OAuth is the web-standard protocol for delegated login: instead of pasting a static secret into a config file, you sign in through a browser and the tool stores a token issued to you. For the Claude ecosystem, the front door for this flow is the ant CLI. Run ant auth login and it opens a browser-based OAuth flow against the Claude Console, then stores credentials locally — you can call the API without ever creating or managing an API key.
How the login flow works
On a development machine, ant auth login pops the browser, you authenticate to the Claude Console, and the resulting credentials land on disk under $ANTHROPIC_CONFIG_DIR (default ~/.config/anthropic/ on Linux and macOS, %APPDATA%\Anthropic on Windows). Settings go in configs/<profile>.json; tokens go in credentials/<profile>.json. On a headless host — a remote dev box with no browser — ant auth login --no-browser prints the authorize URL so you can complete the flow elsewhere and paste the code back into the terminal.
Two properties of the resulting token matter for planning. First, an interactive-login token is bound to a single organization and workspace; the API only shows resources belonging to that workspace. Engineers who work across several workspaces use named profiles: ant auth login --profile staging --workspace-id wrkspc_01..., then switch with ant profile activate staging, a per-command --profile flag, or the ANTHROPIC_PROFILE environment variable. Second, OAuth scopes — the permission slices the token carries — are requested at login with --scope and persist on the profile. Privileged scopes such as org:admin are not in the default set and must be requested explicitly, which is exactly the least-privilege behavior you want for everyday development.
ANTHROPIC_API_KEY — even an empty one — silently overrides every profile. If ant auth status shows the wrong credential source winning, unset the variable (or run env -u ANTHROPIC_API_KEY ant ...) before blaming your profile.Using the OAuth credential outside the CLI
Scripts and other tools can borrow the logged-in credential. ant auth print-credentials --access-token prints the bare token for use in an Authorization: Bearer header, and --env emits it as ANTHROPIC_AUTH_TOKEN=... in KEY=value form ready for an export. (With no flags it prints the full credentials JSON, which is not header-safe.) If you make raw HTTP requests with an OAuth token, use Authorization: Bearer rather than x-api-key, and include the anthropic-beta: oauth-2025-04-20 header. In the SDKs' credential resolution order, ANTHROPIC_AUTH_TOKEN sits just below ANTHROPIC_API_KEY and above profile-based credentials, so the handoff composes cleanly. When you're done, ant auth logout clears the active profile (--all clears every profile).
When OAuth is the right choice — and when it isn't
| Situation | Recommended auth |
|---|---|
| Engineer's laptop, interactive development | OAuth login (ant auth login) |
| CI pipelines, servers, containers, Kubernetes | Workload Identity Federation |
| Quick scripts, prototypes, single-tenant servers | API key |
| Claude Platform on AWS (any workload) | SigV4 or platform API key — OAuth not supported |
The reasoning: interactive login requires a human at a browser, so it belongs on development machines. For unattended workloads, Anthropic's guidance is Workload Identity Federation, where the SDK exchanges your platform's identity token for a short-lived Claude token and refreshes it automatically before expiry — the same "no static secret" benefit, minus the human. Static API keys remain the pragmatic choice for prototypes and simple scripts.
One platform caveat deserves emphasis: OAuth authentication is not supported on Claude Platform on AWS. There, the two options are AWS SigV4 signing (the primary method) or platform-issued API keys — see the SDK setup guide for that platform. Bedrock, Vertex AI, and Foundry likewise authenticate with their own cloud's mechanisms rather than Anthropic OAuth.
Where to go next
For the keyless production pattern, continue to Workload Identity Federation. For the CLI itself — commands, output formats, scripting — see the ant CLI introduction, and check the env var list for the full credential precedence order.