How to Secure Claude API Workloads With Identity Federation

Anthropic’s new Workload Identity Federation allows non-human workloads to access Claude API endpoints, SDKs, and the Claude Code CLI without using static access keys. The system replaces long-lived credentials with short-lived tokens derived from external Identity Providers. This architecture secures agentic workloads against credential exfiltration and centralizes access control within your existing security perimeter.

The Authentication Flow

Workload Identity Federation replaces static API keys with a standardized JSON Web Token exchange. A workload authenticates by presenting a signed JWT from its native Identity Provider to Anthropic. Anthropic validates the token against pre-configured trust rules defined in your organization settings.

If the validation succeeds, Anthropic returns a short-lived access token. The workload then uses this temporary token to execute requests against the Claude API or Agent SDK. This mechanism ensures that no static secrets exist within the application environment, source code, or CI/CD pipelines.

The system is compatible with any OIDC-compliant issuer. Anthropic provides native support and streamlined configuration paths for AWS IAM, Google Cloud, GitHub Actions, Kubernetes, SPIFFE, Microsoft Entra ID, and Okta.

Service Accounts and Billing

To map external identities to the Claude Platform, the feature introduces Service Accounts. These are named, non-human identities established at the organization level. They are identifiable by the svac_ prefix.

Service Accounts do not possess passwords or console login capabilities. You must add them as members of specific workspaces to grant them access to models and tools. The Service Account inherits the rate limits and billing configurations of the workspace it joins.

Effective June 15, 2026, programmatic usage via the Claude Agent SDK and Claude Code transitioned off subscription rate-limit pools. Workloads authenticated via Service Accounts now draw from separate, dollar-denominated credits at standard API pricing. You must provision these credits in the billing console before federated workloads can execute API calls.

Okta Integration and Enterprise Authorization

Okta operates as a featured identity provider for the Claude Platform. Organizations utilizing Okta can manage Claude access policies directly through their primary identity directory.

This partnership includes a beta release for Enterprise-Managed Authorization. Administrators can authorize Model Context Protocol (MCP) connectors once via Okta. Employees and downstream Service Accounts automatically inherit this access without triggering individual OAuth prompts. This centralized authorization model accelerates the deployment of agent fleets across enterprise domains while maintaining strict compliance boundaries.

Securing Claude Code Workloads

Automated development workflows frequently rely on static keys stored in environment variables, creating substantial security vulnerabilities. The release of Claude Code v2.1.121 introduces direct support for Workload Identity Federation and X.509 certificate-based federation.

Build pipelines running on GitHub Actions can now use short-lived GitHub tokens to authenticate Claude Code instances. This enables automated repository triage and bug deduplication without exposing persistent credentials. When managing workflows across large teams, the CLI automatically requests the necessary ephemeral tokens via the native identity provider, assuming the executing environment holds the correct role assumptions.

Security Tradeoffs and Mitigations

Eliminating static secrets directly mitigates the risk of credential theft in compromised AI coding tools. Systems utilizing Workload Identity Federation contain no static keys for malicious payloads to extract.

However, this architecture shifts the security burden entirely to the upstream Identity Provider. Security teams must recognize that compromising the IdP grants immediate access to the attached Claude Service Accounts.

Federated authentication requires pairing with strict conditional access policies and per-agent behavioral baselines. Agentic workloads generate API call volumes and execution speeds that routinely trigger human-centric anomaly detections. Security administrators must configure specific logging profiles and alert thresholds tailored to non-human identities to prevent false positives while maintaining visibility into potential abuse.

Update your identity provider trust rules to restrict access by repository, branch, or specific cluster namespace before provisioning production Service Accounts.