Developers often face the challenge of managing multiple Claude Code accounts, whether for personal use, company projects, or various freelance clients. While simple shell aliases offer a basic solution, a more robust and elegant approach involves dynamically loading configurations based on the current project directory. This method ensures that the appropriate Claude Code profile is automatically selected, eliminating the need for manual switching and reducing potential confusion.
The core mechanism behind this solution utilizes direnv in conjunction with the CLAUDE_CONFIG_DIR environment variable. By placing an .envrc file in parent directories like ~/personal, ~/work/company, or ~/clients/acme, every repository within that folder can automatically inherit and reuse the correct Claude account, MCP authentication, interaction history, settings, and tool permissions. This establishes a "trust boundary" where configurations and credentials are inherently tied to the specific context of the work being performed.
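The lookup described above can be audited before relying on it. The script below is an added example, not code from the original article or from direnv: it walks up from a directory to the nearest .envrc, as direnv does, and reports which CLAUDE_CONFIG_DIR would apply. The profile paths (~/.claude-personal and so on), the function names and the single-line export format are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example: report which Claude Code profile a directory resolves to.
# Assumption: profiles are set with a line `export CLAUDE_CONFIG_DIR=<path>`.
# direnv also requires `direnv allow` per .envrc; that is not checked here.

# Print the nearest .envrc at or above $1 (direnv loads only that one file).
nearest_envrc() {
  local dir
  dir=$(cd "$1" && pwd -P) || return 1
  while :; do
    if [ -f "$dir/.envrc" ]; then printf '%s\n' "$dir/.envrc"; return 0; fi
    if [ "$dir" = "/" ]; then return 1; fi
    dir=$(dirname "$dir")
  done
}

# Print the CLAUDE_CONFIG_DIR text that applies to $1, or GLOBAL when the
# nearest .envrc does not set it and the shared default profile would be used.
profile_for() {
  local rc val
  rc=$(nearest_envrc "$1") || { echo GLOBAL; return 0; }
  val=$(sed -n 's/^export CLAUDE_CONFIG_DIR=//p' "$rc" | tail -n 1)
  val=${val#\"}; val=${val%\"}
  printf '%s\n' "${val:-GLOBAL}"
}

# Constructed layout mirroring the folders named above; prints its root.
# The profile directory names are hypothetical.
build_demo() {
  local root
  root=$(mktemp -d) || return 1
  mkdir -p "$root/personal/blog" "$root/work/company/api" \
           "$root/clients/acme/site" "$root/scratch"
  echo 'export CLAUDE_CONFIG_DIR="$HOME/.claude-personal"' > "$root/personal/.envrc"
  echo 'export CLAUDE_CONFIG_DIR="$HOME/.claude-company"' > "$root/work/company/.envrc"
  echo 'export CLAUDE_CONFIG_DIR="$HOME/.claude-acme"' > "$root/clients/acme/.envrc"
  # A repo-level .envrc without source_up shadows the parent's profile.
  echo 'export NODE_ENV=development' > "$root/clients/acme/site/.envrc"
  printf '%s\n' "$root"
}

demo_root=$(build_demo)
for d in personal/blog work/company/api clients/acme clients/acme/site scratch; do
  printf '%-22s %s\n' "$d" "$(profile_for "$demo_root/$d")"
done
rm -rf "$demo_root"
```

Two directories report GLOBAL: scratch has no .envrc above it, and clients/acme/site has its own .envrc that hides the client profile, which direnv's source_up function in the repository's .envrc would restore.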
The utility of this setup extends far beyond just Claude Code accounts. The same principles can be applied to maintain separate credentials and settings for other critical development tools and services. This includes distinct MCP credentials, GitHub organizations, Slack workspaces, Linear teams, Sentry projects, and various customer-specific tools. By splitting profiles in this manner, developers can prevent the accidental mixing of sensitive data—such as GitHub, Slack, Linear, Sentry, email, database, or customer credentials—across different work contexts.
This approach is particularly crucial for security. Industry discussions highlight the fragility of manual account switching and the risks associated with a single global profile. When all connected services share one profile, every key sits behind a single, large attack surface. Recent security incidents underscore these vulnerabilities: a malicious postmark-mcp npm package was found impersonating Postmark to exfiltrate emails, and Koi Security's analysis warned that AI assistants might unknowingly continue using compromised tools. Furthermore, OX Security reported command injection vulnerabilities in MCP-based systems. direnv does not fix malicious packages, but it significantly narrows the "blast radius": each tool runs inside the trust boundary of the current project, so a compromised tool or service can reach only the credentials of that project context.
For organizations utilizing MCP, it's recommended to define shared server configurations in a .mcp.json file, while keeping private authentication tokens within the local, project-specific profile. This balance allows for collaboration while maintaining individual security. Ultimately, operating Claude Code and related tools within the same trust boundary as the active folder is a best practice for enhancing both operational efficiency and robust security in complex development environments.