The first-party Claude API supports two authentication methods: long-lived API keys and Workload Identity Federation (short-lived tokens exchanged from your identity provider). This article covers the first. API keys are secrets that start with sk-ant-api..., are created in the Claude Console under Settings → API keys, and are sent on every request in the x-api-key header. They are the recommended choice for local development, prototyping, scripts, and single-tenant servers; for production workloads on cloud platforms, Anthropic recommends Workload Identity Federation instead.
One environment variable, every SDK
You rarely set the header yourself. Set the ANTHROPIC_API_KEY environment variable and the official client SDKs pick it up automatically — this is consistent across all seven official SDKs. In Python:
import os
from anthropic import Anthropic
# Explicit — or omit the argument entirely:
# Anthropic() with no args reads ANTHROPIC_API_KEY
client = Anthropic(api_key=os.environ.get("ANTHROPIC_API_KEY"))
message = client.messages.create(
model="claude-sonnet-5",
max_tokens=1024,
messages=[{"role": "user", "content": "Hello, Claude"}],
)
The same convention holds elsewhere: TypeScript's new Anthropic({...}), Java's AnthropicOkHttpClient.fromEnv() (which also accepts the anthropic.apiKey system property), Go's anthropic.NewClient(), Ruby's Anthropic::Client.new, C#'s new AnthropicClient(), and PHP's new Client() all read ANTHROPIC_API_KEY when no key is passed explicitly. A constructor argument, where provided, always beats the environment variable.
Pitfalls worth knowing in advance
An empty variable still counts. In the SDK credential precedence chain, a credential env var set to an empty string still occupies its slot: ANTHROPIC_API_KEY="" selects the API-key path with an empty key rather than falling through to a profile or federation. Unset unused variables; don't blank them. The ant CLI has the same trap — a set ANTHROPIC_API_KEY silently overrides every stored profile.
API keys shadow everything else. ANTHROPIC_API_KEY (or ANTHROPIC_AUTH_TOKEN) sits above profiles and federation env vars in the precedence order. If a machine has both a key exported in its shell profile and WIF configured, the key wins — which can quietly defeat a keyless-auth rollout.
Not every platform takes the same key. First-party sk-ant-api... keys work against the Claude API but do not work against Claude Platform on AWS, which generates its own API keys in the AWS Console and reads them from ANTHROPIC_AWS_API_KEY. Bedrock, Vertex AI, and Foundry each use their own cloud's credentials entirely. Match the key to the door.
Rotating keys cleanly
Because keys never expire on their own, rotation is your job. Workspaces make this manageable: you can scope keys by project or environment, so dev, staging, and production each hold distinct keys that can be rotated (or revoked) independently without touching the others. A low-drama rotation looks like this:
1) Create the new key in the Console for the same workspace. 2) Update the secret in your secrets manager — since applications read ANTHROPIC_API_KEY at startup or per-request from the secret store, no code changes are needed. 3) Verify traffic succeeds with the new key. 4) Revoke the old key. Running both keys briefly in parallel is what makes the cutover downtime-free; the API accepts any currently valid key for the workspace. For deeper patterns (blue-green rotation, validation gates), see Rotating API Keys Without Downtime.
If you skip the SDK
Direct HTTP requests need the key in the x-api-key header plus two more headers: anthropic-version: 2023-06-01 and content-type: application/json. The SDKs set all three for you — one more reason raw curl is best reserved for debugging.
Where to go next
If static keys make your security team nervous, read the Workload Identity Federation guide for keyless auth, or the OAuth login article for interactive developer workflows. The full env var list documents the complete precedence order.