Multi-Platform Portability & Model Upgrades

Authentication Across Platforms: x-api-key, SigV4, ADC, and Entra ID

The request body barely changes between Claude platforms. The credential that gets it through the front door changes completely — because each platform reuses its own cloud's identity system.

Claude 3P 101 · Updated July 2026 · Unofficial guide

Authentication is where "same API, different platform" stops being literally true. Anthropic's first-party API wants an API key in a header. Amazon's platforms want cryptographically signed requests. Google wants a short-lived OAuth token from its credential chain. Azure wants either a resource key or a Microsoft Entra ID token. The good news: the platform-specific SDK clients absorb almost all of it, so the differences live in configuration rather than code.

What each platform expects

PlatformPrimary mechanismWhat travels on the wire
Claude API (1P)API key, or Workload Identity Federationx-api-key header (sk-ant-api...) or short-lived bearer token
Claude Platform on AWSAWS IAM + SigV4 (primary); AWS-issued API keysSigV4 signature, service name aws-external-anthropic
Amazon Bedrock (current surface)IAM service role / assumed role; bearer tokens (least preferred)SigV4 signature for bedrock-mantle, or a token in x-api-key
Google Vertex AIApplication Default Credentials (ADC)Authorization: Bearer Google access token
Microsoft FoundryAzure API key or Microsoft Entra IDapi-key / x-api-key header, or Authorization: Bearer Entra token

The four mechanisms in plain English

API key (1P). A long-lived secret created in the Claude Console and sent in the x-api-key header. Keys have no expiry, so Anthropic's guidance is to keep them in a secrets manager, rotate periodically, and revoke on suspected leak. For production cloud workloads, Anthropic recommends Workload Identity Federation instead: your workload exchanges an identity token from its own IdP for a short-lived Claude API token, and the SDK refreshes it automatically.

SigV4 (both AWS routes). SigV4 is AWS's request-signing scheme: rather than sending a secret, the client computes a signature over each request using AWS credentials, and the service verifies it. There is no Anthropic key at all — access is granted by IAM policy. Claude Platform on AWS signs with service name aws-external-anthropic; the current Bedrock surface signs for bedrock-mantle, where the relevant IAM action is bedrock-mantle:CreateInference. Both platforms also offer time-limited bearer tokens (capped at 12 hours) for components that can only speak "API key," but if a process can mint the token locally it already has SigV4 credentials, so plain SigV4 is usually simpler.

Application Default Credentials (Vertex). ADC is Google Cloud's standard credential-resolution chain: locally it is typically set up with gcloud auth application-default login; in production it resolves to the attached service account. The SDK turns whatever ADC finds into a bearer token on each request. Making calls requires the aiplatform.endpoints.predict permission, included in the Vertex AI User role.

Azure API key or Entra ID (Foundry). Every Foundry resource has Azure-issued keys, shown on the deployment's Details tab, passed in the api-key or x-api-key header. The enterprise-grade alternative is Microsoft Entra ID: a bearer token acquired through Azure's identity libraries, which brings Azure RBAC and centralized identity management. A 403 under Entra ID usually means a missing role assignment such as Cognitive Services User. Some gated models (Claude Mythos 5 and Mythos Preview) accept Entra ID only — no API keys.

What the SDK clients do for you

Each provider client hides its platform's mechanics behind the same client.messages.create(...) interface:

from anthropic import (AnthropicAWS, AnthropicBedrockMantle,
                       AnthropicVertex, AnthropicFoundry)

aws     = AnthropicAWS()                                  # SigV4 + workspace header
bedrock = AnthropicBedrockMantle(aws_region="us-east-1")  # SigV4, AWS cred chain
vertex  = AnthropicVertex(project_id="my-proj", region="global")  # ADC
foundry = AnthropicFoundry(api_key="...", resource="example-resource")

AnthropicAWS and AnthropicBedrockMantle both walk the standard AWS credential provider chain — environment variables, shared config files (including SSO), web identity, container credentials, instance metadata — and handle signing plus session-token headers automatically. AnthropicAWS additionally injects the required anthropic-workspace-id header and refuses to construct without a region and workspace ID. AnthropicVertex goes through the standard Google auth flow. AnthropicFoundry also accepts an Entra ID token provider instead of a key.

Watch out: credentials do not travel between doors. A first-party sk-ant-api... key does not work on Claude Platform on AWS — its API keys are generated in the AWS Console, and bearer-token callers there need the aws-external-anthropic:CallWithBearerToken IAM action.

Where to go next

Authentication is one of the two request-level deltas between platforms; the other is covered in the request-shape matrix. To wire all four credentials into one deployable config, see the environment-variable matrix.

Sources