<aside> 🤖 🤖 Auto-generated by Integration Spec Generator · 2026-04-02 · Source: mixed · Spec: https://storage.googleapis.com/stainless-sdk-openapi-specs/anthropic%2Fanthropic-efe26b096126c693462514b8cbd3ec3e376569232becbfb730cd26fb31c7c7e3.yml

</aside>

1. Overview

🎯 Anthropic Claude is an AI assistant and inference platform. From an identity security perspective, the platform manages two identity surfaces: human organization members (with org-level roles) and workspace members (with workspace-scoped roles), plus Non-Human Identities in the form of API keys scoped to organizations and workspaces. There is no RBAC system with discrete role objects - roles are inline enumerations on user and workspace-member records.

Anthropic’s Claude utilizes a fractured, Dual-Engine IAM architecture. To build a comprehensive Identity Graph, the system must integrate with two completely decoupled APIs:

  1. The SCIM v2 API (Human Lifecycle): Used exclusively for human user ingestion, provisioning, and deprovisioning.
  2. The Admin API (Machine & Workspace Operations): Used for managing Workspaces (Groups), enumerating API Keys (NHIs), and determining workspace-level access.

🚨 The Enterprise SCIM Gate - SCIM functionality is strictly gated behind Anthropic's highest Enterprise tier. For lower-tier customers, SCIM endpoints return 403 Forbidden. The integration must gracefully detect this and selectively disable account lifecycle remediation features in the system if SCIM is unavailable.

Execution Flow (Recommended Sync Order):

  1. Accounts & System Roles (SCIM API): Ingest human users first. Extract global organizational roles concurrently to map Account -> Role edges.
  2. Groups / Workspaces (Admin API): Fetch Workspaces. In Anthropic, Workspaces act as the primary grouping boundary.
  3. Resources / NHIs (Admin API): Fetch API Keys mapped to each Workspace. Treat these as critical Service Accounts.
  4. Access Edges (Admin API): Fetch Workspace Memberships (GET /workspaces/{id}/members) to build Account -> Group edges and resolve inline workspace-scoped roles.

2. Authentication

🎯 The Bottom Line: Because the integration spans two separate engines (Admin API and SCIM), the system requires two distinct authentication mechanisms. Don’t attempt to use standard user API keys (inference keys) for integration tasks.

Property Value Notes
Admin API Auth x-api-key header Requires an Admin API Key manually provisioned via the Claude Console.
Format must be sk-ant-admin....
SCIM Auth Authorization: Bearer <token> Requires an application-only Bearer Token. This is typically generated during the IdP (e.g., Azure Entra / Okta) SCIM setup process and is mandatory for account lifecycle actions.

Required Scopes: Admin API keys do not utilize OAuth scopes, as they inherently grant Org-wide permissions.

3. Rate Limits

🎯 The Bottom Line: Both the Admin API and SCIM API are aggressively rate-limited based on the organization's enterprise tier. Because the system is performing identity synchronization and not AI model inference, token-based limits (input/output tokens) do not apply. However, standard HTTP request limits are strictly enforced using a Token Bucket algorithm. → Official Docs