
Anthropic

Set up credential brokering for Anthropic APIs so your workloads authenticate with Keycard-issued OIDC tokens instead of static API keys

Your application authenticates to Keycard with workload identity and exchanges its token for a Keycard-issued OIDC JWT scoped to Anthropic. The Anthropic SDK uses that JWT to perform Workload Identity Federation (WIF) and get a short-lived access token. No static API keys anywhere in the chain.

Flow diagram (nodes): Your App: uses credential with Anthropic. Keycard Zone: issues OIDC JWT for Anthropic (Keycard-minted access token). Anthropic WIF: validates JWT, returns access token. Claude API: short-lived token, no API keys.

Create a resource and an application in Keycard, and link them together.

  1. Create the Anthropic resource

    In Keycard Console, go to your zone and navigate to Resources.

    • Click Add Resource
    • Set the Resource Identifier to https://api.anthropic.com
    • Select your Zone Provider as the credentials provider — this tells Keycard to issue OIDC tokens signed by the zone itself rather than brokering through an external OAuth flow
    • Under Advanced Settings, set the Credential Lifetime to 1h
  2. Create an application and link the resource

    Navigate to Applications.

    • Click Add Application
    • Give it a name (e.g. anthropic-workload)
    • Note the Application ID — not yet shown in the UI; open the application and copy the ID from the browser URL bar

    Then open the application and go to Dependencies.

    • Click Add Dependency
    • Select the https://api.anthropic.com resource

    This authorizes the application to request tokens scoped to the Anthropic API.

  3. Create application credentials (local development)

    For local development with keycard run, you need a client ID and secret. In production, applications authenticate with workload identity instead.

    Open your application and go to Application Credentials.

    • Click Add Credential → Client ID & Secret
    • Note the Client ID and Client Secret — the secret is only shown once
  4. Note the zone’s OIDC issuer URL

    Find your zone URL on the zone settings page in Keycard Console. Anthropic needs this as the issuer URL when you register the federation rule in the next section.

    Your zone serves standard OIDC discovery at https://<zone-id>.keycard.cloud/.well-known/openid-configuration — Anthropic fetches this automatically to discover the JWKS and verify token signatures.

Register Keycard as a trusted issuer and create a federation rule for your workload.

  1. Create a service account

    In the Anthropic Platform Console, go to Settings → Service accounts → Create service account.

    Give it a name (e.g. keycard-workload). Note the service account ID (svac_...).

  2. Create a workspace and link the service account

    The Default Workspace has no ID and can’t be used with WIF. Create a dedicated workspace for your Keycard workloads.

    Go to Settings → Workspaces → Create workspace. Give it a name (e.g. keycard-workloads).

    Note the workspace ID (wrkspc_...) from the workspaces list. You’ll need it in the code examples below.

    Once created, select the workspace from the dropdown in the top navigation, then go to Manage → Service accounts → Add service account and add the service account from step 1. This links it to the workspace and determines which models and rate limits it can use.

  3. Register Keycard as an issuer

    In the org-level Workload Identity Federation settings, on the Issuers tab, click Create issuer.

    • Name: a label, e.g. keycard-prod
    • Issuer URL: https://<zone-id>.keycard.cloud (must match the iss claim in the Keycard-issued JWT exactly)
    • JWKS source: discovery (Keycard zones serve .well-known/openid-configuration publicly)
  4. Create a federation rule

    On the Rules tab, click New Rule.

    • Issuer: select the keycard-prod issuer from step 3
    • Match → Subject prefix: the Application ID from Keycard (the sub claim in the OIDC token)
    • Target: the service account from step 1
    • Workspaces: select the workspaces this rule can mint tokens for. The service account from step 1 must be a member of each selected workspace, otherwise token exchanges will fail
    • Scope: workspace:developer (default; grants the same access as an API key)
    • Token lifetime: 3600 seconds (default); adjust based on your security requirements

    Note the rule ID (fdrl_...). Your workload passes this in every token exchange request.

Get a Keycard OIDC token and pass it to the Anthropic SDK for automatic WIF exchange.

Your application does two things at runtime:

  1. Gets a Keycard OIDC token scoped to https://api.anthropic.com via client_credentials with a resource parameter
  2. Passes that token to the Anthropic SDK, which handles the WIF exchange and refresh automatically

```python
from keycardai.oauth import Client, BasicAuth
from anthropic import Anthropic, WorkloadIdentityCredentials

# 1. Get a Keycard OIDC token scoped to Anthropic.
#    Zone URL and client credentials come from the Keycard setup steps above.
with Client(
    "https://<zone-id>.keycard.cloud",
    auth=BasicAuth("<your-client-id>", "<your-client-secret>"),
) as kc:
    token = kc.exchange_token(
        grant_type="client_credentials",
        resource="https://api.anthropic.com",
    )

# 2. Use it with the Anthropic SDK — WIF exchange happens automatically.
#    Rule, service account and workspace IDs come from the Anthropic setup steps above.
client = Anthropic(
    credentials=WorkloadIdentityCredentials(
        identity_token_provider=lambda: token.access_token,
        federation_rule_id="<fdrl_...>",
        organization_id="<anthropic-org-id>",
        service_account_id="<svac_...>",
        workspace_id="<wrkspc_...>",
    ),
)

message = client.messages.create(
    model="claude-sonnet-4-6",
    max_tokens=1024,
    messages=[{"role": "user", "content": "Hello from a Keycard workload"}],
)
print(message.content[0].text)
```
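Two practical additions to the snippet above, written here as example code rather than code from Keycard or the Anthropic SDK: the lambda hands the SDK one fixed Keycard JWT that expires after the 1h Credential Lifetime, so the provider below re-fetches it shortly before exp, and it pre-checks the claims the federation rule from step 4 matches on (exact iss, sub prefix equal to the Application ID, and, as an assumption, the resource appearing in aud) so a misconfiguration fails locally with a clear message instead of as a rejected exchange on Anthropic's side. It assumes the SDK invokes identity_token_provider on each refresh; the unsigned sample token helper exists only to construct offline test input.

```python
import base64
import json
import time
from typing import Callable

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unsigned_jwt(claims: dict) -> str:
    """Constructed sample token (alg none) for offline demonstration only."""
    return _b64url(b'{"alg":"none"}') + "." + _b64url(json.dumps(claims).encode()) + "."

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying it; Anthropic verifies signatures via JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def check_claims(claims: dict, issuer: str, app_id: str, resource: str, now=None) -> list[str]:
    """Return mismatches against the claims Anthropic's federation rule matches on."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:  # the issuer URL must match iss exactly
        problems.append(f"iss {claims.get('iss')!r} != {issuer!r}")
    if not str(claims.get("sub", "")).startswith(app_id):  # rule matches a sub prefix
        problems.append(f"sub {claims.get('sub')!r} lacks prefix {app_id!r}")
    aud = claims.get("aud", [])
    if resource not in ([aud] if isinstance(aud, str) else aud):  # assumption: resource -> aud
        problems.append(f"aud {aud!r} does not include {resource!r}")
    if float(claims.get("exp", 0)) <= now:
        problems.append("token already expired")
    return problems

class RefreshingTokenProvider:
    """identity_token_provider that caches the Keycard JWT and re-fetches it before exp."""
    def __init__(self, fetch: Callable[[], str], issuer: str, app_id: str,
                 resource: str, skew: int = 60):
        self._fetch, self._issuer, self._app_id, self._resource = fetch, issuer, app_id, resource
        self._skew, self._token, self._exp, self.fetch_count = skew, None, 0.0, 0

    def __call__(self) -> str:
        if self._token is None or self._exp - self._skew <= time.time():
            token, self.fetch_count = self._fetch(), self.fetch_count + 1
            claims = jwt_claims(token)
            problems = check_claims(claims, self._issuer, self._app_id, self._resource)
            if problems:  # fail here rather than on Anthropic's side with a rejected exchange
                raise RuntimeError("refusing Keycard token: " + "; ".join(problems))
            self._token, self._exp = token, float(claims["exp"])
        return self._token
```

Pass an instance as identity_token_provider in place of the lambda, with fetch being a callable that performs the Client/exchange_token call from the snippet and returns token.access_token.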

Confirm the federation chain works end-to-end.

In Keycard Console — open Audit Log. You should see:

    • credentials:issue (OIDC token issued for https://api.anthropic.com)

In Anthropic Platform Console — go to Settings → Workload identity → Authentication events. You should see the exchange attempt with your zone’s issuer URL and the matched federation rule.