docs: auth.mdx incorrectly states ANTHROPIC_API_KEY is the "only" auth method for Claude — Anthropic WIF is missing #39237

@benissimo

Problem

reference/auth.mdx contains a statement that is no longer accurate:

"The only supported authentication method for the Claude engine is ANTHROPIC_API_KEY."

Anthropic Workload Identity Federation (WIF) was added as a first-class auth path in
#35939 and #36005,
merging on 2026-05-31 and working end-to-end as of v0.79.6. In WIF mode, ANTHROPIC_API_KEY is
neither required nor used — authentication is via a short-lived GitHub OIDC token
exchanged through a federation rule. The compiler suppresses the static-key requirement
when engine.auth.type: github-oidc with provider: anthropic is detected.

Two user-facing pages currently omit this path entirely and state or imply ANTHROPIC_API_KEY
is the only option.


Files to edit

1. docs/src/content/docs/reference/auth.mdx

Change 1 — "Which secret do I need?" Claude bullet:

Current:

```markdown
### Claude

- **Required secret:** [`ANTHROPIC_API_KEY`](#anthropic_api_key)
- **Alternative:** None
- **Notes:** API key from Anthropic Console
```

Replace with:

```markdown
### Claude

- **Standard:** [`ANTHROPIC_API_KEY`](#anthropic_api_key) — static API key from Anthropic Console
- **Keyless alternative:** [`engine.auth` Anthropic WIF](#anthropic-workload-identity-federation-wif) — short-lived OIDC token via federation rule; no long-lived secret on the repo
```

Change 2 — ANTHROPIC_API_KEY section — fix the false "only" claim:

In the ### ANTHROPIC_API_KEY section, the paragraph currently reads:

"CLAUDE_CODE_OAUTH_TOKEN is not supported by GitHub Agentic Workflows. The only supported
authentication method for the Claude engine is ANTHROPIC_API_KEY."

Replace the second sentence with:

"For keyless authentication via Workload Identity Federation, see
Anthropic WIF below."

Change 3 — Add a new ### Anthropic Workload Identity Federation (WIF) subsection

Add this section after the ### ANTHROPIC_API_KEY section:


Anthropic Workload Identity Federation (WIF)

Workload Identity Federation lets workflows authenticate with Anthropic using short-lived
GitHub OIDC tokens instead of a long-lived ANTHROPIC_API_KEY secret. When WIF is active,
the compiler suppresses the static-key requirement and emits AWF_AUTH_ANTHROPIC_* environment
variables consumed by the AWF firewall api-proxy sidecar.

This is the Claude equivalent of the Copilot Azure WIF path in engines.md.

Prerequisites:

  • An Anthropic federation rule configured in your Anthropic workspace (obtain the IDs from your Anthropic Console)
  • permissions: id-token: write in the workflow job

Frontmatter:

```yaml
permissions:
  contents: read
  id-token: write

engine:
  id: claude
  auth:
    type: github-oidc
    provider: anthropic
    federation-rule-id: fdrl_xxxxxxxxxxxx
    organization-id: org_xxxxxxxxxxxx
    service-account-id: svac_xxxxxxxxxxxx
    workspace-id: ws_xxxxxxxxxxxx
```

Fields:

| Field | Description |
| --- | --- |
| federation-rule-id | ID of the Anthropic WIF federation rule (prefix fdrl_) |
| organization-id | Anthropic organization ID (prefix org_) |
| service-account-id | Anthropic service account ID (prefix svac_) |
| workspace-id | Anthropic workspace ID (prefix ws_) |

Emitted environment variables:

The compiler maps each field to an env var passed to the AWF api-proxy sidecar:

| Field | Env var |
| --- | --- |
| provider: anthropic | AWF_AUTH_PROVIDER=anthropic |
| federation-rule-id | AWF_AUTH_ANTHROPIC_FEDERATION_RULE_ID |
| organization-id | AWF_AUTH_ANTHROPIC_ORGANIZATION_ID |
| service-account-id | AWF_AUTH_ANTHROPIC_SERVICE_ACCOUNT_ID |
| workspace-id | AWF_AUTH_ANTHROPIC_WORKSPACE_ID |

2. docs/src/content/docs/reference/engines.md

Change 1 — "Available Coding Agents" table — Claude row:

Current:

```markdown
| [Claude by Anthropic (Claude Code)](https://www.anthropic.com/index/claude) | `claude` | [ANTHROPIC_API_KEY](/gh-aw/reference/auth/#anthropic_api_key) |
```

Replace with:

```markdown
| [Claude by Anthropic (Claude Code)](https://www.anthropic.com/index/claude) | `claude` | [`ANTHROPIC_API_KEY`](/gh-aw/reference/auth/#anthropic_api_key) (standard) or [`engine.auth` Anthropic WIF](/gh-aw/reference/auth/#anthropic-workload-identity-federation-wif) (keyless) |
```

Implementation notes for the agent

  • The Anthropic WIF implementation mirrors the existing Azure WIF structure. Reference
    docs/adr/35939-anthropic-wif-support-in-compiler.md for the full design rationale and
    the normative spec.
  • The canonical fixture is at pkg/cli/workflows/test-claude-wif-anthropic.md and the
    integration test at pkg/cli/compile_wif_anthropic_integration_test.go — use these as
    ground truth for the frontmatter values and emitted env vars.
  • Do not alter the "only supported method" language for CLAUDE_CODE_OAUTH_TOKEN — that
    claim remains accurate. Only the claim that ANTHROPIC_API_KEY is the sole path needs
    correction.
  • Available since: v0.79.6 (2026-06-11).
  • Anthropic's own WIF docs for GitHub Actions are at https://platform.claude.com/docs/en/manage-claude/wif-providers/github-actions — worth linking from the new subsection as the canonical source for federation rule setup.

Follow-on suggestion

Once the gh-aw docs cover Anthropic WIF, it would be worth lobbying Anthropic to add a reciprocal link (or a dedicated section) in their GitHub Actions WIF guide pointing to gh-aw as the structured path for agentic workflows specifically. Right now their docs describe the raw GitHub Actions flow with no mention of gh-aw; users building agentic workflows would benefit from knowing the engine.auth abstraction exists.
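
Added example, not part of the original issue and not gh-aw's own code: a pre-merge lint for the WIF frontmatter proposed above, checking the `id-token: write` permission and the documented ID prefixes, and producing the env vars listed in the issue's table. `CheckAnthropicWIF` and `wifFields` are hypothetical names, and the frontmatter is assumed to be already parsed into string maps.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// wifFields: engine.auth field -> {ID prefix, emitted env var}, both taken from the issue.
var wifFields = map[string][2]string{
	"federation-rule-id": {"fdrl_", "AWF_AUTH_ANTHROPIC_FEDERATION_RULE_ID"},
	"organization-id":    {"org_", "AWF_AUTH_ANTHROPIC_ORGANIZATION_ID"},
	"service-account-id": {"svac_", "AWF_AUTH_ANTHROPIC_SERVICE_ACCOUNT_ID"},
	"workspace-id":       {"ws_", "AWF_AUTH_ANTHROPIC_WORKSPACE_ID"},
}

// CheckAnthropicWIF (hypothetical helper) lints parsed frontmatter: perms is the
// permissions map, auth is engine.auth. Returns env vars and sorted problems.
func CheckAnthropicWIF(perms, auth map[string]string) (map[string]string, []string) {
	if auth["type"] != "github-oidc" || auth["provider"] != "anthropic" {
		return nil, []string{"not an Anthropic WIF config: type/provider mismatch"}
	}
	var problems []string
	env := map[string]string{"AWF_AUTH_PROVIDER": "anthropic"}
	// Without id-token: write the job cannot request a GitHub OIDC token.
	if perms["id-token"] != "write" {
		problems = append(problems, "permissions: id-token must be write")
	}
	for field, spec := range wifFields {
		switch val := auth[field]; {
		case val == "":
			problems = append(problems, field+": missing")
		case !strings.HasPrefix(val, spec[0]) || len(val) == len(spec[0]):
			problems = append(problems, field+": expected prefix "+spec[0])
		default:
			env[spec[1]] = val
		}
	}
	sort.Strings(problems)
	return env, problems
}

func main() {
	// Constructed sample: made-up IDs, wrong workspace prefix, no id-token permission.
	auth := map[string]string{"type": "github-oidc", "provider": "anthropic",
		"federation-rule-id": "fdrl_example", "organization-id": "org_example",
		"service-account-id": "svac_example", "workspace-id": "wrk_example"}
	env, problems := CheckAnthropicWIF(map[string]string{"contents": "read"}, auth)
	fmt.Println(len(env), problems)
}
```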
