Skip to content
Rush Commerce
Software & Dev3 min read

Anthropic added API key expiration — scope your AI keys

Anthropic now lets you set expirations on Claude API keys. With prompt injection turning agents into exfiltration tools, treat AI keys like production secrets.

Anthropic just made a small change to the Claude Console with a bigger message behind it: you can now set an expiration when you create an API key. Boring on its face. But an AI API key isn't a low-stakes secret anymore — it's a live credential that an agent, a poisoned document, or an MCP server can be tricked into handing to someone else. Native expiration is the platform quietly telling you to stop treating these keys like they're forever.

What actually happened

Per Anthropic's release notes, you can now set an expiration when creating an API key or Admin API key in the Console — a preset, a custom duration, or "Never." For any key with a lifetime of at least seven days, Anthropic emails the creator before it expires, and the Admin API now reports each key's expires_at so you can audit programmatically. Existing keys are untouched, so nothing rotates out from under you.

The reason this matters shows up in the threat research. OWASP's State of Agentic AI Security and Governance v2.01 maps prompt injection to six of the ten entries in its Top 10 for agentic apps — because a model treats the system prompt, the user's request, and any text it retrieves from the web or a file as one undifferentiated stream of tokens. Simon Willison's "lethal trifecta" names the danger: an agent with access to private data, exposure to untrusted content, and a way to communicate out is, by construction, an exfiltration tool. Your API key is exactly the kind of thing it can be talked into leaking.

Why it matters for your business

If you've wired Claude, or any LLM, into your ops — a support bot, an automation, an MCP server pulling from your systems — you're now holding a credential that maps to real spend and real access. Treat it like a production database password, not a throwaway token. That means scoping keys to the narrowest job, rotating them on a schedule, and never pasting a long-lived key into a tool you don't fully trust to read only what you intended.

Anthropic just removed the excuse for the rotation part: set an expiration, get the reminder email, cycle the key. Pair that with the basics — separate keys per app so you can kill one without breaking the rest, an audit of who holds what via expires_at, and Meta's "Agents Rule of Two" as a design rule (an autonomous agent should have at most two of: private-data access, untrusted-content exposure, external communication — all three needs a human in the loop). The convenience of handing an agent your keys is real. So is the day it hands them to someone else.

Key takeaways

  • Anthropic now supports expirations on Claude API and Admin API keys — preset, custom, or Never — with reminder emails and an expires_at field for auditing
  • AI API keys are high-value secrets: prompt injection maps to 6 of OWASP's 10 agentic risks, and agents can be tricked into leaking credentials
  • Scope keys narrowly, use a separate key per app, and set expirations so rotation is automatic instead of aspirational
  • Apply the "Rule of Two": an agent with private data, untrusted input, and outbound comms all at once needs a human in the approval path

Wired an AI agent into your systems without a credential plan? We scope keys to least privilege, set rotation and expiry, and lock down what each agent can read and reach. See how we build safe AI systems or book a review.

Sources: Anthropic release notes, Help Net Security / OWASP.

  • #ai-security
  • #api-keys
  • #mcp
  • #credential-hygiene
  • #prompt-injection
TR

Tommy Rush — Founder, Rush Commerce

Operator turned builder. 15+ years running operations — now shipping the systems businesses run on. More

Get The Rush Report weekly — one email, zero fluff.