Loading...
    • Messages
    • Managed Agents
    • Admin
    Search...
    ⌘K
    Organization
    Admin API overviewWorkspaces
    Authentication
    OverviewWorkload Identity FederationWIF reference
    Monitoring
    Usage and Cost APIRate Limits APIClaude Code Analytics API
    Data & compliance
    Data residencyAPI and data retention
    Log in
    Overview
    Loading...
    Loading...
    Loading...
    Loading...
    Loading...
    Loading...
    Loading...
    Loading...
    Loading...
    Loading...
    Loading...
    Loading...
    Loading...
    Loading...
    Loading...
    Loading...

    Solutions

    • AI agents
    • Code modernization
    • Coding
    • Customer support
    • Education
    • Financial services
    • Government
    • Life sciences

    Partners

    • Amazon Bedrock
    • Google Cloud's Vertex AI

    Learn

    • Blog
    • Courses
    • Use cases
    • Connectors
    • Customer stories
    • Engineering at Anthropic
    • Events
    • Powered by Claude
    • Service partners
    • Startups program

    Company

    • Anthropic
    • Careers
    • Economic Futures
    • Research
    • News
    • Responsible Scaling Policy
    • Security and compliance
    • Transparency

    Learn

    • Blog
    • Courses
    • Use cases
    • Connectors
    • Customer stories
    • Engineering at Anthropic
    • Events
    • Powered by Claude
    • Service partners
    • Startups program

    Help and security

    • Availability
    • Status
    • Support
    • Discord

    Terms and policies

    • Privacy policy
    • Responsible disclosure policy
    • Terms of service: Commercial
    • Terms of service: Consumer
    • Usage policy
    Admin/Authentication

    Authentication

    Authenticate to the Claude API with API keys or Workload Identity Federation.

    The Claude API supports two ways to authenticate requests:

    MethodCredentialBest for
    API keyLong-lived sk-ant-api... secret in the x-api-key headerLocal development, prototyping, scripts, and single-tenant servers where you control secret storage
    Workload Identity FederationShort-lived bearer token exchanged from your identity provider's identity tokenProduction workloads on cloud platforms (AWS, Google Cloud, Azure), CI/CD pipelines, and Kubernetes, where you want to eliminate static secrets

    Both methods grant the same access to Claude API endpoints. Choose API keys to get started quickly, and move to Workload Identity Federation when your workload already has a platform-issued identity you can federate.

    API keys

    API keys are static secrets that you generate in the Claude Console and pass on every request.

    • Create a key: Go to Settings → API keys in the Claude Console. Use workspaces to scope keys by project or environment.
    • Send the key: Set the x-api-key header on direct HTTP requests, or set the ANTHROPIC_API_KEY environment variable and the client SDKs pick it up automatically.
    POST /v1/messages
x-api-key: YOUR_API_KEY
anthropic-version: 2023-06-01
content-type: application/json

    API keys have no expiry. Store them in a secrets manager, rotate them periodically, and revoke any key you suspect has leaked.

    client = Anthropic(api_key="my-anthropic-api-key")
# or, with ANTHROPIC_API_KEY set in the environment:
client = Anthropic()

    Workload Identity Federation

    Workload Identity Federation (WIF) lets a workload authenticate with a short-lived identity token issued by an identity provider (IdP) you already trust, such as AWS IAM, Google Cloud, or any standards-compliant OIDC issuer (such as GitHub Actions, Kubernetes service accounts, Microsoft Entra ID, or Okta). The workload exchanges its IdP-issued JWT at POST /v1/oauth/token for a short-lived Claude API access token, and the SDK refreshes that token automatically before it expires. There is no sk-ant-api... string to mint, distribute, or rotate.

    Federation removes long-lived Claude API keys from your environment, which shrinks the blast radius of a leaked credential and lets you manage access with the same IdP controls you already use for cloud resources. It does not, on its own, guarantee end-to-end security: the trust chain is only as strong as your identity provider's configuration, and a long-lived secret one hop upstream (for example, a static cloud credential that can mint IdP tokens) can still undermine it. Pair federation with your provider's controls, such as IP allowlists, MFA, and audit logging.

    To configure federation, you create three resources in the Claude Console (a service account, a federation issuer, and a federation rule) and then point your SDK at the rule. See Workload Identity Federation for the full setup walkthrough.

    Next steps

    Set up Workload Identity Federation

    Configure issuers, rules, and service accounts, then exchange tokens

    Identity provider guides

    Step-by-step guides for AWS, Google Cloud, Azure, GitHub Actions, Kubernetes, and Okta

    WIF reference

    Environment variables, validation rules, profile configuration, and error reference

    Client SDKs

    Python, TypeScript, Go, Java, C#, Ruby, PHP, and the CLI

    Was this page helpful?

    • API keys
    • Workload Identity Federation
    • Next steps