposed Claude Code Tokens

Perplexity Computer is a cloud-based computing environment unveiled by the AI search vanguard Perplexity. This system integrates sophisticated instruments such as Claude Code to empower users in manifesting their creative visions; naturally, as the platform solictis generative AI models, the orchestration of API tokens becomes a fundamental necessity.

Intrigued by the possibility that exfiltrating these tokens might expose a profound architectural frailty, a security researcher subjected the Perplexity Computer sandbox to a rigorous audit. This inquiry proved fruitful, as they unearthed both the endpoint addresses and the active API tokens nestled within the .npmrc configuration file.

Strikingly, these credentials were not merely confined to the Perplexity environment; the investigator successfully configured them within auxiliary software, facilitating unadulterated model calls that, curiously, initially appeared absent from any billing ledger.

This discovery ignited concerns of a severe security lapse, as the exposure of such tokens could ostensibly allow any unauthorized entity to plunder Perplexity’s model quotas. The subsequent report, provocatively titled “I hacked Perplexity Computer and got unlimited Claude Code,” catalyzed a swift fervor across X/Twitter. This viral traction compelled Perplexity to intervene with alacrity, revoking the leaked tokens.

However, the rationale behind this revocation was not to halt a systemic “freeloading” of Perplexity’s corporate resources, but rather to safeguard the user. Perplexity elucidated that the system generates distinct, session-bound tokens for every user. While the tokens can indeed be used externally, they remain inextricably tethered to the individual’s account; thus, all kinetic activity is accurately metered and billed to that specific patron.

The perceived “infinite quota” was merely a byproduct of asynchronous billing—a temporal lag where fiscal telemetry often takes upwards of eighteen hours to manifest within the user dashboard. Consequently, the proactive revocation was a protective measure to shield the researcher from a staggering, unexpected financial burden, as the tokens would have persisted until the eventual dissolution of the session.

Perplexity further defended the visibility of these tokens within environment variables, asserting that because these short-lived credentials belong exclusively to the user, there is no mandate to veil them from their rightful owner. In a defiant riposte, the researcher argued that this architecture remains fundamentally perilous. Since tokens can be extracted via sophisticated prompt injection, a malicious actor could usurp these credentials to inflict astronomical debts upon unsuspecting victims. Thus, the researcher maintains that this paradigm is a profound design flaw that necessitates immediate remediation.