Claude Code wraps user-visible codes in bold markdown formatting (e.g. `**ABCD-1234**`) when displaying them in messages. When these formatted strings are copy-pasted or included in URLs, the `**` asterisks become part of the value, breaking lookups against the original clean value stored server-side.
This affects any system where an agent displays a code to the user and the user (or frontend) later submits it back — device codes, verification codes, invite codes, etc. The formatting characters *, _, backticks, quotes, brackets are all potential artifacts from different markdown renderers.
Defense in depth: strip at every layer (backend lookup functions, OAuth authorize endpoint, frontend URL param parsing) rather than trusting any single layer to produce clean input.
Create a shared `strip_formatting` function that removes markdown/formatting artifacts (``*_`"'()[]<>``) plus leading/trailing whitespace, preserving hyphens and alphanumerics. Apply it at every layer: backend lookup functions (`get_device_code_by_user_code`), OAuth authorize endpoint (on `user_code` and `invite_code` params), and frontend URL param parsing. The regex is simple: ``/[*_`"'()\[\]<>]/g`` (JS) or ``re.compile(r'[*_`"\'()\[\]<>]')`` (Python).
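The shared helper applied at two of the layers described above, as an added Python example that is not the project's own code. The in-memory store, the sample codes, the example URL and the `authorize_params` helper are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Character class from the regex above: formatting artifacts only.
# Hyphens and alphanumerics are deliberately not in the class.
_FORMATTING = re.compile(r'[*_`"\'()\[\]<>]')


def strip_formatting(value):
    """Remove formatting artifacts, then trim surrounding whitespace."""
    if value is None:
        return None
    # Trim after substitution so "** ABCD-1234 **" does not keep inner padding.
    return _FORMATTING.sub("", value).strip()


# Constructed stand-in for the server-side store (hypothetical data).
_DEVICE_CODES = {
    "ABCD-1234": {"device_code": "dc-constructed-1", "status": "pending"},
}


def get_device_code_by_user_code(user_code):
    """Backend lookup layer: normalizes its own input instead of trusting callers."""
    cleaned = strip_formatting(user_code)
    if not cleaned:
        # Input was missing or consisted only of formatting characters.
        return None
    return _DEVICE_CODES.get(cleaned)


def authorize_params(url):
    """Authorize-endpoint layer: clean user_code and invite_code from the query."""
    query = parse_qs(urlsplit(url).query)
    return {
        name: strip_formatting(query.get(name, [None])[0])
        for name in ("user_code", "invite_code")
    }
```

Because the helper removes `_` and the other listed characters unconditionally, the codes stored server-side must be generated from an alphabet that excludes them, or a cleaned value will never match.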