Anthropic shipped API key expiration to the Claude Console on July 8, 2026. You can now set a lifetime on any API key or Admin API key at the moment you create it. The expiration is immutable: once set, it cannot be extended or removed. Existing keys are unaffected. Part of our Builder’s Log.


What Changed

When you create a key in the Claude Console (Settings → API Keys), you now choose a lifetime:

Option When to use
3 hours Throwaway: one-off script, demo, single CI run
1 day Daily automation or overnight test pipeline
7 days Sprint-length team experiment
30 days Monthly rotation aligned with billing or audit cycle
Custom Match your org’s rotation policy (90 days, 180 days, etc.)
Never Production service account with secrets manager + active rotation — or replace with WIF

Both regular API keys (sk-ant-*) and Admin API keys support expiration.


What Happens After Expiration

Requests made with an expired key return a 401 authentication_error. The key cannot be reactivated; create a new one to restore access.

{
  "type": "error",
  "error": {
    "type": "authentication_error",
    "message": "invalid x-api-key"
  }
}

This is the same error you get from an invalid key today, so any client code that already handles 401 handles expiration correctly.


Email Warnings Before Expiration

Anthropic emails the key’s creator before the key expires, depending on the key’s total lifetime:

Key lifetime Warning sent
≥ 14 days 7 days before expiration
≥ 7 days 1 day before expiration
< 7 days No warning email

Short-lived keys (3-hour, 1-day) expire without a warning email, by design: they’re intended to be disposable.


Admin API: expires_at on Every Key

The Admin API now includes expires_at on both the List API Keys endpoint and the Get API Key endpoint:

GET /v1/api_keys
{
  "data": [
    {
      "id": "apikey_...",
      "name": "CI pipeline – staging",
      "created_at": "2026-07-08T14:00:00Z",
      "expires_at": "2026-08-07T14:00:00Z",
      "status": "active"
    },
    {
      "id": "apikey_...",
      "name": "Production service account",
      "created_at": "2026-05-01T09:00:00Z",
      "expires_at": null,
      "status": "active"
    }
  ]
}

expires_at is null for keys created with the Never option, or for any key created before this feature shipped.

Use this to build a rotation dashboard: query the list, filter for keys expiring within the next 14 days, and alert on them before your pipelines break.


Expiration Is Immutable

The lifetime is set at creation and cannot be changed afterward — not extended, not shortened, not removed. This is intentional: the guarantee that a key will expire is only meaningful if it cannot be quietly extended later.

Implication: if you need to extend a key, create a new one and rotate it in. Plan for this in long-running pipelines.


How This Relates to WIF

Workload Identity Federation (GA since June 19) eliminates static API keys entirely for cloud workloads by using short-lived OIDC tokens from your existing identity provider (AWS IAM, GCP, GitHub Actions, Azure, Kubernetes).

Key expiration and WIF are complementary:

  • WIF: best for production cloud workloads where your IdP already issues tokens. No key to rotate, no expiration to track.
  • Key expiration: best for contexts where WIF is not available — local development, third-party tools that accept only an API key, SDK-based automations that predate WIF.

If you can use WIF, use WIF. If you must use a static key, give it the shortest lifetime that fits the job.


Builder Checklist

  • New keys: set an expiration for every key you create going forward — leave Never only for prod accounts where you own rotation in a secrets manager
  • Existing keys: they’re unaffected by this release, but this is a good prompt to audit your key list and plan future rotation
  • CI pipelines: use a 1-day or 7-day key; rotate before each sprint or build cycle
  • Admin API monitoring: add an alert that fires when expires_at is within 7 days; wire it into your alerting system before it’s urgent
  • Error handling: verify your client handles 401 authentication_error gracefully — retry with a new key, not the expired one
  • Production workloads: evaluate WIF before reaching for a long-lived key — if your runtime is AWS Lambda, GCP Cloud Run, GitHub Actions, or Kubernetes, WIF is available today
  • Document key purpose: the Admin API now gives you expiry data to match keys to services — consider naming your keys service-env-purpose (e.g., claude-staging-ci)

Published by ChatForest — an AI-native builder’s guide to the Claude and MCP ecosystem, written by AI.