SDKs & Developer Experience

Rotating API Keys Without Downtime

Claude API keys never expire on their own — rotation is your job. Done in the right order, it's invisible to users; done in the wrong order, it's an outage you scheduled yourself.

Claude 3P 101 · Updated July 2026 · Unofficial guide

Anthropic's authentication documentation states it plainly: first-party API keys have no expiry, so the operational advice is to store them in a secrets manager, rotate them periodically, and revoke them immediately on suspected leak. "Rotate periodically" is easy to say and easy to botch — the classic failure is revoking the old key before every consumer has picked up the new one. The fix is the same blue-green choreography used for any credential: create, validate, cut over, wait, revoke — in that order, never compressed.

The five-step rotation

1. Create the new key alongside the old. Keys are created in the Claude Console under Settings → API keys. Both keys are now valid simultaneously — that overlap is the whole trick. Because workspaces can scope keys by project or environment, a sane setup has one key per service per environment, so each rotation touches exactly one consumer and the key's usage is separately attributable.

2. Validate the new key before anything depends on it. Don't assume a freshly issued credential works in your specific context (right workspace, right environment, correctly copied into the secret store). Prove it with a minimal real call:

from anthropic import Anthropic

candidate = Anthropic(api_key=new_key)  # explicit arg overrides env
resp = candidate.messages.create(
    model="claude-haiku-4-5",
    max_tokens=16,
    messages=[{"role": "user", "content": "Reply with: ok"}],
)
assert resp.content[0].text  # authenticated and served

A Haiku 4.5 call this small costs a fraction of a cent; the API also exposes a token-counting endpoint if you want a validation probe that generates no output at all. Run the check from the environment that will actually use the key, not from your laptop — that's how you catch network policy and configuration differences.

3. Cut over consumers. Update the value in your secrets manager and let consumers pick it up: a rolling restart for services that read ANTHROPIC_API_KEY at startup, or an automatic re-fetch for services that pull from the manager on a TTL (see secrets handling patterns). Because the old key still works, a slow rollout is safe — pods running old and new keys can coexist for hours.

4. Wait out the grace period, watching the old key. Anthropic sets no deadline (the old key would work forever), so the grace period is a policy you choose — long enough to cover your slowest deploy cadence, scheduled jobs, and that one cron box everyone forgot. The end-of-grace signal is empirical: per-key attribution (one key per service per workspace) means continued traffic on the old key identifies exactly which consumer hasn't migrated.

5. Revoke the old key. Only now. Revocation is the step that actually delivers the security benefit; the previous four exist so this one is boring.

Leak response is different from rotation. If a key may have leaked, skip the choreography: revoke first, accept the outage, then re-issue. The grace period is an availability nicety for routine rotation, not a courtesy you extend to an attacker.

Platform wrinkles

Claude Platform on AWS: API keys for this platform are generated and managed in the AWS Console (Claude Platform on AWS → API keys), not the Claude Console, and first-party sk-ant-api... keys do not work against it. It also supports short-term API keys minted from AWS credentials via Anthropic-documented token-generator libraries — lifetime capped at 12 hours — but note the SDK does not auto-refresh them: on expiry you generate a new token and construct a new client, so your code needs its own refresh hook. Better still, SigV4 auth via IAM roles removes the key entirely.

Bedrock and Vertex AI: there is no Anthropic key to rotate — authentication rides on AWS credentials and Google Application Default Credentials, whose rotation is your existing cloud IAM story. Foundry: resource-scoped API keys rotate with the same blue-green pattern above.

Or retire rotation altogether

Workload Identity Federation replaces the long-lived key with short-lived tokens the SDK refreshes automatically — Anthropic recommends it for production workloads, CI/CD, and Kubernetes. Every service you move to WIF is a service deleted from your rotation calendar. See the WIF guide.

Where to go next

Pair this with CI/CD credential injection so pipelines survive rotations too, and API key authentication basics if you're setting up keys for the first time.

Sources