Networking, Identity & Private Connectivity

Admin API Keys vs. OAuth org:admin Tokens: When to Use Each

The Claude Admin API accepts two different credentials, and they are not interchangeable: some endpoints take either, and some refuse the key outright. Knowing which is which saves an afternoon of confusing 401s.

Claude 3P 101 · Updated July 2026 · Unofficial guide

The Admin API is the programmatic face of Claude organization management — members, invites, workspaces, workspace members, and API keys. Unlike the Messages API, which authenticates with a regular workspace API key, the Admin API accepts two distinct credential types, each with its own issuance path, holder, and coverage. Treating them as synonyms is the root of most Admin API authentication surprises.

The two credentials side by side

Admin API keyOAuth bearer token
Looks likesk-ant-admin...Bearer token with org:admin scope
Sent asx-api-key headerAuthorization: Bearer header
NatureLong-lived provisioned secretScoped token tied to a member's session
Who can obtain itProvisioned by admins onlyAdmin, owner, and primary-owner members
Typical useUnattended automation (offboarding sync, workspace provisioning)Interactive tooling and the endpoints that require it

For context, a Claude organization has five roles: user, claude_code_user, developer, billing, and admin — with owners and primary owners holding all admin permissions plus the ability to manage admins themselves. Only the admin tier (and above) touches either Admin API credential; developers and billing members have no path to organization-level automation, by design.

Where the key stops working

Most classic Admin API operations — listing members, managing invites (which expire after 21 days), creating and archiving workspaces, managing workspace membership, renaming API keys — accept either credential. But the newer identity-federation surface draws a harder line: the endpoints for service accounts, federation issuers, and federation rules require an org:admin OAuth token; Admin API keys are not accepted there at all.

The pattern to internalize: the static key covers the traditional org-management surface, while the credential-issuing machinery of Workload Identity Federation demands the stronger, member-bound token. If you are scripting WIF setup, budget for an OAuth flow — a vaulted sk-ant-admin key won't get you through.

The deliberate gap: no key creation

By design: new API keys cannot be created through the Admin API — key creation happens in the Claude Console only, "for security reasons" per the documentation. Existing keys can be renamed or set to inactive programmatically, but never minted.

This asymmetry is worth appreciating rather than working around. Revocation is the action you want automatable at machine speed: an offboarding pipeline or incident responder should be able to flip every relevant key to inactive in seconds. Creation is the action you want slow and human: a stolen Admin API key that could mint fresh workspace keys would be a credential-forging machine. Because it can't, the blast radius of a leaked admin key is bounded — it can disrupt (deactivate keys, rearrange workspaces) but it cannot quietly grant itself new inference credentials. If your automation "needs" programmatic key creation, the documented alternative is Workload Identity Federation, where short-lived tokens are minted against pre-registered trust rules instead of stored keys being created on demand.

One more scoping note: platforms

All of this describes the first-party Claude API. On Claude Platform on AWS, most Admin API endpoints are unavailable — only the workspace endpoints work, and access to them is governed by AWS IAM rather than organization membership. Bedrock, Vertex AI, and Foundry have no Claude Admin API at all; org-style administration there is done with each cloud's native IAM and governance tooling.

Where to go next

For what these credentials administer, read the workspace isolation deep dive; for eliminating long-lived secrets from workloads entirely, continue to Anthropic's Workload Identity Federation. The broader governance picture is in the audit logging overview.

Sources