Authentication: API Keys, Subscriptions, and SSO

You have Claude Code installed, you type claude in your terminal, and it immediately asks you to log in. Do you use the Claude Max subscription your company just bought? The API key from the Anthropic Console? The AWS Bedrock credentials your DevOps team configured? The wrong choice means either unexpected bills or a broken setup that wastes your morning.

This guide walks through every authentication path, explains the trade-offs, and gets you logged in on the first try.

What You’ll Walk Away With

• A working authentication that lets you run claude without errors
• Understanding of which auth method fits your billing and team structure
• Knowledge of how credentials are stored and refreshed
• The ability to switch between accounts when needed

Authentication Methods at a Glance

Method	Best For	How Billing Works	Setup Time
Claude Pro/Max subscription	Individual developers	Flat monthly fee, unlimited usage (Max)	2 minutes
Claude for Teams/Enterprise	Organizations with SSO	Per-seat pricing, centralized billing	5 minutes
Anthropic Console (API key)	Pay-as-you-go usage	Token-based billing with prepaid credits	3 minutes
Amazon Bedrock	AWS-native teams	AWS billing	10 minutes
Google Vertex AI	GCP-native teams	GCP billing	10 minutes
Microsoft Foundry	Azure-native teams	Azure billing	10 minutes

Option 1: Claude Subscription (Recommended)

The simplest path. If you have a Claude Pro or Max subscription at claude.ai, you can log in directly with your existing account.

1. Start Claude Code:

   claude

2. Select “Claude.ai” when prompted for login method.

3. A browser tab opens — sign in with your Claude account credentials. If you are already logged in at claude.ai, the authorization is nearly instant.

4. Return to your terminal — Claude Code confirms the connection and you are ready to go.

# Verify authentication worked
claude -p "Hello, confirm you can respond"

Note

Claude Max ($100/mo or $200/mo) provides the best Claude Code experience with higher rate limits and no per-token charges. Claude Pro ($20/mo) works but has tighter rate limits that can throttle heavy usage. For serious daily development work, Max is worth the upgrade.

Option 2: Anthropic Console (API Key)

For developers who prefer pay-as-you-go billing or need fine-grained cost control.

1. Get your API key from the Anthropic Console. If you do not have an account, create one and add billing credits.

2. Start Claude Code and select “Anthropic Console” as your login method:

   claude
   # Select "Anthropic Console" at the login prompt

3. Authenticate via browser — the Console OAuth flow opens in your browser.

Alternatively, you can set the API key as an environment variable to skip the interactive flow entirely:

# Add to your shell profile (~/.zshrc, ~/.bashrc, etc.)
export ANTHROPIC_API_KEY='sk-ant-your-key-here'

# Then start claude normally
claude

Caution

When you first log in via Console, Claude Code automatically creates a “Claude Code” workspace for centralized cost tracking. Monitor your spending at console.anthropic.com — heavy sessions can use significant tokens, especially with Claude Opus 4.6.

Tip

Copy-paste prompt to check your billing setup:

/cost

This slash command shows token usage for the current session. Use it periodically if you are on API billing to avoid surprises.

Option 3: Claude for Teams or Enterprise

For organizations that need centralized user management, SSO, and shared billing.

Claude for Teams (self-service):

1. Subscribe at claude.ai/pricing under the Teams plan.

2. Invite team members from the admin dashboard.

3. Each team member installs Claude Code and logs in with their Claude.ai account. Select “Claude.ai” at the login prompt.

Claude for Enterprise (contact sales):

Enterprise adds SSO (SAML), domain capture, role-based permissions, compliance APIs, and managed policy settings for organization-wide Claude Code configuration.

1. Contact Anthropic sales at anthropic.com/contact-sales.

2. IT configures SSO and invites users through the enterprise admin panel.

3. Developers install Claude Code and log in. SSO redirects are handled automatically.

For enterprise deployments, you can restrict login methods using settings.json:

// In managed-settings.json (deployed by IT)
{
  "forceLoginMethod": "claudeai",
  "forceLoginOrgUUID": "your-org-uuid-here"
}

This forces all users on the machine to authenticate through your organization’s Claude.ai account.

Option 4: Cloud Provider Authentication

For teams that route all AI traffic through their cloud provider.

Amazon Bedrock

Set the required environment variables and start Claude Code:

# Add to your shell profile
export CLAUDE_CODE_USE_BEDROCK=1
export AWS_REGION=us-west-2
export AWS_ACCESS_KEY_ID=your-access-key
export AWS_SECRET_ACCESS_KEY=your-secret-key

# Or use AWS SSO / IAM roles (preferred)
aws sso login --profile your-profile
export CLAUDE_CODE_USE_BEDROCK=1

claude

Your IAM role needs access to the anthropic.claude-* model family in Bedrock.

Google Vertex AI

# Authenticate with Google Cloud
gcloud auth application-default login

# Set environment variables
export CLAUDE_CODE_USE_VERTEX=1
export CLOUD_ML_REGION=us-east5
export ANTHROPIC_VERTEX_PROJECT_ID=your-project-id

claude

Microsoft Foundry

# Set environment variables
export CLAUDE_CODE_USE_FOUNDRY=1
export ANTHROPIC_FOUNDRY_RESOURCE=your-resource-name
export ANTHROPIC_FOUNDRY_API_KEY=your-foundry-key

claude

Note

Cloud provider authentication routes requests through your provider’s infrastructure. This means billing goes through your cloud account, and you may have different model availability depending on your region and provider agreements.

Credential Storage and Security

Claude Code stores credentials securely:

• macOS: API keys and OAuth tokens go into the encrypted macOS Keychain
• Linux/Windows: Credentials are stored in ~/.claude.json (ensure appropriate file permissions)
• Tokens refresh automatically — you should not need to re-authenticate under normal use

To see your current authentication status, start claude and check the welcome screen. It displays your account email and organization.

Switching Accounts

If you need to switch between accounts (personal vs. work, different organizations):

# Inside a Claude Code session
/login
# Follow the prompts to switch accounts

The /login command is a REPL slash command and must be run inside an active Claude Code session.

Tip

Copy-paste prompt to verify your account and permissions:

What account am I logged in with? What model are you using?
What organization am I part of?

Custom Credential Scripts

For advanced setups where credentials need to come from a vault or rotate automatically, use the apiKeyHelper setting:

// In ~/.claude/settings.json
{
  "apiKeyHelper": "/path/to/your/credential-script.sh"
}

The script should output a valid API key to stdout. Claude Code calls it on startup and every 5 minutes (or on HTTP 401). You can customize the refresh interval:

export CLAUDE_CODE_API_KEY_HELPER_TTL_MS=300000  # 5 minutes

When This Breaks

“Login failed” or browser tab does not open — Ensure your default browser is set correctly. On headless servers or SSH sessions, there is no browser to open. Use the ANTHROPIC_API_KEY environment variable instead of the OAuth flow.

“Rate limit exceeded” on Claude Pro — Claude Pro has lower rate limits than Max. If you hit limits during heavy usage, either upgrade to Max or wait for the rate limit to reset (usually within minutes).

“Invalid API key” after it was working — API keys can be revoked from the Console. Check console.anthropic.com to confirm your key is still active. If using apiKeyHelper, verify the script returns a valid key.

“Authentication expired” with cloud providers — AWS SSO sessions and Google auth tokens expire. Re-run aws sso login or gcloud auth application-default login and restart Claude Code.

Credentials not persisting between terminal sessions — Make sure environment variables are in your shell profile file (.zshrc, .bashrc), not just exported in the current session.

What’s Next

With authentication working, the next step is configuring Claude Code’s permissions, model selection, and auto-approve behavior to match your workflow.

Configuration Permissions, models, and auto-approve rules

IDE Integration Set up VS Code or JetBrains integration