Is the Claude Code SDK the same as the Claude Agent SDK?

Anthropic has used both names for the package family. Verify the current published package name against the Anthropic docs and npm/PyPI before pinning a dependency. The CLI binary in my installation is `claude`.

Should I use the Claude Code SDK or roll my own agent loop with the Messages API?

The SDK is worth its weight when the loop wants hooks, subagents, MCP, plan mode, and permission gating. A small loop on top of the Messages API is the saner choice for two or three tools and no opinionated dependencies.

How does the Claude Code SDK compare to LangGraph for production agents?

Different shapes. The Claude Code SDK is a single-provider harness optimized for code-touching agents. LangGraph is a provider-neutral graph runtime. LangGraph wins when the workload spans Anthropic plus OpenAI plus Gemini. The Claude Code SDK wins when the team has committed to Anthropic and wants the harness without writing it.

Does the SDK lock me into Anthropic?

Materially yes. The harness is built around Anthropic Messages API semantics, tool blocks, and Claude-specific features. Migration to another provider is a rewrite, not a config flip.

Can I run untrusted user input through it safely?

Only with explicit sandboxing. The SDK ships permission modes and hook gates, but tool execution still happens in the host process unless something like Vercel Sandbox, Modal, or a Firecracker microVM is wired in. The default posture is operator-trusted, not end-user-trusted.

Does it work with custom models or proxies?

It accepts a custom base URL, which means routing through LiteLLM or OpenRouter is technically possible, but only models that respect Anthropic's Messages API surface and tool block format will work. Most third-party translations break on prompt caching or tool_use_id round-tripping in my experience.

Claude Code SDK: What Operators Actually Need to Know (2026)

The first time I shipped a production agent on the Claude Code SDK, I assumed it was a thin wrapper around the Messages API. It is not. It is the Claude Code harness exposed as a library, with the same loop, the same hook system, the same subagent dispatcher, and the same permission posture the CLI uses. That distinction matters more than the docs convey, and it changes who should pick this SDK and who should not.

TL;DR

Pick the Claude Code SDK when the team has committed to Anthropic models, wants an opinionated agent loop with hooks, subagents, MCP, and permission controls without writing it, and can accept hard provider lock-in. Skip it when the workload needs provider-portable routing, when the agent does not touch code or filesystems, or when a graph-shaped workflow already fits LangGraph's shape. The SDK is the right choice for code-adjacent agents (CI bots, repo-scanning agents, internal dev tooling) and the wrong choice for chat applications that happen to call a few tools.

The mental model

The Claude Code SDK is not an agent framework in the LangGraph or LlamaIndex sense. It is a runtime, factored into a library that can be embedded. Calling it does not orchestrate an agent loop. It hands a session to the harness and receives back a stream of events.

Directionally, that harness covers an agentic loop, a tool registry with first-class filesystem and shell support, a hook system that fires at lifecycle points, a subagent dispatcher, a skills mechanism for progressive context loading, MCP client integration, and permission modes that gate tool execution. The exact set of hook event names, permission mode strings, and SDK surface details have shifted across releases; verify against the installed version before relying on any specific name. This is a larger surface than many narrow tool-calling agents need. The right question is not "is it good" but "is the whole harness wanted in the host process, or does a smaller primitive fit better."

A note on naming. The package family has been referred to as both the Claude Code SDK and the Claude Agent SDK. People still call it the Claude Code SDK in conversation, and that is the keyword most operators search. Confirm the current published package name against the official Anthropic documentation before adding a dependency.

The landscape

The space of "library to embed for running an LLM agent" splits into roughly four shapes:

Provider-native harnesses. Claude Code SDK (Anthropic), the OpenAI Agents SDK, and Google's ADK. These ship the loop, the tool ABI, and the production patterns the provider uses internally. The coupling is deep: model semantics, tool-call ABI, lifecycle hook shapes, and authentication all assume one provider.

Provider-neutral graph frameworks. LangGraph, LlamaIndex Workflows, Haystack agents. These model the agent as a graph or state machine and let providers swap. More flexibility, more code to write, more failure modes that belong to the implementer.

Lightweight loops. Smolagents, instructor, plain Anthropic() or OpenAI() clients with a small tool dispatcher. The "no framework" choice. Right for narrow agents.

Hosted agent platforms. OpenAI Responses API plus the OpenAI Agents SDK, Vercel Agents, Mastra Cloud, AWS Bedrock Agents. The provider runs or strongly shapes the loop. Less loop-hosting burden, less control over runtime behavior, lock-in to the hosting layer.

The Claude Code SDK is the production-grade end of provider-native. It resembles the Claude Code harness exposed to developers as a library. That gives it real advantages over rolling a loop from scratch: edge cases around tool_use_id correlation, prompt caching, parallel tool calls, and streaming partial JSON are already handled. It also means the API shape is dictated by what works for the harness it descends from, not by what is cleanest for any one use case.

What actually matters operationally

Vendor pages emphasize features. Operators care about a different list. The dimensions that drive production decisions for an agent SDK:

Tool-call observability. When a 12-step agent loop fails on step 9, can the operator see exactly what the model received as input to step 8 and what tool result came back? The Claude Code SDK exposes this through its event stream and through hooks, but the events have to be wired into a host observability layer (OpenTelemetry, Langfuse, Braintrust). It does not ship a console. The OpenAI Agents SDK has built-in tracing and a hosted trace dashboard by default, while its docs also describe custom trace processors for exporting to other destinations. That is convenient when starting and constraining when a no-hosted-trace or ZDR posture is required.

Cost control at scale. Prompt caching is the biggest single cost lever for agent workloads, because the system prompt and tool definitions repeat on every turn. The Claude Code SDK respects Anthropic's prompt caching headers in my testing. Routing through a third-party gateway that does not preserve cache breakpoints can multiply spend silently. In my own development environment I observed a meaningful, not subtle, drop in cache hit rate when the same workload ran through a self-hosted gateway versus direct to the Anthropic API. This was an ad-hoc observation, not a controlled benchmark, and it is worth measuring on the workload at hand before drawing conclusions.

Hook ergonomics. Production agents need pre-flight gates: refuse a destructive command, redact secrets before tool execution, audit filesystem writes. The Claude Code SDK's hook system runs as JSON-over-stdin subprocesses, which is portable across runtimes but verbose. LangChain callbacks are cleaner inside Python. For hooks in a non-Python service mesh, the subprocess design ages better.

Permission posture for end-user input. This is the trap. The SDK's default posture is operator-trusted: it assumes the engineer running it controls the machine and the tools. Putting end-user input into a session with permissions disabled grants that user the ability to run shell commands as the host service account. The SDK does not stop that. The operator stops that, by setting a permission mode and wiring hooks. Headless and programmatic services need an explicit deny-by-default policy and non-interactive enforcement. Treating an interactive prompt as a production safety control does not work outside an interactive session.

MCP integration. Model Context Protocol is becoming a common shape for exposing tools to agents across vendors. The Claude Code SDK ships MCP client support, which means fewer custom adapters when the target integration already has an MCP server. If MCP is not on the roadmap, this advantage is invisible.

Lock-in risk. Already covered, but worth stating plainly. Once the harness is in production, switching providers is a rewrite, not a config change. Provider price increases or partial-traffic shifts to a different model family are hard to execute under that coupling, and that risk should be priced in at the build decision.

Detailed teardowns

Claude Code SDK (TypeScript and Python)

The package ships in both TypeScript and Python flavors, both first-party Anthropic packages. The two language SDKs may not expose identical surfaces at every release; check the installed version's docs for the exact entry point shape. Both expose a query-style entry point and an event-stream return type at a high level.

Architecture: the SDK runs an agentic loop, maintains conversation state, dispatches tool calls in parallel where the model emits them in parallel, and surfaces events for model turns, tool start, tool end, hook fire, and session boundaries. The host consumes the events; the SDK runs the loop. Iteration can be interrupted by closing the iterator, or left to run to its natural stop.

Cost and scale tradeoffs: per-token pricing is the underlying Anthropic Messages API pricing. The SDK adds no margin. Operationally, the bill is whatever Anthropic model is selected at standard list pricing. Prompt caching reduces per-turn cost on multi-turn loops noticeably; in my own development environment cache hit rates have been high on stable system prompts, but the actual rate depends entirely on workload stability and is worth treating as an SLO rather than a constant. The SDK does not throttle, batch, or otherwise mediate pricing.

Right call when:

The agent edits code, runs shell commands, or operates on filesystems
The team wants hooks, subagents, plan mode, and MCP without writing them
The organization has committed to Anthropic models for the planning horizon
A Claude-Code-shaped experience needs to ship inside the host product

Wrong call when:

Provider portability is a requirement (LangGraph fits better)
The agent is a chatbot with two or three tool calls (use the Messages API directly)
The deployment is in a regulated jurisdiction with residency requirements that have not been reconciled against the provider's regional posture
The team cannot accept the lock-in

OpenAI Agents SDK (for comparison)

Architecturally similar shape, different provider. The current OpenAI Agents SDK docs describe tracing as enabled by default, with OpenAI's trace dashboard as the default backend and custom trace processors available for alternative or secondary destinations. The tool ABI is OpenAI's tool-call format, not Anthropic's tool blocks. Strong handoff and guardrail primitives. The reason to pick it over Claude Code SDK is a commitment to GPT-class and Realtime models. The reason to skip it: different MCP maturity and tighter coupling to OpenAI's hosted ecosystem.

LangGraph

Provider-neutral graph runtime. Models agents as state machines with explicit nodes and edges, which makes complex multi-step workflows easier to reason about than a tool-calling loop. The cost: the team writes the graph, writes the tool wiring, and writes (or pays for) the persistence layer. For a code-touching agent, LangGraph plus Claude is more code than Claude Code SDK plus Claude, and the production patterns that ship with the harness do not come along. For a multi-provider workflow with conditional routing across model families, LangGraph wins decisively.

Roll your own

For agents with two or three tools and a well-bounded scope, a small loop calling client.messages.create() directly is the right call. The team skips the entire framework debate, owns every line, and can read the source of every behavior. The threshold where this stops working is roughly: when hooks become wanted, when subagents become wanted, or when MCP becomes wanted. At that point, the framework needed to support those features starts to look like the harness Anthropic already maintains.

The MCP layer

Model Context Protocol is an open standard for exposing tools to agents. It is provider-neutral by design; the spec lives at modelcontextprotocol.io. For the Claude Code SDK specifically, MCP is the recommended way to expose tools that live outside the host process: a database tool, a Linear or GitHub integration, an internal API.

Directionally, MCP covers tool discovery, tool invocation, prompt templates, and resource fetching. The exact 2026 coverage of sampling, authentication patterns beyond bearer tokens, and cross-server orchestration has been moving and should be checked against the current spec at https://modelcontextprotocol.io/specification before treating any advanced capability as portable.

The practical implication for a Claude Code SDK build: any tool that more than one agent system might want to consume is better written as an MCP server than as a Claude-Code-SDK-specific tool. The MCP server can be reused later if the workload migrates to LangGraph, or if a teammate builds against a different provider's SDK. It is the cheapest hedge against lock-in I have found.

Things nobody talks about

Operational realities I learned the painful way, that the docs and vendor blog posts skip.

1. Permission posture depends on tool exposure, not vibes. The SDK's current TypeScript reference says allowedTools auto-approves listed tools; it does not restrict the model to only those tools. Use tools and disallowedTools to bound the available surface, set permissionMode explicitly, and avoid bypassPermissions unless the runtime is sandboxed and disposable. Interactive mode can show confirmation prompts. Headless and programmatic mode is a different story: an explicit permission policy is required, and disabling permissions because it was the easiest path to a working demo is a category of incident I have seen repeatedly.

2. Prompt caching breaks silently on system-prompt or tool-list churn. The cache key is the prefix. Re-ordering tools, swapping a tool's description, or changing a single character in the system prompt invalidates the cache for that turn. Cost regressions of several multiples are realistic when a tool description gets templated with a timestamp. Assert that the system prompt and tool list are stable across a session, and audit cache hit rate as an SLO. The Anthropic Messages API surfaces cache-related fields in usage metadata; the exact field names and behavior should be confirmed against the installed SDK version's docs rather than copied from memory.

3. Subagent token costs are easy to miss. When a parent session dispatches a subagent, the child runs its own loop with its own tokens. Those tokens roll up into the account spend. Whether and how the parent's usage object reflects child usage depends on the SDK and telemetry integration in use; do not assume the parent's usage tells the whole story. Log subagent dispatches as their own spans in the observability stack and tag them with the parent session id.

4. The hooks API is JSON-over-stdin subprocess, which is portable but slow. Each hook fires a subprocess. A PreToolUse hook that fires on every tool call adds subprocess startup cost on every step of the loop. On a long loop, that adds noticeable wall-clock time. Keep hook scripts in a fast-startup runtime (Python with no heavy imports, Go, Rust, shell), and short-circuit hooks that only need to run on specific tool names.

5. "Self-hosted" is misleading when the model is hosted. Running the SDK in a private VPC does not mean prompt data stays in that VPC. The model runs at Anthropic. Every prompt, every tool result, every system message is sent to Anthropic as a sub-processor. ZDR and enterprise data-handling postures may be available; verify the specific plan, contract, and control framework against current Anthropic documentation rather than assuming a generic posture. Use the precise term "data processor" or "sub-processor" in data flow diagrams; do not write "data does not leave our infrastructure" unless a local model is actually running.

Implementation patterns

The snippets below are illustrative shapes, not tested production code. SDK event shapes, field names, and entry points have shifted across releases; verify each pattern against the installed package's docs and types before deploying. Pin exact package versions in production; do not use floating tags.

Pattern 1: Headless agent with permission gating

// Illustrative shape. Verify against the installed SDK version's
// types and docs. Field names below may differ between releases.
async function main() {
  const { query } = await import("@anthropic-ai/claude-agent-sdk");

  const session = query({
    prompt: "Audit the dependencies in package.json and report any with known CVEs.",
    options: {
      permissionMode: "dontAsk",
      tools: ["Read", "Grep", "Glob"],
      disallowedTools: ["Bash", "Edit", "Write"],
      maxTurns: 12,
    },
  });

  for await (const event of session) {
    // Assistant content in modern message SDKs is typically a structured
    // block array, not a plain string. Render via the SDK's documented
    // helper or extract text blocks explicitly. Treat the body of this
    // loop as pseudo-code for the event shape.
    if (event.type === "assistant_message") {
      // render assistant text blocks per the installed SDK's documented surface
    }
    if (event.type === "tool_use") {
      // log tool dispatch for observability
    }
  }
}

main().catch(err => {
  console.error(err);
  process.exitCode = 1;
});

The shape that matters: do not confuse allowedTools with a restriction boundary. In the current TypeScript reference, allowedTools auto-approves matching tools and unlisted tools can still fall through to permission mode and canUseTool. A read-only tools list plus explicit disallowedTools is the safer shape for this kind of audit agent. maxTurns is a hard stop against runaway loops. Always set it.

Pattern 2: Hook for tool-call audit logging (Python, illustrative)

# audit_hook.py
# Illustrative. Logs raw tool input verbatim, which is exactly where
# secrets, shell arguments, file paths, and customer data appear.
# This pattern is NOT a redaction layer. Pair it with a real redactor
# (regex sweep for tokens, allowlist of fields, structured argument
# parsing) before pointing it at production traffic.
import json, sys, datetime, os

event = json.load(sys.stdin)
log_path = os.environ.get("AUDIT_LOG", "/var/log/agent-audit.jsonl")

with open(log_path, "a") as f:
    f.write(json.dumps({
        "ts": datetime.datetime.utcnow().isoformat() + "Z",
        "session_id": event.get("session_id"),
        "tool_name": event.get("tool_name"),
        "tool_input": event.get("tool_input"),  # RAW; redact upstream
    }) + "\n")

print(json.dumps({"continue": True}))

Wired as a PreToolUse-style hook, every tool call is logged before it executes. To block a call (a destructive shell command, a write to a forbidden path), return a continue-false response with a reason and the SDK aborts the dispatch. Pre-tool hooks are a useful enforcement point for policy, not a substitute for a redaction layer or a sandbox.

Pattern 3: Subagent dispatch for isolation

The Claude Code SDK supports spawning subagents with their own system prompts, tool allowlists, and contexts. The use case: a parent agent that needs to delegate a sensitive operation (running tests, accessing a production database) to a child with a tightly-scoped permission set, then receive the result. The shape: the parent dispatches via a subagent tool with an explicit child tool allowlist, the child runs its own loop, and the parent receives a final result message. Subagent token usage rolls up to the account spend; track it as a separate observability span so cost attribution is not lost.

A companion code repository for these patterns can live alongside the article; verify any specific URL against the current state of my GitHub before relying on it.

What I would instrument first

Before adding more telemetry than is needed, the small set worth wiring on day one, using only concepts already discussed above:

Turn count per session
Tool-call count per session and per tool name
Cache read tokens and cache creation tokens per turn
Hook latency per hook name (subprocess wall-clock)
Permission denials, by tool and by reason
Subagent dispatches, as their own spans, tagged with the parent session id

Those six are enough to spot runaway loops, cache regressions, hook hot-paths, and unattributed subagent spend without a heavy observability lift.

Decision framework

Criteria to walk through when a team is deciding whether to build on the Claude Code SDK:

Has the team committed to Anthropic models for the planning horizon? If not, LangGraph or a thin Messages-API wrapper fits better. The lock-in cost exceeds the convenience benefit when migration is on the table.
Does the agent touch code, files, or shell? If yes, the harness was built for this shape and the patterns are well-worn. If the agent is a pure conversational tool-caller (search, summarize, lookup), the Messages API with a small loop is the saner choice.
Does the workload need hooks, subagents, plan mode, or MCP? Yes to any of these earns the SDK its weight. No to all of them means there is more framework here than the workload needs.
Is the deployment in a regulated jurisdiction with residency requirements? If yes, validate the provider's regional posture against the specific control framework before adopting. The SDK does not change the data flow; it just provides a nicer client. The compliance question is identical to "should this team use the Anthropic API at all."
Can the organization absorb the lock-in? If yes, the SDK is a reasonable default candidate after normal security, cost, and compliance review. If no, build on a smaller primitive and accept the implementation cost.

The honest take: this SDK is the right call for code-adjacent production agents at organizations that have already chosen Anthropic. It is overkill for chatbots and underkill for multi-provider workflows. The lock-in is real and underdiscussed. The harness is genuinely good, and Anthropic is the team most likely to keep it good, because they ship it themselves. Where I would bet directionally: MCP becomes more interoperable over time and that erodes some of the lock-in penalty. Where I would not bet: that the SDK becomes provider-neutral. It will not. That is not what it is for.