How to Get and Manage Your Claude API Key

Claude Opus 4.8 costs $25 per million output tokens, and a leaked API key with no spending cap can burn through that at scale in minutes. Anthropic responds to this risk aggressively: any key detected in a public GitHub repository gets automatically deactivated through a partnership with GitHub's secret scanning program. This guide covers not just where to click in the Console, but how to secure, scope, rotate, and programmatically manage your Claude API keys.

A Claude API key is a credential that authenticates requests to the Anthropic API. Every call to a Claude model requires a valid key, whether the request comes from a chat application, an autonomous agent, or a batch processing pipeline. Keys follow the format sk-ant-api03- followed by an alphanumeric string, and each key is tied to a specific workspace within your organization.

The Anthropic Console at console.anthropic.com is where you create and manage keys. This is separate from claude.ai, which is the consumer chat product. You need a Console account with active billing to generate API keys and make authenticated requests. The Console is also accessible at platform.claude.com.

Getting a working API key takes about five minutes. Here is the process from account creation to your first authenticated request.

1. Create an account on the Anthropic Console

Go to console.anthropic.com and sign up. You can register with an email address, Google SSO, or GitHub SSO.

2. Set up billing

Open Settings, then Billing, and add a payment method. This step is required before your key will work. A newly created key returns authentication errors on API calls until billing is configured. Anthropic offers a small credit for new accounts to test the API, but a payment method on file is still necessary for ongoing use.

3. Navigate to API Keys

Click "API Keys" in the left sidebar of the Console. You can also navigate directly to platform.claude.com/settings/keys.

4. Create a new key

Click "Create Key." Enter a descriptive name like my-app-dev or production-agent-v1. If your organization has multiple workspaces, select the workspace this key should be scoped to.

5. Copy the key immediately

Anthropic displays the full key exactly once. After you close the creation dialog, only a partial hint like sk-ant-api03-R2D...igAA remains visible. If you lose the key before saving it, you need to generate a new one.

6. Test your key

Run a quick API call to confirm everything works:

curl https://api.anthropic.com/v1/messages \
  -H "content-type: application/json" \
  -H "x-api-key: YOUR_API_KEY" \
  -H "anthropic-version: 2023-06-01" \
  -d '{
    "model": "claude-sonnet-4-6-20250514",
    "max_tokens": 256,
    "messages": [{"role": "user", "content": "Hello"}]
  }'

A successful response returns a JSON object with Claude's reply. A 401 error means either billing is not active or the key was copied incorrectly.

Never hardcode your API key in source code. Use environment variables or a secret manager so the key stays out of version control and application logs.

Environment variables for local development

Set the variable in your shell profile or a .env file:

export ANTHROPIC_API_KEY="sk-ant-api03-your-key-here"

The official Anthropic SDKs for Python, TypeScript, Java, and Go all read ANTHROPIC_API_KEY automatically. No extra configuration is needed:

import anthropic
client = anthropic.Anthropic()  # reads ANTHROPIC_API_KEY from the environment

If you use a .env file with a library like dotenv, add .env to your .gitignore immediately. This is the single most common way keys end up in public repositories.

Secret managers for production

For deployed applications, use your cloud provider's secret management service:

• AWS Secrets Manager or Systems Manager Parameter Store
• Google Cloud Secret Manager
• Azure Key Vault
• HashiCorp Vault for multi-cloud setups

These services encrypt keys at rest, provide audit trails for access, and support automatic rotation policies.

Separate keys per environment

Create distinct API keys for development, staging, and production. Per-environment keys make it straightforward to track spending, identify anomalies, and revoke access without disrupting other environments. If your development key leaks, production traffic continues unaffected.

For AI agents that need persistent file storage alongside their Claude API access, platforms like Fast.io provide workspace environments where agents can read and write files through the MCP server. You configure ANTHROPIC_API_KEY for Claude and a separate Fast.io API key for storage, keeping each credential scoped to its own service.

Put your Claude API key to work in a shared agent workspace

Fast.io gives AI agents 50GB of free storage, built-in RAG, and MCP access at mcp.fast.io. No credit card required.

Sign Up Free

Anthropic workspaces let organizations segment API access by team, project, or environment. Each workspace gets its own set of API keys, rate limits, and usage tracking.

When you create an API key, you assign it to a specific workspace. That key can only access resources billed against that workspace. A key scoped to your "Research" workspace cannot generate charges on your "Production" workspace. This boundary is enforced at the API level, not just in the Console UI.

When to use workspace scoping

• Separate billing: track costs by team or project without parsing usage logs
• Rate limit isolation: one team hitting their rate ceiling does not throttle another
• Access control: developers only see and manage keys for their assigned workspaces
• Compliance boundaries: restrict certain models or features to specific workspaces

Organization roles and key creation

Not everyone can create API keys. Anthropic defines five organization-level roles: user, claude_code_user, developer, billing, and admin. Only members with the developer role or higher can create and manage API keys. Admins can manage workspace membership and organizational settings on top of that.

If a team member needs a key but lacks the developer role, you can either grant them the role in their workspace or create the key yourself and share it through a secure channel like a password manager. Never send API keys over email, Slack, or any unencrypted medium.

The Admin API gives organizations programmatic control over API keys, members, and workspaces. For teams managing dozens of keys across multiple workspaces, this is more practical than clicking through the Console one key at a time.

Authentication

The Admin API accepts two credential types:

• An Admin API key (prefix sk-ant-admin) sent in the x-api-key header
• An OAuth bearer token with org:admin scope sent in the authorization: Bearer header

Only organization admins can provision Admin API keys. Individual accounts do not have access to the Admin API.

Listing and filtering keys

Retrieve all active keys, optionally filtered by workspace:

curl "https://api.anthropic.com/v1/organizations/api_keys?limit=20&status=active" \
  -H "anthropic-version: 2023-06-01" \
  -H "x-api-key: $ANTHROPIC_ADMIN_KEY"

Each key object includes its id, name, status, workspace_id, expires_at, created_by, and a partial_key_hint for identification.

Key statuses

Every API key has one of four statuses:

• active: the key is working and accepting requests
• inactive: manually disabled but can be reactivated
• archived: permanently retired, cannot be reactivated
• expired: past its expires_at timestamp

Updating a key

Change a key's name or status through the update endpoint:

curl -X POST \
  "https://api.anthropic.com/v1/organizations/api_keys/apikey_01Rj2N8SVvo6BePZj99NhmiT" \
  -H "anthropic-version: 2023-06-01" \
  -H "content-type: application/json" \
  -H "x-api-key: $ANTHROPIC_ADMIN_KEY" \
  -d '{"status": "inactive", "name": "deprecated-prod-key"}'

Key creation is Console-only

You cannot create new API keys through the Admin API. Key creation is restricted to the Console UI as a security measure. The Admin API handles listing, retrieving, updating, and archiving existing keys.

Rotation workflow

A solid rotation practice follows this sequence: create a new key in the Console, update your deployment to use it, verify the new key works in production, then set the old key to inactive via the Admin API. Wait a grace period (one week is typical) before archiving the old key, in case a forgotten service still references it.

Anthropic recommends rotating keys every 90 days as a baseline. Rotate immediately after any staff departure, suspected exposure, or migration between environments.

Responding to a leaked key

If you suspect a key is compromised, deactivate it immediately through the Console or Admin API. For keys pushed to public GitHub repositories, Anthropic's secret scanning partnership handles this automatically: the key is deactivated and your organization is notified. For keys exposed through other channels, you need to act manually. Generate a replacement, update all services, and archive the compromised key.