How to Set Up and Secure Claude Code API Keys

Claude Code is an AI coding agent that runs in your terminal, and it needs credentials to call the Anthropic API. Understanding how to set up and protect your Claude Code API key correctly keeps your account secure and prevents billing surprises.

Quick Answer: Claude Code supports two authentication methods: OAuth login (recommended for personal use) and a manually configured Claude Code API key supplied through the `ANTHROPIC_API_KEY` environment variable. For most individual users, OAuth is the simpler and safer option because it does not require you to manage a key. If you use an API key, store it as an environment variable, never in a config file.

What is a Claude Code API key?

A Claude Code API key is an Anthropic API credential that authorizes Claude Code to call the Claude model on your behalf. It is the same type of key you would use to call the Anthropic API directly, created through console.anthropic.com. Claude Code reads it from the ANTHROPIC_API_KEY environment variable or through its OAuth flow. Because it is linked to your Anthropic account, it controls both access and billing.

Why does Claude Code API key security matter?

Claude Code runs directly on your machine with access to your terminal, file system, and development environment. If the credential it uses is exposed, an attacker can run inference that is billed to your account. Unlike a web application where credentials live on a server, Claude Code's credentials exist on your local machine alongside your code and project files. In 2025, over 24,000 secrets were found in MCP configuration files on public GitHub, with more than 2,100 confirmed active. Coding agent credentials are a common leak vector because they often end up in configuration files that developers commit without reviewing.

How do I set up a Claude Code API key securely?

Option 1: OAuth (recommended for personal use). Run /login inside Claude Code. This opens a browser-based authentication flow that generates a short-lived token. You do not manage a key directly. This is the simplest and most secure approach for individual developers.

Option 2: API key via environment variable. If you prefer a persistent key or need it for automation:

  1. Go to console.anthropic.com and navigate to API Keys.
  2. Click Create Key and give it a descriptive name (for example, claude-code-dev-machine).
  3. Set the environment variable in your shell profile: add `export ANTHROPIC_API_KEY=your_key_here` to `~/.bashrc`, `~/.zshrc`, or equivalent. Do not put the actual key in a `.env` file that might be committed.
  4. Run /status inside Claude Code to verify authentication is working.

Restrict the key. Use the project-scoping features in the Anthropic console to limit what the key can access. Create one key per machine or context rather than reusing the same key everywhere.

Set a monthly budget. Configure a spending limit in the Anthropic console. This limits the financial exposure if the key is misused before you notice.

Check configuration. Run /config inside Claude Code to review how your key and preferences are set. The apiKeyHelper setting lets you configure a script to retrieve credentials dynamically from a secrets manager.
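The following helper script is an added example of the apiKeyHelper approach; it is not from the article or from Claude Code's own code. It fetches the key from an OS credential store each time Claude Code needs it, so the key never sits in a shell profile or `.env` file, and it falls back to a file only when that file is owned by the caller and readable by nobody else. The `~/.claude/settings.json` location, the keychain entry names (`anthropic-api`), and the fallback path are assumptions you should adjust to your setup.

```shell
#!/bin/sh
# Added example (not the article's or Claude Code's own code): an apiKeyHelper
# script that returns the Anthropic key on stdout at invocation time.
# Point Claude Code at it from ~/.claude/settings.json (path assumed from the
# Claude Code documentation):
#   { "apiKeyHelper": "/home/you/.claude/get-anthropic-key.sh" }
#
# Credential sources, tried in order (service/entry names are assumptions):
#   1. macOS Keychain:  security find-generic-password -s anthropic-api -w
#   2. libsecret:       secret-tool lookup service anthropic-api
#   3. fallback file:   $ANTHROPIC_KEY_FILE, only if owned by us and mode 0600/0400

# Returns 0 when the fallback file is a regular file, owned by the current
# user, and not readable by group or others; 1 otherwise.
key_file_is_safe() {
    f=$1
    [ -f "$f" ] || return 1
    # "uid mode" via GNU stat, falling back to BSD stat.
    info=$(stat -c '%u %a' "$f" 2>/dev/null || stat -f '%u %Lp' "$f" 2>/dev/null) || return 1
    owner=${info% *}
    mode=${info#* }
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the key and nothing else; any diagnostics go to stderr so they
# cannot be mistaken for the credential.
get_anthropic_key() {
    if command -v security >/dev/null 2>&1; then
        security find-generic-password -s anthropic-api -w 2>/dev/null && return 0
    fi
    if command -v secret-tool >/dev/null 2>&1; then
        secret-tool lookup service anthropic-api 2>/dev/null && return 0
    fi
    f=${ANTHROPIC_KEY_FILE:-$HOME/.config/anthropic/api-key}
    if key_file_is_safe "$f"; then
        # Drop the trailing newline so the header value is exact.
        tr -d '\n' < "$f"
        return 0
    fi
    echo "no usable credential source (missing keychain entry or unsafe permissions on $f)" >&2
    return 1
}

# Only act as the helper when invoked under the installed script name.
case "$0" in
    *get-anthropic-key.sh) get_anthropic_key ;;
esac
```

Because the helper refuses a world-readable fallback file, a `chmod 644` slip on the key file turns into a visible authentication failure rather than a silent exposure, which is the behaviour you want from anything that hands credentials to an agent.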

What are common mistakes to avoid?

  • Storing the key in a .env file inside a project directory that might be committed
  • Using the same key for Claude Code and other applications or automation
  • Not setting a spending limit on the key
  • Forgetting to revoke keys from machines that are decommissioned or shared
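The first mistake in the list is the one a local control can catch before it happens. The script below is an added example, not code from the article or from any product it mentions: a git pre-commit hook that refuses a commit whose staged additions contain Anthropic key material or a hard-coded `ANTHROPIC_API_KEY` assignment. The `sk-ant-` prefix is an assumption about the current key format, and the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): a pre-commit hook that blocks
# commits containing an Anthropic API key. Install with:
#   cp this-file .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
# The "sk-ant-" key prefix is an assumption; adjust if your keys differ.

# Reads candidate lines on stdin. Returns 0 when nothing suspicious is found,
# 1 (with the offending lines on stderr) when a credential appears.
find_key_leaks() {
    # Pattern 1: literal key material, e.g. sk-ant-api03-<long token>.
    # Pattern 2: ANTHROPIC_API_KEY assigned a long literal value. A reference
    # such as ANTHROPIC_API_KEY=$KEY or the placeholder your_key_here is not
    # matched, so documentation and CI templates pass.
    hits=$(grep -nE 'sk-ant-[A-Za-z0-9_-]{20,}|ANTHROPIC_API_KEY[[:space:]]*[=:][^A-Za-z0-9_$-]*[A-Za-z0-9_-]{20,}' || true)
    if [ -n "$hits" ]; then
        printf 'Possible Anthropic credential in staged changes:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Hook entry point: inspect only the added lines of the staged diff, skipping
# the "+++ b/file" headers.
pre_commit_check() {
    git diff --cached -U0 --no-color | grep '^+' | grep -v '^+++' | find_key_leaks
}

# When git runs this file as .git/hooks/pre-commit, a hit aborts the commit.
case "$0" in
    *pre-commit) pre_commit_check || { echo "Commit blocked: remove the key and use an environment variable or apiKeyHelper." >&2; exit 1; } ;;
esac
```

A hook like this is a last line of defence on one machine; it does not replace rotating a key that has already been committed, since git history keeps the value even after the line is deleted.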


Know When Agents Touch Your Credentials

AgentGuard360 tracks credential access in real time—API keys, tokens, and secrets that agents read or transmit during a session. Git pre-commit hooks prevent accidental exposure before it reaches your repository.

Coming Soon