The ant CLI supports the same credential sources as the SDKs, plus one option the SDKs alone can't give you: an interactive browser login that means you never handle an API key at all. Which path you pick depends on whether you are a developer at a laptop or a pipeline in CI.
The easy path: browser login
For local development, run:
ant auth login
This opens a browser-based OAuth flow against the Claude Console and stores credentials locally — no key to create, copy, or accidentally commit. On a headless host, ant auth login --no-browser prints the authorize URL and accepts the code back in the terminal. Two properties of this login are worth knowing: the token is bound to a single organization and workspace (the API will only show resources belonging to that workspace), and OAuth scopes are requested at login time via --scope and persist on the profile — privileged scopes like org:admin are not in the default set and must be requested explicitly.
Interactive login is a development-machine convenience. For CI, servers, and containers, use Workload Identity Federation (WIF) instead — it exchanges your platform's identity token (AWS IAM, Google Cloud, GitHub Actions, Kubernetes service accounts, Entra ID, Okta, or any standards-compliant OIDC issuer) for a short-lived Claude token with nothing long-lived to store. See the WIF article.
Or: an API key in the environment
If you already have a key from the Claude Console (Settings → API keys), export it as ANTHROPIC_API_KEY and the CLI — like the SDKs — picks it up automatically. Keys are long-lived sk-ant-api... secrets with no expiry, so store them in a secrets manager, rotate periodically, and revoke on suspected leak.
How the CLI decides which credential wins
Credential resolution follows the same order as the SDKs, first match wins:
| Priority | Source |
|---|---|
| 1 | Explicit flags |
| 2 | ANTHROPIC_API_KEY |
| 3 | ANTHROPIC_AUTH_TOKEN |
| 4 | ANTHROPIC_PROFILE-selected or active profile |
| 5 | WIF environment variables |
| 6 | Default profile on disk |
ANTHROPIC_API_KEY — even an empty one — silently overrides every profile. If ant auth login succeeded but calls still fail or hit the wrong workspace, unset the variable (or run env -u ANTHROPIC_API_KEY ant ...) before suspecting anything else. ant auth status tells you which credential source and profile actually won.Profiles for multi-workspace work
Consultants and platform teams often juggle several organizations or workspaces. Named profiles keep them separate: ant auth login --profile staging (optionally with --workspace-id wrkspc_01...), then switch with ant profile activate staging, per-command ant --profile staging ..., or ANTHROPIC_PROFILE=staging. ant profile list shows what exists, and ant profile set <key> <value> --profile <name> adjusts settings. Profiles live under $ANTHROPIC_CONFIG_DIR (default ~/.config/anthropic/ on Linux/macOS, %APPDATA%\Anthropic on Windows) — settings in configs/<profile>.json, tokens in credentials/<profile>.json. ant auth logout clears the active profile; add --all to clear every profile.
To hand a credential to another process, ant auth print-credentials --access-token prints a bare token for an Authorization: Bearer header, and --env emits it as ANTHROPIC_AUTH_TOKEN=... for sourcing into scripts.
What about cloud provider credentials?
The ant CLI authenticates against the Claude API from Anthropic. Cloud credentials enter the picture in two ways: as a WIF identity source (AWS IAM and Google Cloud identities can be exchanged for Claude API tokens, as above), and indirectly on Claude Platform on AWS, where authentication is AWS SigV4 or platform-issued API keys and OAuth is not supported — so browser login does not apply there. For Bedrock, Vertex AI, and Foundry, use each cloud's own CLI and credential tooling, and check the official documentation for current guidance.
Where to go next
With auth working, move on to scripting with the ant CLI. For the broader credential picture, see API key authentication patterns and the full list of SDK environment variables.