Authentication options

CLI, SDKs, and librariesant CLI

CLI authentication options

Authenticate the ant CLI with interactive login, API keys, named profiles, and Workload Identity Federation.

The ant CLI supports several credential sources. The Quickstart covers the one-command happy path (ant auth login). This page covers every option in full.

Interactive login

ant auth login lets you call the API without creating or managing an API key. It opens a browser-based OAuth flow against the Claude Console and stores the resulting credentials under $ANTHROPIC_CONFIG_DIR (see Configuration directory for the OS-specific default). On a remote host or in any environment without a local browser, pass --no-browser to print the authorize URL and paste the returned code back into the terminal.

CLI

ant auth login

# On a remote host without a browser:
ant auth login --no-browser

# Bind to a specific workspace and skip the browser picker:
ant auth login --workspace-id wrkspc_01...

# If the named profile you pass with --profile doesn't exist,
# a new named profile will be created with that name.
ant auth login --profile <profile-name>

During the browser flow, you select an organization and then a workspace. The issued token is scoped to that workspace, so the CLI can only see resources that belong to it. Pass --workspace-id to bind directly and skip the picker. To work in more than one workspace, see Switch between workspaces.

Interactive login is intended for local development and scripting on your own machine. For non-interactive workloads such as CI, servers, and containers, use Workload Identity Federation instead.

Login writes credentials to credentials/<profile>.json. The first login for a profile also creates configs/<profile>.json and sets it as the active profile. To remove stored credentials, run ant auth logout, or ant auth logout --all to clear every profile.

API key

The CLI also reads your API key from the ANTHROPIC_API_KEY environment variable. Get a key from the Claude Console.

To override the key for a single invocation, pass --api-key. To point at a different API host, set ANTHROPIC_BASE_URL or pass --base-url.

Check authentication status

ant auth status prints the credential source the CLI selected (API key environment variable, OAuth login, federation, or profile), the active profile, the workspace the active token is bound to, and the configuration directory paths. Use it to diagnose why a workload picked the wrong credential or workspace.

CLI

ant auth status

Active profile:  default
Config dir:      ~/.config/anthropic
Profile config:  ~/.config/anthropic/configs/default.json
Credentials:     ~/.config/anthropic/credentials/default.json

Credentials
  (active) * Profile (user_oauth) [via active_config]       sk-ant-oat01-EXA...
...

Workspace
  (active) * Workspace                                      wrkspc_01... (Engineering)

Read the (active) rows to see which credential source and workspace won. The command reports status rather than performing a health check, so don't script against the exit status. For the full ordering of credential sources, see Credential precedence.

Switch between workspaces

An interactive-login token is bound to a single workspace. To use the CLI against more than one workspace, log in to each under its own named profile, then switch between them:

CLI

# 1. Create the profile (interactive; pick the other workspace in the
#    browser, or pass --workspace-id to skip the picker):
# ant auth login --profile other-ws

# 2. Make it the default for subsequent commands:
ant profile activate other-ws

# 3. Or select it for a single command without changing the default:
ant --profile other-ws models list
ANTHROPIC_PROFILE=other-ws ant models list

Run ant auth status to confirm which profile and workspace are active.

Profiles are only consulted when no API key is set. If ANTHROPIC_API_KEY is present in your environment, it overrides every profile and these commands all use whatever workspace that key is scoped to. Unset it before switching profiles.

Manage profiles

The ant profile subcommands inspect and edit profile state directly:

CLI

ant profile list
ant profile get --profile other-ws
ant profile set workspace_id wrkspc_01... --profile other-ws

The writable keys for ant profile set are workspace_id, base_url, organization_id, scope, client_id, and console_url. Setting workspace_id records the target workspace in the profile config but does not rebind credentials that were already issued; run ant auth login again under that profile to mint a token for the new workspace.

For the profile file schema and the federation block, see Profile configuration file. For Workload Identity Federation, see the Authentication overview and the WIF reference.

Was this page helpful?

CLI, SDKs, and librariesant CLI

CLI authentication options

Authenticate the ant CLI with interactive login, API keys, named profiles, and Workload Identity Federation.

The ant CLI supports several credential sources. The Quickstart covers the one-command happy path (ant auth login). This page covers every option in full.

Interactive login

CLI

ant auth login

# On a remote host without a browser:
ant auth login --no-browser

# Bind to a specific workspace and skip the browser picker:
ant auth login --workspace-id wrkspc_01...

# If the named profile you pass with --profile doesn't exist,
# a new named profile will be created with that name.
ant auth login --profile <profile-name>

Interactive login is intended for local development and scripting on your own machine. For non-interactive workloads such as CI, servers, and containers, use Workload Identity Federation instead.

API key

The CLI also reads your API key from the ANTHROPIC_API_KEY environment variable. Get a key from the Claude Console.

To override the key for a single invocation, pass --api-key. To point at a different API host, set ANTHROPIC_BASE_URL or pass --base-url.

Check authentication status

CLI

ant auth status

Active profile:  default
Config dir:      ~/.config/anthropic
Profile config:  ~/.config/anthropic/configs/default.json
Credentials:     ~/.config/anthropic/credentials/default.json

Credentials
  (active) * Profile (user_oauth) [via active_config]       sk-ant-oat01-EXA...
...

Workspace
  (active) * Workspace                                      wrkspc_01... (Engineering)

Switch between workspaces

An interactive-login token is bound to a single workspace. To use the CLI against more than one workspace, log in to each under its own named profile, then switch between them:

CLI

# 1. Create the profile (interactive; pick the other workspace in the
#    browser, or pass --workspace-id to skip the picker):
# ant auth login --profile other-ws

# 2. Make it the default for subsequent commands:
ant profile activate other-ws

# 3. Or select it for a single command without changing the default:
ant --profile other-ws models list
ANTHROPIC_PROFILE=other-ws ant models list

Run ant auth status to confirm which profile and workspace are active.

Manage profiles

The ant profile subcommands inspect and edit profile state directly:

CLI

ant profile list
ant profile get --profile other-ws
ant profile set workspace_id wrkspc_01... --profile other-ws

For the profile file schema and the federation block, see Profile configuration file. For Workload Identity Federation, see the Authentication overview and the WIF reference.

Was this page helpful?