Claude Code supports multiple authentication methods for secure access to AI services, including API keys, OAuth, subscription management, and third-party integrations.
Direct API key authentication for programmatic access.
# Environment variable (recommended)
export ANTHROPIC_API_KEY="sk-ant-api03-..."
# Command line argument (the key is recorded in shell history and visible in process listings)
claude --api-key sk-ant-api03-...
# Configuration file
{
"apiKey": "sk-ant-api03-...",
"model": "claude-3-sonnet-20240229"
}
API Key Features:
Secure storage of API keys using system keychains.
# macOS Keychain storage
# Keys automatically stored in macOS Keychain
# Access controlled by system security
# Linux/Windows secure storage
# Keys stored in encrypted configuration
# OS-level security integration
# Manual key management
claude --set-api-key sk-ant-api03-...
claude --remove-api-key
claude --test-api-key
Storage Security:
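The ways of supplying a key shown above differ in where the literal ends up: a command-line argument lands in shell history and the process list, and a config file or an `export` line in an rc file keeps it as plaintext on disk. As an added example (not part of Claude Code; the characters matched after the `sk-ant-` prefix, the function names and the sample lines are assumptions constructed here), a scanner that finds literal keys in history or config text and reports them redacted:

```typescript
// Added example, not Claude Code's own code. Assumption: a key is recognised by
// the "sk-ant-" prefix shown on this page; the characters allowed after it are a guess.
type Finding = { line: number; kind: string; redacted: string };
const KEY_RE = /sk-ant-[A-Za-z0-9_-]{8,}/g;

// Keep only the prefix and the last four characters so the report never re-leaks a key.
function redact(key: string): string {
  return "sk-ant-..." + key.slice(-4);
}

// Name the exposure path, following the ways this page shows of supplying a key.
function classify(text: string): string {
  if (/--(?:set-)?api-key\b|--validate-key\b/.test(text)) return "cli-argument"; // history, process list
  if (/"apiKey"\s*:/.test(text)) return "config-file";                           // plaintext on disk
  if (/^\s*export\s+\w+=/.test(text)) return "shell-export";                     // rc file or history
  return "other";
}

function scanForKeys(content: string): Finding[] {
  const findings: Finding[] = [];
  content.split("\n").forEach((text, i) => {
    for (const key of text.match(KEY_RE) ?? []) {
      findings.push({ line: i + 1, kind: classify(text), redacted: redact(key) });
    }
  });
  return findings;
}

// Constructed sample: fake keys in the three forms, plus one line that holds no literal.
const SAMPLE = [
  'export ANTHROPIC_API_KEY="sk-ant-api03-EXAMPLEexample0000"',
  "claude --api-key sk-ant-api03-EXAMPLEexample1111",
  '  "apiKey": "sk-ant-api03-EXAMPLEexample2222",',
  'export ANTHROPIC_API_KEY="$(cat /run/secrets/anthropic_key)"',
].join("\n");

console.log(scanForKeys(SAMPLE));
```

The truncated placeholders used on this page (`sk-ant-api03-...`) are too short to match, so documentation snippets do not raise findings.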
OAuth 2.0 flow for secure account-based authentication.
# Initialize OAuth flow
claude --login
# OAuth with specific provider
claude --login --provider anthropic
# OAuth with custom scopes
claude --login --scopes "read write admin"
# Check authentication status
claude --auth-status
OAuth Features:
{
"oauth": {
"clientId": "your-client-id",
"redirectUri": "http://localhost:8080/callback",
"scopes": ["read", "write"],
"tokenEndpoint": "https://api.anthropic.com/oauth/token",
"authEndpoint": "https://api.anthropic.com/oauth/authorize"
}
}
Claude Pro and Claude Max subscription integration.
# Check subscription status
claude --subscription-status
# Upgrade to Claude Max
claude /upgrade --claude-max
# View usage and billing
claude /cost --detailed
# Manage subscription
claude --manage-subscription
Subscription Features:
{
"subscription": {
"plan": "claude-max",
"status": "active",
"features": [
"opus-access",
"priority-bandwidth",
"extended-context",
"advanced-tools"
],
"usage": {
"tokens": 45000,
"limit": 100000,
"resetDate": "2024-02-01T00:00:00Z"
}
}
}
Authentication with cloud providers and services.
# Bedrock authentication
export AWS_BEARER_TOKEN_BEDROCK="your-bedrock-token"
export AWS_REGION="us-west-2"
# Bedrock configuration
{
"provider": "bedrock",
"region": "us-west-2",
"model": "anthropic.claude-3-sonnet-20240229-v1:0"
}
Bedrock Features:
# Vertex AI authentication
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account.json"
export GOOGLE_CLOUD_PROJECT="your-project-id"
# Vertex AI configuration
{
"provider": "vertex",
"project": "your-project-id",
"location": "us-central1",
"model": "claude-3-sonnet@20240229"
}
Vertex AI Features:
GitHub app and OAuth integration for repository access.
# Install GitHub app
claude /install-github-app
# GitHub OAuth login
claude --login --provider github
# Repository permissions
{
"github": {
"permissions": {
"contents": "read",
"pull_requests": "write",
"issues": "write"
},
"repositories": ["owner/repo"]
}
}
GitHub Features:
Comprehensive authentication configuration options.
{
"authentication": {
"method": "oauth",
"provider": "anthropic",
"fallback": "api-key",
"timeout": 30000,
"retryAttempts": 3,
"autoRefresh": true,
"storage": {
"type": "keychain",
"encryptionKey": "user-derived-key"
}
}
}
Configuration Options:
Authentication session handling and persistence.
# View active sessions
claude --list-sessions
# Logout from current session
claude --logout
# Logout from all sessions
claude --logout --all
# Session timeout configuration
{
"session": {
"timeout": 3600,
"autoExtend": true,
"maxDuration": 86400
}
}
Session Features:
Advanced security and compliance features.
{
"security": {
"mfa": {
"enabled": true,
"methods": ["totp", "sms"]
},
"ipRestrictions": [
"192.168.1.0/24",
"10.0.0.0/8"
],
"auditLogging": true,
"sessionEncryption": true,
"keyRotation": {
"enabled": true,
"interval": 2592000
}
}
}
Security Features:
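An added example, not Claude Code's own code: a linter for the `apiKey`, `oauth`, `session` and `security` settings shown on this page, run over the page's own fragments merged into one object. The function name `auditAuthConfig` and the thresholds (a /16 ceiling for `ipRestrictions`, 90 days for `keyRotation.interval`) are assumptions; the CIDR check handles IPv4 only.

```typescript
// Added example, not Claude Code's own code. Field names come from this page's
// JSON fragments; the numeric thresholds are assumptions for illustration.
type Issue = { field: string; problem: string };
const LOOPBACK = ["localhost", "127.0.0.1", "[::1]"];
const MAX_CIDR_ADDRESSES = 65536;     // assumption: flag anything wider than a /16
const MAX_ROTATION_SECONDS = 7776000; // assumption: 90 days

function auditAuthConfig(cfg: any): Issue[] {
  const issues: Issue[] = [];
  const add = (field: string, problem: string) => { issues.push({ field, problem }); };
  // A literal key is plaintext on disk; a ${VAR} reference is resolved at run time.
  if (typeof cfg.apiKey === "string" && !/^\$\{\w+\}$/.test(cfg.apiKey))
    add("apiKey", "literal key in config file");
  // Plain http is acceptable only for a loopback redirect (RFC 8252).
  if (typeof cfg.oauth?.redirectUri === "string") {
    const m = /^(https?):\/\/(\[[^\]]+\]|[^\/:]+)/.exec(cfg.oauth.redirectUri);
    if (!m || (m[1] === "http" && LOOPBACK.indexOf(String(m[2])) < 0))
      add("oauth.redirectUri", "non-loopback redirect without https");
  }
  // autoExtend needs a hard ceiling, and the idle timeout must sit below it.
  const s = cfg.session ?? {};
  if (s.autoExtend && !(s.maxDuration > 0)) add("session.maxDuration", "autoExtend with no ceiling");
  if (s.timeout > s.maxDuration) add("session.timeout", "idle timeout exceeds maxDuration");
  const sec = cfg.security ?? {};
  if (!sec.mfa?.enabled) add("security.mfa", "MFA disabled");
  else if ((sec.mfa.methods ?? []).indexOf("sms") >= 0)
    add("security.mfa.methods", "sms is exposed to SIM swap and interception; prefer totp");
  for (const cidr of (sec.ipRestrictions ?? []) as string[]) {
    const prefix = Number(cidr.split("/")[1]);
    if (!(prefix >= 0 && prefix <= 32) || Math.pow(2, 32 - prefix) > MAX_CIDR_ADDRESSES)
      add("security.ipRestrictions", cidr + " is malformed or wider than a /16");
  }
  const rot = sec.keyRotation ?? {};
  if (!rot.enabled || !(rot.interval <= MAX_ROTATION_SECONDS))
    add("security.keyRotation", "rotation off or interval above 90 days");
  return issues;
}

// Constructed input: this page's oauth, session and security fragments, merged.
const PAGE_CONFIG = {
  oauth: { redirectUri: "http://localhost:8080/callback" },
  session: { timeout: 3600, autoExtend: true, maxDuration: 86400 },
  security: {
    mfa: { enabled: true, methods: ["totp", "sms"] },
    ipRestrictions: ["192.168.1.0/24", "10.0.0.0/8"],
    keyRotation: { enabled: true, interval: 2592000 },
  },
};
console.log(auditAuthConfig(PAGE_CONFIG));
```

On the page's values the linter reports two items: `sms` among the MFA methods and the `10.0.0.0/8` allow-list entry, which admits 16,777,216 addresses.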
Different authentication methods for different environments.
# Development environment
export CLAUDE_ENV=development
export ANTHROPIC_API_KEY=sk-ant-dev-...
# Staging environment
export CLAUDE_ENV=staging
export AWS_BEARER_TOKEN_BEDROCK=staging-token
# Production environment
export CLAUDE_ENV=production
# OAuth-only in production
Environment Configuration:
{
"environments": {
"development": {
"authentication": "api-key",
"apiKey": "${DEV_API_KEY}"
},
"staging": {
"authentication": "bedrock",
"region": "us-west-2"
},
"production": {
"authentication": "oauth",
"requireMFA": true
}
}
}
Debug and resolve authentication issues.
# Test authentication
claude --test-auth
# Validate API key
claude --validate-key sk-ant-api03-...
# Check permissions
claude --check-permissions
# Reset authentication
claude --reset-auth
# Debug authentication flow
claude --debug-auth
Troubleshooting Commands:
Comprehensive error handling for authentication failures.
// Authentication error types
enum AuthError {
INVALID_API_KEY = 'invalid_api_key',
EXPIRED_TOKEN = 'expired_token',
INSUFFICIENT_PERMISSIONS = 'insufficient_permissions',
RATE_LIMITED = 'rate_limited',
NETWORK_ERROR = 'network_error',
MFA_REQUIRED = 'mfa_required'
}
// Error handling patterns
try {
await authenticateUser();
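} catch (error: any) { // typed as any: under strict TypeScript a catch variable is unknown and error.code would not compile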
switch (error.code) {
case AuthError.INVALID_API_KEY:
console.error('Invalid API key. Please check your configuration.');
break;
case AuthError.EXPIRED_TOKEN:
await refreshToken();
break;
case AuthError.INSUFFICIENT_PERMISSIONS:
console.error('Insufficient permissions for this operation.');
break;
default:
console.error('Authentication failed:', error.message);
}
}
Security best practices for authentication setup.
# Best practices checklist:
# 1. Use environment variables for API keys
export ANTHROPIC_API_KEY="sk-ant-api03-..."
# 2. Enable MFA when available
claude --enable-mfa
# 3. Use OAuth for interactive sessions
claude --login
# 4. Rotate keys regularly
claude --rotate-key
# 5. Monitor authentication logs
claude --show-auth-logs
# 6. Use least privilege permissions
{
"permissions": ["read", "basic-write"]
}
# 7. Set session timeouts
{
"session": {"timeout": 3600}
}
Enterprise compliance and auditing features.
{
"compliance": {
"auditLogging": true,
"logRetention": 90,
"ssoIntegration": {
"enabled": true,
"provider": "okta",
"domain": "company.okta.com"
},
"dataResidency": "us-west-2",
"encryptionAtRest": true,
"encryptionInTransit": true
}
}
Compliance Features: