Skip to main content

Anthropic

The Anthropic integration monitors your Claude Console organization — members and their roles, workspaces and workspace memberships, and API keys — and, when configured, service accounts and workload identity federation, the Claude Enterprise directory (linked organizations, users, groups, roles), and the Compliance Activity Feed for last-activity insights and security detections.

Before starting

  • You need the admin role (or owner/primary owner) in your Anthropic organization to create an Admin API key.
  • Optional: a Claude Enterprise plan if you want directory visibility via a Compliance Access Key.
  • Optional: access to Claude Console → Settings → Workload identity if you want service-account and federation visibility.

1. Create an Admin API key

  1. In the Claude Console, go to Settings → API keys and create an Admin API key (it starts with sk-ant-admin...). Only organization members with the admin role can provision one.
  2. Copy the key — it is shown once.
note

The Admin API key can read organization members, workspaces, and API keys, and manage them. SlashID only reads. The key cannot create new API keys.

2. Find your organization ID

Your organization ID is a UUID shown in Claude Console → Settings → Organization, or returned by:

curl https://api.anthropic.com/v1/organizations/me \
--header "anthropic-version: 2023-06-01" \
--header "x-api-key: $ANTHROPIC_ADMIN_KEY"

SlashID validates at connection time that the organization ID matches the admin key's organization.

3. (Optional) Create a Compliance Access Key — Claude Enterprise only

If your organization uses Claude Enterprise, create a Compliance Access Key in claude.ai (see Set up the Compliance API) with the directory read scopes. This unlocks linked organizations, directory users, groups, and custom roles, and richer Activity Feed access.

Without it, SlashID still reads the Activity Feed with the Admin API key when your organization has the read:compliance_activities scope enabled for it.

4. (Optional) Enable service-account & federation visibility (WIF)

The service-account and federation endpoints do not accept Admin API keys — they require an org:admin OAuth token minted through workload identity federation. This setup stores no secret with SlashID; trust is configured on Anthropic's side against the SlashID scanner's workload identity.

  1. In Claude Console → Settings → Workload identity, select Connect workload and choose Google Cloud.
  2. Register Google's OIDC issuer and create a new service account with the Admin organization role.
  3. Under Advanced rule options, set the rule's OAuth scope to org:admin and pin the subject to the SlashID scanner's service-account identity (provided by SlashID support for your deployment).
  4. Note the rule ID (fdrl_...) and service account ID (svac_...) — you will enter both in the SlashID Console.
danger

Never use a trailing-wildcard subject_prefix for an org:admin rule. As Anthropic's own documentation warns, a broad pattern lets unintended workloads (for example fork pull-request CI runs) mint organization-admin tokens. Pin the subject to one exact identity.

5. Create your Anthropic ↔ SlashID integration

Go to the SlashID Console integrations page and create an Anthropic connection:

SlashID Console fieldDescriptionExample
Name of the connectionArbitrary name for this connectionAnthropic Production
Organization IDYour Anthropic organization UUID (step 2)b3053f8f-4432-4d3d-...
Admin API keyThe key you created in step 1sk-ant-admin...
Compliance access keyOptional — the Claude Enterprise key from step 3sk-ant-api01-...
Federation rule IDOptional — the WIF rule from step 4; requires the service account IDfdrl_...
Service account IDOptional — the WIF target service account from step 4; requires the federation rule IDsvac_...
Authoritative statusWhether Anthropic identities are the primary source of truth when reconciling across sourcesPrimary or Secondary

Verification

After the first sync, SlashID shows:

  • Users (organization members and, with a compliance key, directory users) with their console roles and last-activity data,
  • Workspaces with per-user workspace roles,
  • API keys with status, expiry, and workspace scope,
  • with WIF configured: service accounts, federation issuers, and federation rules, including which workloads can mint tokens as which service accounts.

Connection preflight checks validate each credential and permission; optional slices (compliance directory, activity feed, WIF) degrade gracefully when not configured.

Troubleshooting

  • admin_key_valid preflight fails / 401 — the Admin API key is invalid or revoked. Create a new one (step 1). Admin keys start with sk-ant-admin.
  • organization_id_matches preflight fails — the organization ID entered does not match the admin key's organization. Re-run the curl in step 2 and use the returned id verbatim.
  • compliance_directory fails with 403 — the key is not a Compliance Access Key, lacks the directory scopes, or your organization is not on Claude Enterprise. The sync continues without directory data.
  • activity_feed fails — the key lacks the read:compliance_activities scope. Last-activity enrichment and activity-based detections are skipped.
  • wif_service_accounts fails — the federation rule's scope is not org:admin, the target service account lacks the Admin role, or the rule's subject does not match the SlashID scanner identity. Review step 4; the sync continues without service-account and federation data.