Happy lets you control Claude Code sessions from your phone. You run happy instead of claude, scan a QR code, and your session shows up on your phone. I’ve been using it for a few days — approving permissions on the go, watching output while making coffee, or talking to it with voice input. It’s open source (MIT) and free to use — there’s an optional £19.99/month subscription that gets you early access to new features.
The encryption is real Link to heading
I was curious whether the encryption actually holds up, so I pointed Claude at the source.
When you scan the QR code, your phone and CLI establish a shared secret. Per-session AES-256-GCM keys are derived from this — the QR payload contains the seed material, both sides derive the same key independently, and it never touches the server. Everything is encrypted client-side before leaving either device.
The server is just a relay shuffling ciphertext. It genuinely cannot read your messages. The key material never reaches it, so even a compromised server would only see noise. I wasn’t expecting the crypto to be this solid for a side project.
What I found under the hood Link to heading
I had Claude go through the source more carefully and reported a few things upstream as GitHub issues. Most turned out to be theoretical or low-impact.
The one that matters: QR pairing requests never expire. If someone photographs your QR code — screen share, unlocked laptop — they could pair with your session later. Narrow scenario, but it should have a TTL.
The other findings — an auth challenge replay that’s mitigated by HTTPS, a subscription check bypass that only gates a voice feature, and a Mermaid rendering issue — all turned out to be low-impact once I looked at the actual threat model.
Verdict Link to heading
The crypto is solid, the app works, and the one real gap (QR expiry) is narrow. I’m happy enough using it for personal stuff.
I’ll post an update on the reported issues if anything interesting comes of them. Repo is here.