SDKs & Developer Experience

Authenticating the ant CLI

Browser login, API keys, profiles, and the one environment variable that silently overrides all of them.

Claude 3P 101 · Updated July 2026 · Unofficial guide

The ant CLI supports the same credential sources as the SDKs, plus one option the SDKs alone can't give you: an interactive browser login that means you never handle an API key at all. Which path you pick depends on whether you are a developer at a laptop or a pipeline in CI.

The easy path: browser login

For local development, run:

ant auth login

This opens a browser-based OAuth flow against the Claude Console and stores credentials locally — no key to create, copy, or accidentally commit. On a headless host, ant auth login --no-browser prints the authorize URL and accepts the code back in the terminal. Two properties of this login are worth knowing: the token is bound to a single organization and workspace (the API will only show resources belonging to that workspace), and OAuth scopes are requested at login time via --scope and persist on the profile — privileged scopes like org:admin are not in the default set and must be requested explicitly.

Interactive login is a development-machine convenience. For CI, servers, and containers, use Workload Identity Federation (WIF) instead — it exchanges your platform's identity token (AWS IAM, Google Cloud, GitHub Actions, Kubernetes service accounts, Entra ID, Okta, or any standards-compliant OIDC issuer) for a short-lived Claude token with nothing long-lived to store. See the WIF article.

Or: an API key in the environment

If you already have a key from the Claude Console (Settings → API keys), export it as ANTHROPIC_API_KEY and the CLI — like the SDKs — picks it up automatically. Keys are long-lived sk-ant-api... secrets with no expiry, so store them in a secrets manager, rotate periodically, and revoke on suspected leak.

How the CLI decides which credential wins

Credential resolution follows the same order as the SDKs, first match wins:

PrioritySource
1Explicit flags
2ANTHROPIC_API_KEY
3ANTHROPIC_AUTH_TOKEN
4ANTHROPIC_PROFILE-selected or active profile
5WIF environment variables
6Default profile on disk
The classic trap: a set ANTHROPIC_API_KEY — even an empty one — silently overrides every profile. If ant auth login succeeded but calls still fail or hit the wrong workspace, unset the variable (or run env -u ANTHROPIC_API_KEY ant ...) before suspecting anything else. ant auth status tells you which credential source and profile actually won.

Profiles for multi-workspace work

Consultants and platform teams often juggle several organizations or workspaces. Named profiles keep them separate: ant auth login --profile staging (optionally with --workspace-id wrkspc_01...), then switch with ant profile activate staging, per-command ant --profile staging ..., or ANTHROPIC_PROFILE=staging. ant profile list shows what exists, and ant profile set <key> <value> --profile <name> adjusts settings. Profiles live under $ANTHROPIC_CONFIG_DIR (default ~/.config/anthropic/ on Linux/macOS, %APPDATA%\Anthropic on Windows) — settings in configs/<profile>.json, tokens in credentials/<profile>.json. ant auth logout clears the active profile; add --all to clear every profile.

To hand a credential to another process, ant auth print-credentials --access-token prints a bare token for an Authorization: Bearer header, and --env emits it as ANTHROPIC_AUTH_TOKEN=... for sourcing into scripts.

What about cloud provider credentials?

The ant CLI authenticates against the Claude API from Anthropic. Cloud credentials enter the picture in two ways: as a WIF identity source (AWS IAM and Google Cloud identities can be exchanged for Claude API tokens, as above), and indirectly on Claude Platform on AWS, where authentication is AWS SigV4 or platform-issued API keys and OAuth is not supported — so browser login does not apply there. For Bedrock, Vertex AI, and Foundry, use each cloud's own CLI and credential tooling, and check the official documentation for current guidance.

Where to go next

With auth working, move on to scripting with the ant CLI. For the broader credential picture, see API key authentication patterns and the full list of SDK environment variables.

Sources