HeadsUpAI

Anthropic Launches Keyless Authentication to Secure Claude API Workloads


Anthropic launched Workload Identity Federation (WIF) for the Claude Platform, enabling applications to authenticate using short-lived OpenID Connect (OIDC) tokens instead of static API keys. This system introduces service accounts—non-human identities that act as principals—and allows the Claude API to trust identity providers like GitHub Actions.

Availability: All Claude Platform users
Supported providers: AWS, Google Cloud, Azure, and others
Token lifetime: 60 to 86400 seconds
Authentication protocol: OpenID Connect (OIDC)
Credential type: Short-lived access tokens

Static credentials are a primary security risk because they are often leaked in logs or code repositories. By shifting to federated identity, Anthropic replaces permanent keys with tokens that expire in minutes. The update follows the authentication patterns for securing autonomous workloads described in Anthropic's production playbook for cloud agents.

You can configure WIF in the Claude Console to map cloud identities to service accounts. The Anthropic SDKs now handle the exchange and refresh of these temporary tokens automatically. This feature is available now for all Claude Platform users, with native presets for major cloud providers to simplify setup.

ClaudeDevs (@ClaudeDevs) on X:

Managing API keys is one of the top security concerns we hear from customers. Today we’re introducing keyless auth for Claude Platform: authenticate via browser with the CLI, or let workloads use their existing cloud identity (AWS, GCP, Azure, or any OIDC token provider). https://t.co/uyuAB14lNJ


Still wondering? A few quick answers below.

Anthropic Workload Identity Federation is a security feature for the Claude Platform that lets automated applications authenticate using temporary identity tokens instead of permanent API keys. It uses the OpenID Connect standard to verify identities from providers like AWS or Google Cloud, ensuring that credentials expire quickly and reducing the risk of a security breach from leaked keys.

Your cloud provider issues a signed identity token to your application, which the Anthropic SDK then exchanges for a short-lived access token. Anthropic verifies the token against rules you configure in the Claude Console. This process removes the need to store static secrets in your code or environment variables, as tokens are minted on demand by the system.
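
The rule check described above, as an added example (not Anthropic's code or rule format): it shows how the subject pattern in a trust rule decides which workloads can act as a service account, using GitHub Actions style subjects. It assumes the identity token's signature was already verified against the issuer's keys; the rule fields, the audience URL, the `acme` organization and the `svc-ci-deploy` account are hypothetical.

```python
import fnmatch
import time

MIN_TTL, MAX_TTL = 60, 86400  # token lifetime bounds stated on this page (seconds)
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

def evaluate(claims, rule, requested_ttl, now=None, leeway=30):
    """Map signature-verified OIDC claims to a service account, or raise."""
    now = time.time() if now is None else now
    # Issuer and audience must match exactly, so a token minted for another
    # relying party cannot be replayed here.
    if claims.get("iss") != rule["issuer"]:
        raise PermissionError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if rule["audience"] not in aud:
        raise PermissionError("audience mismatch")
    # Reject expired or not-yet-valid identity tokens.
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise PermissionError("token expired")
    if claims.get("nbf", 0) > now + leeway:
        raise PermissionError("token not yet valid")
    # The subject pattern decides which workloads may act as the account.
    if not fnmatch.fnmatchcase(claims.get("sub", ""), rule["subject"]):
        raise PermissionError("subject not allowed")
    # Assumption: out-of-range lifetime requests are clamped, not rejected.
    return rule["service_account"], max(MIN_TTL, min(requested_ttl, MAX_TTL))

def accepted_subjects(rule, subjects, now=1_700_000_000):
    """Audit helper: which candidate subjects would this rule let in?"""
    ok = []
    for sub in subjects:
        claims = {"iss": rule["issuer"], "aud": rule["audience"],
                  "sub": sub, "exp": now + 300}
        try:
            evaluate(claims, rule, 600, now=now)
            ok.append(sub)
        except PermissionError:
            pass
    return ok

# Constructed sample data: hypothetical org, audience and service account.
BASE = {"issuer": GITHUB_ISSUER, "audience": "https://relying-party.example",
        "service_account": "svc-ci-deploy"}
TIGHT = {**BASE, "subject": "repo:acme/api:ref:refs/heads/main"}
LOOSE = {**BASE, "subject": "repo:acme*"}
SUBJECTS = ["repo:acme/api:ref:refs/heads/main",
            "repo:acme/api:pull_request",
            "repo:acme-fork/api:ref:refs/heads/main"]
```

The tight rule admits only the `main` branch of one repository, while the loose prefix also admits pull-request runs and a look-alike organization name, which is the misconfiguration to review for when mapping cloud identities to service accounts.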

Anthropic supports any identity provider that is compliant with the OpenID Connect standard. This includes major cloud platforms like Amazon Web Services, Google Cloud, and Microsoft Azure. It also works with developer tools and infrastructure such as GitHub Actions, Kubernetes service accounts, Microsoft Entra ID, and Okta for secure, programmatic access to Claude models across different environments.

Service accounts are non-human identities created within an Anthropic organization to represent automated workloads. Unlike standard user accounts, they do not have passwords or email addresses. Instead, they act as the identity that federated tokens represent, allowing you to assign specific permissions, rate limits, and usage tracking to automated agents or background processes within your workspaces.

To migrate, you first register your identity provider and create a service account in the Claude Console. You then update your application to use the latest Anthropic SDK without a static API key. Once you verify that the workload is successfully authenticating via the new federated identity, you can safely revoke and delete the old static API keys.
