Authentication
Claude Code API has two layers of authentication: API authentication (who can access the API) and Claude authentication (how Claude Code CLI authenticates with Anthropic).
Control who can call your API endpoints.
Set API_KEYS in .env with comma-separated keys:
```
API_KEYS=key-production-abc123,key-staging-xyz789
```
Pass the key in every request:
```
curl -H "X-API-Key: key-production-abc123" http://localhost:8000/api/v1/sessions
```
Leave API_KEYS empty to disable authentication (development only):
```
API_KEYS=
```
Warning: Never run without auth in production.
Each session is scoped to the API key that created it. Key A cannot access sessions created by key B.
How the underlying Claude Code CLI authenticates with Anthropic.
If you've already logged in via Claude Code CLI:
```
claude auth login
```
Leave ANTHROPIC_API_KEY empty in .env. The API uses your existing Max/Pro plan; there are no additional API charges.
Set the Anthropic API key directly:
```
ANTHROPIC_API_KEY=sk-ant-...
```
This charges against your Anthropic API billing. Useful for server environments where CLI login isn't practical.
| Mode | Billing | Setup |
|---|---|---|
| CLI login | Your Max/Pro plan | `claude auth login` on the server |
| API key | Anthropic API billing | Set `ANTHROPIC_API_KEY` in `.env` |
Built-in rate limiter protects against abuse:
```
RATE_LIMIT_REQUESTS=30   # requests per window
RATE_LIMIT_WINDOW=60     # window in seconds
```
Every response includes rate limit headers:
```
X-RateLimit-Limit: 30
X-RateLimit-Remaining: 28
X-RateLimit-Reset: 1716220800
```
When exceeded, returns 429 Too Many Requests with Retry-After header.
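The three mechanisms above (API key check, per-key session scoping, and the fixed-window rate limiter with its headers) as an added illustrative example; this is not the project's own code, and the `.env` values, class names and the `clock` parameter are assumptions made for the example:

```python
import hmac
import time

# Constructed .env values mirroring the keys documented on this page (assumed values).
ENV = {"API_KEYS": "key-production-abc123,key-staging-xyz789",
       "RATE_LIMIT_REQUESTS": "30", "RATE_LIMIT_WINDOW": "60"}

def load_api_keys(env):
    """Parse comma-separated API_KEYS; an empty value means auth is disabled."""
    return [k.strip() for k in env.get("API_KEYS", "").split(",") if k.strip()]

def authenticate(headers, api_keys):
    """Return the matching configured key, or None to reject the request (401).
    hmac.compare_digest keeps the comparison constant-time per candidate key."""
    if not api_keys:
        return "anonymous"  # API_KEYS empty: auth disabled (development only)
    presented = headers.get("X-API-Key", "")
    for key in api_keys:
        if hmac.compare_digest(presented.encode(), key.encode()):
            return key
    return None

class RateLimiter:
    """Fixed-window counter per API key, emitting the X-RateLimit-* headers."""
    def __init__(self, limit, window, clock=time.time):
        self.limit, self.window, self.clock = limit, window, clock
        self.buckets = {}  # key -> (window_start, count)

    def check(self, key):
        now = int(self.clock())
        start, count = self.buckets.get(key, (now, 0))
        if now - start >= self.window:      # window elapsed: start a fresh one
            start, count = now, 0
        allowed = count < self.limit
        if allowed:
            count += 1
        self.buckets[key] = (start, count)
        reset = start + self.window
        headers = {"X-RateLimit-Limit": str(self.limit),
                   "X-RateLimit-Remaining": str(max(self.limit - count, 0)),
                   "X-RateLimit-Reset": str(reset)}
        if not allowed:                     # 429 path: tell the client when to retry
            headers["Retry-After"] = str(max(reset - now, 0))
        return allowed, headers

class SessionStore:
    """Each session is owned by the API key that created it."""
    def __init__(self):
        self.owners = {}  # session_id -> owner key

    def create(self, owner_key, session_id):
        self.owners[session_id] = owner_key

    def get(self, requesting_key, session_id):
        """Only the owner sees the session; foreign and unknown ids both return None."""
        return session_id if self.owners.get(session_id) == requesting_key else None
```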
Per-request and per-user cost caps prevent runaway spending:
```
CLAUDE_MAX_COST_PER_REQUEST=5.0   # max USD per single request
CLAUDE_MAX_COST_PER_USER=50.0     # max USD total per API key
```
When the budget is exceeded, the API returns 429 with an explanation.