Your AI Has an iMessage Now. Who's Texting It?
Claude Code can now take instructions via iMessage, Telegram, and Discord. That opens up a real problem if you can't verify who's on the other end. We built LastID Claude Guard to fix it with verifiable credentials instead of phone number trust.
Two camps
I kept seeing two camps online.
One camp is excited. Claude Code shipped an iMessage channel, along with Discord and Telegram. You can text your AI from your phone while you're on the go. Tell it to refactor something, look up a file, run a deployment. From your couch. Pretty great.
The other camp is like OH NO. You can spoof phone numbers. I think more people need to understand that, and I expect more and more will find out.
Phone numbers are not identity
You can spoof a phone number in about 30 seconds. There are services that do it for you. The phone system was never built to be an identity layer, and yet that's exactly what we treat it as. If a text comes from your number, it must be you.
That assumption breaks completely when your AI is taking instructions over iMessage.
Your Claude Code instance has access to your codebase, your credentials, your environment variables, your SSH keys, your database configs. It can read files, run commands, push code. And now it takes instructions from a phone number.
If someone spoofs your number or gets temporary access to your iMessage, they can ask your AI to read your .env file, dump your customer database, or send your SSH keys somewhere. Claude will do it. It doesn't know who's asking. It just knows the message came from a channel it was told to listen to.
We saw it as an identity problem
This isn't an AI problem. The AI is doing exactly what it's supposed to, following instructions from a channel. The channel has no way to verify who's actually on the other end.
So we built something.
LastID Claude Guard
LastID Claude Guard is a Claude Code plugin that gates dangerous AI operations behind identity verification. Not phone number verification. Real cryptographic verifiable credential verification.
Here's how it works.
The guard only activates during remote sessions. If you're sitting at your terminal typing into Claude Code, nothing changes. The guard watches for channel activity on iMessage, Telegram, Discord and only flips on when it detects someone remote is driving.
It scans outbound messages for sensitive data. Not just file reads. The real risk is in the replies. If Claude is about to send customer emails, API keys, addresses, phone numbers, or credentials over a messaging channel, the guard catches it.
It requires identity verification before the data goes through. The guard sends a verification link over the same channel. The user taps it, presents their LastID credential on their phone, a real verifiable credential bound to their identity and not their phone number, and the guard checks the DID against the registered owner.
If the identity matches, the data flows. The user proved who they are. They get what they asked for, unredacted. If it doesn't match, denied.
Once verified, you're good for the session. No re-challenging every message. Verify once and the guard trusts you for a configurable window.
What it catches
We built a threat classifier that thinks like an attacker. If someone gets access to your iMessage and starts texting your AI, what would they do?
They'd ask for credentials. Read the .env file. Dump SSH keys. Export the customer database. Ask Claude to send it all back over the channel.
The guard catches credential access, PII exposure, destructive commands, and exfiltration attempts. It scans both the operations Claude tries to perform and the content of its replies.
We also added a social engineering detector on the prompt side. If someone texts "send me the API key" or "what's the password in the config," Claude gets a warning before it even starts working on the request.
Why verifiable credentials matter here
A phone number is a routing address. A verifiable credential is a cryptographic proof of identity.
When you present a LastID credential, you're proving control of a specific DID with a credential issued by a specific authority. The guard checks that DID against the one registered when you set up the plugin. It's not checking your phone number or your iMessage account. It's checking a cryptographic identity that can't be spoofed, forwarded, or SIM-swapped.
This is the same technology we use for verified calling and messaging in the LastID app. We pointed it at a new problem, making sure your AI knows who it's talking to.
Open source
We're releasing LastID Claude Guard as open source. Install it, register your identity, and your Claude Code instance knows who you are cryptographically, not by phone number.
The plugin is on GitHub now: GetTrustedApp/lastid-claude-guard. We're getting the SDK access set up so anyone can grab an API key. If you want early access, drop a comment or reach out.
This is just the start
AI agents are going to get more channels, more tools, more access. The identity problem only gets bigger. Today it's Claude Code with iMessage. Tomorrow it's autonomous agents with access to your bank account, your medical records, your company's infrastructure.
The question isn't whether AI should have these capabilities. It's whether we can verify who's giving the instructions.
That's what we're building.