What header does the Claude API use for authentication?

The Claude API uses a custom header named x-api-key (lowercase), not the standard Authorization: Bearer pattern used by OpenAI. Sending Authorization: Bearer sk-ant-... will return a 401. The correct header is x-api-key: sk-ant-... You must also include anthropic-version: 2023-06-01 (or later) in every request.

My Anthropic API key is new but I'm getting a 401. Why?

Newly created Anthropic API keys may not be immediately active. There is typically a brief activation period after a key is created, especially on new accounts. Wait a few minutes and try again. If the 401 persists after 10 minutes, the account may not be fully activated — check console.anthropic.com for any pending verification or payment steps.

What does the Claude API 401 error JSON look like?

The response body is: {"type": "error", "error": {"type": "authentication_error", "message": "invalid x-api-key"}}. The error type is always authentication_error for 401s. There is no code field like OpenAI's — the type field is the discriminator.

How do I rotate a Claude API key safely?

Create the new key first in console.anthropic.com before revoking the old one. Update all references (env vars, secrets managers, CI/CD) to the new key. Verify the new key works with a test request. Then revoke the old key. Never revoke first — there is no grace period and the old key stops working immediately.

Claude API `authentication_error` (HTTP 401): 5 causes in diagnostic order

HTTP 401 from the Anthropic Claude API means the server rejected your authentication credentials. Unlike OpenAI's API which uses standard Authorization: Bearer headers, Claude has its own authentication header — and that mismatch is the most commonly missed cause. This page covers the five causes in the order you should check them, the exact error JSON you'll see, a curl command to test the key in isolation, and how to rotate keys safely.

The 30-second answer

The header name matters: Claude uses x-api-key, not Authorization: Bearer. This is the most common gotcha when migrating from OpenAI.
Test with curl first: curl https://api.anthropic.com/v1/messages -H "x-api-key: $ANTHROPIC_API_KEY" -H "anthropic-version: 2023-06-01" ...
New keys: freshly created keys may take a few minutes to activate. A 401 on a brand-new key is often transient.
Rotate safely: create the new key before revoking the old one — never the other way around.

What the error looks like

The Claude API 401 response body:

HTTP/1.1 401 Unauthorized
{
  "type": "error",
  "error": {
    "type": "authentication_error",
    "message": "invalid x-api-key"
  }
}

Note the structure: the top-level type field is "error", and the inner error.type is "authentication_error". This is different from OpenAI's error format where the discriminator is error.code. In the Anthropic Python SDK this raises an anthropic.AuthenticationError exception. In the TypeScript/Node SDK it's an AuthenticationError from the SDK's error module.

Claude's full error code table for reference:

Status	Error type	Meaning
400	`invalid_request_error`	Malformed request or invalid parameters
401	`authentication_error`	API key invalid, missing, or not yet active
403	`permission_error`	Key doesn't have access to the requested resource
404	`not_found_error`	Resource not found
429	`rate_limit_error`	Your account hit its rate limit
500	`api_error`	Internal Anthropic error
529	`overloaded_error`	Anthropic's API is temporarily overloaded

Cause 1: Invalid or deleted API key

The key doesn't exist in Anthropic's system — either it was never saved correctly after creation, or it was deleted. Go to console.anthropic.com/settings/keys and check whether the key prefix matches anything in the list. If not, the key is gone and you need to generate a new one.

Anthropic API keys start with sk-ant-. If your key starts with something else, you may have copied the wrong credential or a key from a different service.

Fix: create a new key, save it immediately, and update all references. Anthropic shows the full key only once at creation time.

Cause 2: Key created but not yet activated

New Anthropic API keys — particularly on new accounts or accounts that haven't completed billing setup — can take a few minutes to become active in Anthropic's auth system. A 401 within the first few minutes of key creation does not necessarily mean the key is wrong.

Fix: wait 5 minutes and retry. If the 401 persists, check console.anthropic.com for any pending verification steps, payment method requirements, or account holds. A new account that hasn't added a payment method will not have a functional API key.

Cause 3: Wrong header name — must be `x-api-key`, not `Authorization: Bearer`

This is the most common cause for developers coming from the OpenAI ecosystem. OpenAI uses the standard OAuth2 Bearer pattern:

# OpenAI — DO NOT use this for Anthropic
Authorization: Bearer sk-...

The Anthropic Claude API uses a custom header:

# Anthropic Claude — correct
x-api-key: sk-ant-...
anthropic-version: 2023-06-01

If you send Authorization: Bearer sk-ant-... to api.anthropic.com, you will get a 401 even if the key is perfectly valid. There's no fallback — Anthropic's API only reads x-api-key.

Additionally, the anthropic-version header is required in every request. Omitting it will return a 400 rather than a 401, but it's worth confirming both headers are present.

Fix: change your authentication header from Authorization: Bearer ... to x-api-key: .... If you're using the official Anthropic SDK, this is handled automatically — the SDK always sets the right header.

Cause 4: Key scope restriction

Anthropic supports workspace-scoped API keys that are restricted to specific models or capabilities. If an admin created a restricted key for you, attempting to call a model or endpoint outside that scope returns a 401 or 403.

Fix: check with your org admin whether the key has restrictions. At console.anthropic.com/settings/keys, key restrictions are visible in the key's detail view. If you need broader access, request a new key or adjust the scope.

Cause 5: Organization key vs. personal key mismatch

Anthropic workspaces have both personal keys and workspace-level keys. Depending on how your workspace is configured, a personal key may not have access to the workspace's billing quota or to models that are only available to the workspace. Conversely, a workspace key sent from a context that doesn't match the workspace membership can also produce auth failures.

Fix: confirm at console.anthropic.com/settings that the key you're using belongs to the workspace you expect. If you're operating in a team environment, use a workspace-level key rather than a personal one for shared infrastructure.

How to test the key with a raw curl command

Always rule out application-layer issues by testing the key directly before debugging code:

curl https://api.anthropic.com/v1/messages \
  -H "x-api-key: $ANTHROPIC_API_KEY" \
  -H "anthropic-version: 2023-06-01" \
  -H "content-type: application/json" \
  -d '{
    "model": "claude-haiku-4-5",
    "max_tokens": 16,
    "messages": [{"role": "user", "content": "Hi"}]
  }'

A valid key returns HTTP 200 and a JSON completion. A 401 here means the key itself is the problem — work through causes 1–3 above. A 200 here but 401 in your application means your code is sending a different key than the one in your environment, or using the wrong header name.

To test a key string explicitly instead of from the env var:

curl https://api.anthropic.com/v1/messages \
  -H "x-api-key: sk-ant-YOUR_KEY_HERE" \
  -H "anthropic-version: 2023-06-01" \
  -H "content-type: application/json" \
  -d '{"model":"claude-haiku-4-5","max_tokens":16,"messages":[{"role":"user","content":"ping"}]}'

How to rotate Claude API keys safely

Key rotation is the right move after a suspected leak, as part of a regular security rotation, or when updating credentials across infrastructure. The safe sequence:

Create the new key first at console.anthropic.com/settings/keys. Do not revoke anything yet.
Update all references — environment variables, secrets managers (AWS Secrets Manager, HashiCorp Vault, etc.), CI/CD pipeline secrets, any hardcoded references. Use the new key value.
Verify the new key works with the curl command above. Confirm your application is returning 200s with the new key in all environments.
Revoke the old key. It becomes invalid immediately — there is no grace period. Ensure everything is on the new key before this step.

If you suspect a key was compromised (e.g., committed to a public repo), reverse steps 1 and 4: revoke immediately to stop the leak, then create a new key. Accept the brief outage rather than leaving a known-compromised key active.

FAQ

Does Anthropic auto-revoke leaked keys like OpenAI does? Anthropic has mechanisms to detect keys committed to public repositories, similar to GitHub's secret scanning. Treat any key that has been in a public repo as revoked regardless — rotate immediately.

Is the Anthropic API key the same as the Claude.ai account password? No. API keys at console.anthropic.com are separate from Claude.ai login credentials. They are managed independently and cannot be used interchangeably.

Can I use the same key across multiple apps? Yes, but for security it's better practice to create one key per application so you can revoke a single key if one app is compromised without affecting others.

Last updated June 2, 2026. Error codes and header requirements verified against Anthropic's official API documentation. Anthropic may change these over time — confirm specifics in the current docs before relying on them in production.

Claude API authentication_error (HTTP 401): 5 causes in diagnostic order