Home › Sources › Authentication

Authentication

Tags

official-docs claude-code-cli

Content

Documentation Index

Fetch the complete documentation index at: https://code.claude.com/docs/llms.txt Use this file to discover all available pages before exploring further.

Authentication

Log in to Claude Code and configure authentication for individuals, teams, and organizations.

Claude Code supports multiple authentication methods depending on your setup. Individual users can log in with a Claude.ai account, while teams can use Claude for Teams or Enterprise, the Claude Console, or a cloud provider like Amazon Bedrock, Google Vertex AI, or Microsoft Foundry.

Log in to Claude Code

After installing Claude Code, run claude in your terminal. On first launch, Claude Code opens a browser window for you to log in.

If the browser doesn't open automatically, press c to copy the login URL to your clipboard, then paste it into your browser.

If your browser shows a login code instead of redirecting back after you sign in, paste it into the terminal at the Paste code here if prompted prompt.

You can authenticate with any of these account types:

To log out and re-authenticate, type /logout at the Claude Code prompt.

If you're having trouble logging in, see authentication troubleshooting.

Set up team authentication

For teams and organizations, you can configure Claude Code access in one of these ways:

Claude for Teams or Enterprise

Claude for Teams and Claude for Enterprise provide the best experience for organizations using Claude Code. Team members get access to both Claude Code and Claude on the web with centralized billing and team management.

Subscribe to Claude for Teams or contact sales for Claude for Enterprise.

Invite team members from the admin dashboard.

Team members install Claude Code and log in with their Claude.ai accounts.

Claude Console authentication

For organizations that prefer API-based billing, you can set up access through the Claude Console.

Use your existing Claude Console account or create a new one.

You can add users through either method:

* Bulk invite users from within the Console: Settings -> Members -> Invite
* [Set up SSO](https://support.claude.com/en/articles/13132885-setting-up-single-sign-on-sso)

When inviting users, assign one of:

* **Claude Code** role: users can only create Claude Code API keys
* **Developer** role: users can create any kind of API key

Each invited user needs to:

* Accept the Console invite
* [Check system requirements](https://code.claude.com/en/setup#system-requirements)
* [Install Claude Code](https://code.claude.com/en/setup#install-claude-code)
* Log in with Console account credentials

Cloud provider authentication

For teams using Amazon Bedrock, Google Vertex AI, or Microsoft Foundry:

Follow the Bedrock docs, Vertex docs, or Microsoft Foundry docs.

Distribute the environment variables and instructions for generating cloud credentials to your users. Read more about how to manage configuration here.

Users can install Claude Code.

Credential management

Claude Code securely manages your authentication credentials:

apiKeyHelper, ANTHROPIC_API_KEY, and ANTHROPIC_AUTH_TOKEN apply to terminal CLI sessions only. Claude Desktop and remote sessions use OAuth exclusively and do not call apiKeyHelper or read API key environment variables.

Authentication precedence

When multiple credentials are present, Claude Code chooses one in this order:

  1. Cloud provider credentials, when CLAUDE_CODE_USE_BEDROCK, CLAUDE_CODE_USE_VERTEX, or CLAUDE_CODE_USE_FOUNDRY is set. See third-party integrations for setup.
  2. ANTHROPIC_AUTH_TOKEN environment variable. Sent as the Authorization: Bearer header. Use this when routing through an LLM gateway or proxy that authenticates with bearer tokens rather than Anthropic API keys.
  3. ANTHROPIC_API_KEY environment variable. Sent as the X-Api-Key header. Use this for direct Anthropic API access with a key from the Claude Console. In interactive mode, you are prompted once to approve or decline the key, and your choice is remembered. To change it later, use the "Use custom API key" toggle in /config. In non-interactive mode (-p), the key is always used when present.
  4. apiKeyHelper script output. Use this for dynamic or rotating credentials, such as short-lived tokens fetched from a vault.
  5. CLAUDE_CODE_OAUTH_TOKEN environment variable. A long-lived OAuth token generated by claude setup-token. Use this for CI pipelines and scripts where browser login isn't available.
  6. Subscription OAuth credentials from /login. This is the default for Claude Pro, Max, Team, and Enterprise users.

If you have an active Claude subscription but also have ANTHROPIC_API_KEY set in your environment, the API key takes precedence once approved. This can cause authentication failures if the key belongs to a disabled or expired organization. Run unset ANTHROPIC_API_KEY to fall back to your subscription, and check /status to confirm which method is active.

Claude Code on the Web always uses your subscription credentials. ANTHROPIC_API_KEY and ANTHROPIC_AUTH_TOKEN in the sandbox environment do not override them.

Generate a long-lived token

For CI pipelines, scripts, or other environments where interactive browser login isn't available, generate a one-year OAuth token with claude setup-token:

```bash theme={null} claude setup-token


The command walks you through OAuth authorization and prints a token to the terminal. It does not save the token anywhere; copy it and set it as the `CLAUDE_CODE_OAUTH_TOKEN` environment variable wherever you want to authenticate:

```bash theme={null}
export CLAUDE_CODE_OAUTH_TOKEN=your-token

This token authenticates with your Claude subscription and requires a Pro, Max, Team, or Enterprise plan. It is scoped to inference only and cannot establish Remote Control sessions.

Bare mode does not read CLAUDE_CODE_OAUTH_TOKEN. If your script passes --bare, authenticate with ANTHROPIC_API_KEY or an apiKeyHelper instead.