Overview
Workload Identity Federation (WIF) is now generally available on the Claude Platform, removing the need for static API keys. A workload presents its own OIDC-compliant credentials, the Claude Platform verifies them, and issues short-lived, scoped credentials at request time — so you never have to handle static Anthropic credentials.
Key features
- No more static API keys — replaced by short-lived credentials
  Static API keys have to be created, rotated, and managed, and can be leaked. WIF removes the need to handle static Anthropic credentials entirely, authenticating with short-lived, scoped credentials issued at request time.
- OIDC-based federation — bind external identities to service accounts
  Federation rules bind external identities to service accounts. When a workload requests access, the Claude Platform verifies the signed OIDC token, matches its claims against the federation rules, and issues a short-lived access token bounded by the service account’s roles. All exchanges and requests are recorded in audit logs.
- Broad identity provider compatibility
  WIF works with any OIDC-compliant identity provider, including AWS IAM roles, GCP service accounts, Kubernetes service accounts, Azure managed identities, GitHub Actions tokens, and Okta.
- Service accounts — a dedicated identity and audit trail for each workload instead of a shared key
  Rather than many workloads sharing one API key, each workload gets a service account with its own identity, roles, and audit trail.
- Covers all Claude API endpoints
  WIF covers all Claude API endpoints, including when accessing them through the first-party SDKs and Claude Code.
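The match-and-issue step described under OIDC-based federation, as an added example that is not Claude Platform code. The rule fields, role names, audience value and 600-second lifetime are assumptions, and the OIDC token's signature is assumed to have been verified before `exchange` is called.

```python
import time

# Hypothetical federation rule; the field names and values are constructed for
# this example and are not the Claude Platform's rule schema.
RULES = [{
    "issuer": "https://token.actions.githubusercontent.com",
    "audience": "https://wif.example.invalid",
    "subject": "repo:example-org/deploy:ref:refs/heads/main",
    "service_account": "sa-deploy",
    "roles": ["messages:write"],
}]
MAX_TTL = 600  # seconds; assumed lifetime of the issued access token

# Constructed claims, as they would look after signature verification succeeded.
SAMPLE_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "https://wif.example.invalid",
    "sub": "repo:example-org/deploy:ref:refs/heads/main",
    "exp": 2000,
}


def exchange(claims, requested_roles, now=None):
    """Match verified OIDC claims against RULES; return (token, audit_record).

    token is None when the exchange is denied. Every outcome yields an audit record.
    """
    now = time.time() if now is None else now
    audit = {"ts": now, "iss": claims.get("iss"), "sub": claims.get("sub")}
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None, {**audit, "result": "deny", "reason": "expired"}
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    for rule in RULES:
        # Exact comparison on each bound claim: no prefix or substring matching,
        # so "example-org/deploy-fork" cannot satisfy a rule for "example-org/deploy".
        if (claims.get("iss") == rule["issuer"] and rule["audience"] in auds
                and claims.get("sub") == rule["subject"]):
            # Requested roles are capped by what the service account holds.
            granted = sorted(set(requested_roles) & set(rule["roles"]))
            token = {"service_account": rule["service_account"],
                     "roles": granted, "exp": now + MAX_TTL}
            return token, {**audit, "result": "allow",
                           "service_account": rule["service_account"]}
    return None, {**audit, "result": "deny", "reason": "no matching rule"}
```

Binding a rule to the full `sub` value, including the branch ref, is what keeps other repositories and branches under the same issuer from obtaining the service account's token.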
Notes
- Gradual migration is supported — existing API keys work alongside WIF, so you can move over in stages rather than all at once.
- Guided setup in the Claude Console — the Claude Console offers a guided setup flow with validation and testing to help configure federation rules.
- Audit logging — every token exchange and request is recorded in audit logs, so you can trace which identity accessed the platform and when.