Get access to the Compliance API

Request Compliance API access for your organization, then create a Compliance Access Key (with scoped permissions) or an Admin API key, and learn which to use.

The Compliance API uses two key types, and which one you create depends on which Claude product your organization uses. Primary owners create Compliance Access Keys in claude.ai; these keys unlock the full Compliance API. Organization admins create Admin API keys in Claude Console; these keys unlock the Activity Feed only.

Which key do you need?

A Claude Enterprise tenant has one parent organization that centralizes identity, SSO, and SCIM for every workload organization beneath it. These workload organizations are the parent's linked organizations.

Request Compliance API access

Contact your Anthropic representative to request access. Enablement happens at the parent organization level and cascades to every linked organization, both claude.ai and Claude Console. What changes after enablement depends on which Claude product your organization uses.

After enablement: claude.ai organizations

After Anthropic enables the Compliance API for your parent organization, a Compliance access keys section appears at claude.ai > Organization settings > Data and privacy. The primary owner can then create Compliance Access Keys.

After enablement: Claude Console organizations

After Anthropic enables the Compliance API for your parent organization, Admin API keys created from then on carry the read:compliance_activities scope. Admin API keys created before enablement continue to work with the Admin API, but calling the Activity Feed with one returns 403 Forbidden; create a new Admin API key to pick up the scope.

Create a Compliance Access Key

1. Sign in as the primary owner

   Only the primary owner of the parent organization can create Compliance Access Keys. If the Compliance access keys section described in the next step is not visible, either you are not the primary owner, or the Compliance API has not been enabled for your organization yet (see Request Compliance API access).

2. Open Data and privacy settings

   Go to claude.ai > Organization settings > Data and privacy and find the Compliance access keys section.

3. Create the key

   Click Create key, name the key, and select one or more scopes from the following table. Click Create.

   Scope	Grants
   read:compliance_activities	Read the Activity Feed for the parent organization and all linked organizations
   read:compliance_user_data	Read user chats, messages, files, projects, organization users, and group members
   delete:compliance_user_data	Delete user chats, files, and projects
   read:compliance_org_data	Read organization metadata (names, types, roles, and groups). User listings and group membership require read:compliance_user_data.

   Choose the smallest scope set that your integration needs:

   • An audit pipeline that reads the Activity Feed only needs read:compliance_activities.
   • An eDiscovery tool that reads chats and files but never deletes them does not need delete:compliance_user_data.
   • If your workflow both reads and deletes, use two keys with separate scopes so a leaked read key cannot delete data.

   Compliance Access Key scopes are immutable after creation. To change scopes, create a new key with the scopes you want, then delete the old one.

4. Copy and store the secret

   Copy the displayed secret key (starting with sk-ant-api01-) and store it in your secrets manager. The full secret is displayed only once.

5. Export the key for the examples in this guide

   Set the key as an environment variable so the shell samples in this guide can read it:

   export ANTHROPIC_COMPLIANCE_ACCESS_KEY=sk-ant-api01-...
   

Create an Admin API key

1. Sign in as an organization admin

   Only an organization member with the admin role can create Admin API keys. See Organization roles and permissions for the full role list.

2. Open Admin keys settings

   Go to Claude Console > Settings > Admin keys.

3. Create the key

   Click Create key, name the key, and click Create.

4. Copy and store the secret

   Copy the displayed secret key (starting with sk-ant-admin01-) and store it in your secrets manager. The full secret is displayed only once.

5. Export the key for use with the Activity Feed

   Set the key as an environment variable:

   export ANTHROPIC_ADMIN_KEY=sk-ant-admin01-...
   

   The distinct variable name keeps the Admin API key from overwriting a Compliance Access Key if you provision both. The cURL examples in this guide read the key from $ANTHROPIC_COMPLIANCE_ACCESS_KEY; substitute $ANTHROPIC_ADMIN_KEY when calling the Activity Feed with an Admin API key.

Admin API keys carry the read:compliance_activities scope only when the Compliance API was enabled for the organization before the key was created; see After enablement: Claude Console organizations. They cannot be granted any other Compliance API scope, so calls to any endpoint other than the Activity Feed return 403 Forbidden.

For the same key's role in managing your Claude Console organization, see Admin API.

Check your key's scopes

To inspect the scopes on a key you already have, use one of the following signals.

• Key prefix. sk-ant-admin01- is an Admin API key (carries read:compliance_activities only, subject to the enablement timing in the preceding section). sk-ant-api01- is a Compliance Access Key; its scopes are the subset you selected at creation.
• Settings UI. Open the Compliance access keys section in claude.ai > Organization settings > Data and privacy, or the Admin keys section in Claude Console > Settings > Admin keys, and read the Scopes column for the key.
• Error responses. A call that exceeds the key's scopes returns a 403 with a message in the format Missing required scopes. Got: [<scopes the key carries>] Needed: [<scopes the endpoint requires>]. See Handle Compliance API errors for the full error catalog.

{
  "error": {
    "type": "permission_error",
    "message": "Missing required scopes. Got: ['read:compliance_activities'] Needed: ['read:compliance_user_data']"
  }
}

Manage and rotate keys

Delete a Compliance Access Key from the same Compliance access keys panel where you created it: go to claude.ai > Organization settings > Data and privacy. Delete an Admin API key from Claude Console > Settings > Admin keys.

Deleting a key takes effect on the next request: there is no grace period. Compliance Access Keys do not expire on their own.

To rotate a key without an outage:

1. Create a new key with the same scopes.
2. Update your integration to use the new key.
3. Verify the integration succeeds with the new key.
4. Delete the old key.

Pagination cursors stored before a rotation remain valid: cursors are scoped to the organization, not the key.

If a Compliance Access Key leaks, delete it immediately, audit the Activity Feed for compliance_api_accessed activities by the compromised key, and rotate any downstream credentials that the leaked key could reach. Pass activity_types[]=compliance_api_accessed to scope the query, then in your client, keep the activities whose actor.type is api_actor and whose actor.api_key_id matches the compromised key; see Understand the Activity object for the actor schema.

Next steps