Conclusion: When Codex or Claude Code cannot read an authorized public page, the first question is whether retrieval succeeded. Scrapingbypass API helps teams build a controlled retrieval function so the model does not reason over error pages.
Direct answer
The API key should live in the runtime, not in the prompt. The assistant should call a tool that returns validated public-page text or a clear error.
This pattern keeps secrets safer and makes access failures easier to diagnose.
Decision criteria
| Question | Recommended handling | Why |
| Who stores the key? | runtime or secret manager | reduces exposure |
| Who validates content? | retrieval wrapper | blocks error pages |
| Who summarizes? | AI model | works on verified text |
| Who changes settings? | maintainer | keeps operations controlled |

Common mistakes
- Putting API keys in examples.
- Letting the model edit proxy credentials.
- Treating short HTML as usable content.
- Debugging prompts before checking response quality.
Practical boundary
This is a reliability pattern for authorized public pages. It is not a reason to ignore source rules, access scope, or data handling requirements.
FAQ
Is the model responsible for retries?
No. Retry policy should be in the retrieval layer with clear limits and logs.
What metadata should be returned?
Return final URL, status code, x-cb-status, body length, and retrieval time.
Can Claude Code use the same wrapper as Codex?
Yes. A narrow retrieval function can serve both tools if secrets remain outside prompts.