Anthropic Ships Keyless Auth for Claude API: Workload Identity Federation Now GA
Summary: Anthropic's Workload Identity Federation (WIF) is now generally available, replacing long-lived sk-ant-* API keys with short-lived OIDC tokens sourced from enterprise identity providers.
Key facts
- Supported identity providers: AWS IAM, Google Cloud, GitHub Actions, Kubernetes, SPIFFE, Microsoft Entra ID, and Okta — any standards-compliant OIDC issuer
- Tokens expire in minutes instead of never expiring, so there are no static secrets to store in CI, rotate on a schedule, or worry about leaking
- New Admin API endpoints let organizations manage issuers, service accounts, and federation rules programmatically, making this viable at scale
- API keys remain supported in parallel — teams can migrate one workload at a time without a hard cutover
Why it matters
As AI agents move deeper into production workflows, credential management becomes a new attack surface. Static API keys stuffed into environment variables or CI secrets are a well-known failure mode. WIF closes that gap by aligning Claude authentication with the zero-trust posture that enterprise security teams already enforce for cloud workloads. For organizations deploying Claude in automated pipelines, this removes a blocker that previously required compensating controls.