Anthropic
The Anthropic integration monitors your Claude Console organization — members and their roles, workspaces and workspace memberships, and API keys — and, when configured, service accounts and workload identity federation, the Claude Enterprise directory (linked organizations, users, groups, roles), and the Compliance Activity Feed for last-activity insights and security detections.
Before starting
- You need the admin role (or owner/primary owner) in your Anthropic organization to create an Admin API key.
- Optional: a Claude Enterprise plan if you want directory visibility via a Compliance Access Key.
- Optional: access to Claude Console → Settings → Workload identity if you want service-account and federation visibility.
1. Create an Admin API key
- In the Claude Console, go to Settings → API keys
and create an Admin API key (it starts with
sk-ant-admin...). Only organization members with the admin role can provision one. - Copy the key — it is shown once.
The Admin API key can read organization members, workspaces, and API keys, and manage them. SlashID only reads. The key cannot create new API keys.
2. Find your organization ID
Your organization ID is a UUID shown in Claude Console → Settings → Organization, or returned by:
curl https://api.anthropic.com/v1/organizations/me \
--header "anthropic-version: 2023-06-01" \
--header "x-api-key: $ANTHROPIC_ADMIN_KEY"
SlashID validates at connection time that the organization ID matches the admin key's organization.
3. (Optional) Create a Compliance Access Key — Claude Enterprise only
If your organization uses Claude Enterprise, create a Compliance Access Key in claude.ai (see Set up the Compliance API) with the directory read scopes. This unlocks linked organizations, directory users, groups, and custom roles, and richer Activity Feed access.
Without it, SlashID still reads the Activity Feed with the Admin API key when
your organization has the read:compliance_activities scope enabled for it.
4. (Optional) Enable service-account & federation visibility (WIF)
The service-account and federation endpoints do not accept Admin API keys —
they require an org:admin OAuth token minted through workload identity
federation. This setup stores no secret with SlashID; trust is configured
on Anthropic's side against the SlashID scanner's workload identity.
- In Claude Console → Settings → Workload identity, select Connect workload and choose Google Cloud.
- Register Google's OIDC issuer and create a new service account with the Admin organization role.
- Under Advanced rule options, set the rule's OAuth scope to
org:adminand pin the subject to the SlashID scanner's service-account identity (provided by SlashID support for your deployment). - Note the rule ID (
fdrl_...) and service account ID (svac_...) — you will enter both in the SlashID Console.
Never use a trailing-wildcard subject_prefix for an org:admin rule. As
Anthropic's own documentation warns, a broad pattern lets unintended workloads
(for example fork pull-request CI runs) mint organization-admin tokens. Pin the
subject to one exact identity.
5. Create your Anthropic ↔ SlashID integration
Go to the SlashID Console integrations page and create an Anthropic connection:
| SlashID Console field | Description | Example |
|---|---|---|
| Name of the connection | Arbitrary name for this connection | Anthropic Production |
| Organization ID | Your Anthropic organization UUID (step 2) | b3053f8f-4432-4d3d-... |
| Admin API key | The key you created in step 1 | sk-ant-admin... |
| Compliance access key | Optional — the Claude Enterprise key from step 3 | sk-ant-api01-... |
| Federation rule ID | Optional — the WIF rule from step 4; requires the service account ID | fdrl_... |
| Service account ID | Optional — the WIF target service account from step 4; requires the federation rule ID | svac_... |
| Authoritative status | Whether Anthropic identities are the primary source of truth when reconciling across sources | Primary or Secondary |
Verification
After the first sync, SlashID shows:
- Users (organization members and, with a compliance key, directory users) with their console roles and last-activity data,
- Workspaces with per-user workspace roles,
- API keys with status, expiry, and workspace scope,
- with WIF configured: service accounts, federation issuers, and federation rules, including which workloads can mint tokens as which service accounts.
Connection preflight checks validate each credential and permission; optional slices (compliance directory, activity feed, WIF) degrade gracefully when not configured.
Troubleshooting
admin_key_validpreflight fails / 401 — the Admin API key is invalid or revoked. Create a new one (step 1). Admin keys start withsk-ant-admin.organization_id_matchespreflight fails — the organization ID entered does not match the admin key's organization. Re-run thecurlin step 2 and use the returnedidverbatim.compliance_directoryfails with 403 — the key is not a Compliance Access Key, lacks the directory scopes, or your organization is not on Claude Enterprise. The sync continues without directory data.activity_feedfails — the key lacks theread:compliance_activitiesscope. Last-activity enrichment and activity-based detections are skipped.wif_service_accountsfails — the federation rule's scope is notorg:admin, the target service account lacks the Admin role, or the rule's subject does not match the SlashID scanner identity. Review step 4; the sync continues without service-account and federation data.