SDKs & Developer Experience

OAuth and Browser-Based Login for Claude SDKs

Developers shouldn't have to copy long-lived secrets onto their laptops just to make a test call. Browser-based OAuth login gives each engineer a personal, revocable credential — no API key required.

Claude 3P 101 · Updated July 2026 · Unofficial guide

OAuth is the web-standard protocol for delegated login: instead of pasting a static secret into a config file, you sign in through a browser and the tool stores a token issued to you. For the Claude ecosystem, the front door for this flow is the ant CLI. Run ant auth login and it opens a browser-based OAuth flow against the Claude Console, then stores credentials locally — you can call the API without ever creating or managing an API key.

How the login flow works

On a development machine, ant auth login pops the browser, you authenticate to the Claude Console, and the resulting credentials land on disk under $ANTHROPIC_CONFIG_DIR (default ~/.config/anthropic/ on Linux and macOS, %APPDATA%\Anthropic on Windows). Settings go in configs/<profile>.json; tokens go in credentials/<profile>.json. On a headless host — a remote dev box with no browser — ant auth login --no-browser prints the authorize URL so you can complete the flow elsewhere and paste the code back into the terminal.

Two properties of the resulting token matter for planning. First, an interactive-login token is bound to a single organization and workspace; the API only shows resources belonging to that workspace. Engineers who work across several workspaces use named profiles: ant auth login --profile staging --workspace-id wrkspc_01..., then switch with ant profile activate staging, a per-command --profile flag, or the ANTHROPIC_PROFILE environment variable. Second, OAuth scopes — the permission slices the token carries — are requested at login with --scope and persist on the profile. Privileged scopes such as org:admin are not in the default set and must be requested explicitly, which is exactly the least-privilege behavior you want for everyday development.

The classic gotcha: a set ANTHROPIC_API_KEY — even an empty one — silently overrides every profile. If ant auth status shows the wrong credential source winning, unset the variable (or run env -u ANTHROPIC_API_KEY ant ...) before blaming your profile.

Using the OAuth credential outside the CLI

Scripts and other tools can borrow the logged-in credential. ant auth print-credentials --access-token prints the bare token for use in an Authorization: Bearer header, and --env emits it as ANTHROPIC_AUTH_TOKEN=... in KEY=value form ready for an export. (With no flags it prints the full credentials JSON, which is not header-safe.) If you make raw HTTP requests with an OAuth token, use Authorization: Bearer rather than x-api-key, and include the anthropic-beta: oauth-2025-04-20 header. In the SDKs' credential resolution order, ANTHROPIC_AUTH_TOKEN sits just below ANTHROPIC_API_KEY and above profile-based credentials, so the handoff composes cleanly. When you're done, ant auth logout clears the active profile (--all clears every profile).

When OAuth is the right choice — and when it isn't

SituationRecommended auth
Engineer's laptop, interactive developmentOAuth login (ant auth login)
CI pipelines, servers, containers, KubernetesWorkload Identity Federation
Quick scripts, prototypes, single-tenant serversAPI key
Claude Platform on AWS (any workload)SigV4 or platform API key — OAuth not supported

The reasoning: interactive login requires a human at a browser, so it belongs on development machines. For unattended workloads, Anthropic's guidance is Workload Identity Federation, where the SDK exchanges your platform's identity token for a short-lived Claude token and refreshes it automatically before expiry — the same "no static secret" benefit, minus the human. Static API keys remain the pragmatic choice for prototypes and simple scripts.

One platform caveat deserves emphasis: OAuth authentication is not supported on Claude Platform on AWS. There, the two options are AWS SigV4 signing (the primary method) or platform-issued API keys — see the SDK setup guide for that platform. Bedrock, Vertex AI, and Foundry likewise authenticate with their own cloud's mechanisms rather than Anthropic OAuth.

Where to go next

For the keyless production pattern, continue to Workload Identity Federation. For the CLI itself — commands, output formats, scripting — see the ant CLI introduction, and check the env var list for the full credential precedence order.

Sources