Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Claude Enterprise organizations have self-service access to the full API. Claude Console organizations are enabled on request; contact your account team. This page describes how to request access and create API keys.
Required role: organization admin (Claude Console) or primary owner (claude.ai).
The Compliance API uses two key types, and which one you create depends on which Claude product your organization uses. Primary owners create Compliance Access Keys in claude.ai; these keys unlock the full Compliance API. Organization admins create Admin API keys in Claude Console; these keys unlock the Activity Feed only.
| Key type | Created in | Used for | Works with the Compliance API? |
|---|---|---|---|
Compliance Access Key (sk-ant-api01-...) | claude.ai > Organization settings > API | Activity Feed, chats, files, projects, users, organization metadata, and organization settings | Yes (all endpoints) |
Admin API key (sk-ant-admin01-...) | Claude Console > Settings > Admin keys | The Admin API and the Compliance API Activity Feed | Activity Feed only |
| Analytics API key | claude.ai > Analytics > API keys | The Claude Enterprise Analytics API (see Analytics APIs) | No |
Claude API key (sk-ant-api03-...) | Claude Console > Settings > API keys | Calling Claude models through the Claude API | No |
A Claude Enterprise tenant has one parent organization that centralizes identity, SSO, and SCIM for every workload organization beneath it. These workload organizations are the parent's linked organizations.
Claude Enterprise parent organizations do not appear in Claude Console (platform.claude.com). The parent carries no workloads, no Claude API keys, and no Admin API keys. Create Compliance Access Keys in claude.ai Organization settings, not in Claude Console.
Claude Enterprise primary owners can enable the Compliance API directly in claude.ai. Claude Console organizations should contact their account team to request access. In either case, enablement happens at the parent organization level and cascades to every linked organization, both claude.ai and Claude Console. What changes after enablement depends on which Claude product your organization uses.
Once the Compliance API is enabled for your parent organization, the primary owner can create Compliance Access Keys from the Keys section at claude.ai > Organization settings > API.
After Anthropic enables the Compliance API for your parent organization, Admin API keys created from then on carry the read:compliance_activities scope. Admin API keys created before enablement continue to work with the Admin API, but calling the Activity Feed with one returns 403 Forbidden; create a new Admin API key to pick up the scope.
The Compliance API must already be enabled for your claude.ai parent organization before a Compliance Access Key can be created.
A Compliance Access Key with read:compliance_user_data can read every chat,
file, and project in every linked organization, including content the primary
owner has not seen. A key with delete:compliance_user_data can permanently
delete that content. Treat Compliance Access Keys like production database
credentials: store them in a secrets manager, never in source control or SIEM
forwarder configuration.
Sign in as the primary owner
Only the primary owner of the parent organization can create Compliance Access Keys. If the API page described in the next step is not visible, or compliance scopes are unavailable when creating a key, either you are not the primary owner, or the Compliance API has not been enabled for your organization yet (see Request Compliance API access).
Open API settings
Go to claude.ai > Organization settings > API and find the Keys section.
Create the key
Click Create key, name the key, and select one or more scopes from the following table. Click Create.
| Scope | Grants |
|---|---|
read:compliance_activities | Read the Activity Feed for the parent organization and all linked organizations |
read:compliance_user_data | Read user chats, messages, files, projects, organization users, and group members |
delete:compliance_user_data | Delete user chats, files, and projects |
read:compliance_org_data | Read organization metadata (names, types, roles, and groups). User listings and group membership require read:compliance_user_data. |
read:compliance_org_settings | Read the effective settings in force for organizations under the parent organization |
Choose the smallest scope set that your integration needs:
read:compliance_activities.delete:compliance_user_data.Compliance Access Key scopes are immutable after creation. To change scopes, create a new key with the scopes you want, then delete the old one.
Copy and store the secret
Copy the displayed secret key (starting with sk-ant-api01-) and store it in your secrets manager. The full secret is displayed only once.
Export the key for the examples in this guide
Set the key as an environment variable so the shell samples in this guide can read it:
export ANTHROPIC_COMPLIANCE_ACCESS_KEY=sk-ant-api01-...The Compliance API must already be enabled for your Claude Console organization before an Admin API key can call the Activity Feed.
Sign in as an organization admin
Only an organization member with the admin role can create Admin API keys. See Organization roles and permissions for the full role list.
Open Admin keys settings
Create the key
Click Create key, name the key, and click Create.
Copy and store the secret
Copy the displayed secret key (starting with sk-ant-admin01-) and store it in your secrets manager. The full secret is displayed only once.
Export the key for use with the Activity Feed
Set the key as an environment variable:
export ANTHROPIC_ADMIN_KEY=sk-ant-admin01-...The distinct variable name keeps the Admin API key from overwriting a Compliance Access Key if you provision both. The cURL examples in this guide read the key from $ANTHROPIC_COMPLIANCE_ACCESS_KEY; substitute $ANTHROPIC_ADMIN_KEY when calling the Activity Feed with an Admin API key.
Admin API keys carry the read:compliance_activities scope only when the Compliance API was enabled for the organization before the key was created; see After enablement: Claude Console organizations. They cannot be granted any other Compliance API scope, so calls to any endpoint other than the Activity Feed return 403 Forbidden.
For the same key's role in managing your Claude Console organization, see Admin API.
To inspect the scopes on a key you already have, use one of the following signals.
sk-ant-admin01- is an Admin API key (carries read:compliance_activities only, subject to the enablement timing in the preceding section). sk-ant-api01- is a Compliance Access Key; its scopes are the subset you selected at creation.Missing required scopes. Got: [<scopes the key carries>] Needed: [<scopes the endpoint requires>]. See Handle Compliance API errors for the full error catalog.{
"error": {
"type": "permission_error",
"message": "Missing required scopes. Got: ['read:compliance_activities'] Needed: ['read:compliance_user_data']"
}
}Delete a Compliance Access Key from the same Keys table where you created it: go to claude.ai > Organization settings > API. Delete an Admin API key from Claude Console > Settings > Admin keys.
Deleting a key takes effect on the next request: there is no grace period. Compliance Access Keys do not expire on their own.
To rotate a key without an outage:
Pagination cursors stored before a rotation remain valid: cursors are scoped to the organization, not the key.
If a Compliance Access Key leaks, delete it immediately, audit the Activity Feed for compliance_api_accessed activities by the compromised key, and rotate any downstream credentials that the leaked key could reach. Pass activity_types[]=compliance_api_accessed to scope the query, then in your client, keep the activities whose actor.type is api_actor and whose actor.api_key_id matches the compromised key; see Understand the Activity object for the actor schema.
Read organization-wide activity events with any key that has read:compliance_activities.
Use a Compliance Access Key with read:compliance_user_data to retrieve claude.ai content, and delete:compliance_user_data to delete it.
Was this page helpful?