Anthropic quietly shipped the security control most teams keep meaning to build and never do: your Claude API keys can now expire on their own. When you create a key in the Console — a regular API key or an Admin API key — you pick a lifetime up front. The presets are 3 hours, 1 day, 7 days, or 30 days; you can type a custom duration; or you can choose Never and keep the old long-lived behavior. That's the entire feature, and it's more important than it looks.
Here's why it matters in one sentence: a leaked 7-day key is a bad weekend, and a leaked Never key is a bad quarter. Every API key you've ever pasted into an .env, a CI secret, or a Slack DM to your co-founder has been, until now, immortal. This turns the default from lives forever unless you remember to revoke it into dies on a date you chose. For a solo founder with no security team, that inversion is the single biggest cut to blast radius on offer — and it's free.
The one thing that will bite you: expiration is immutable#
Read this before you set anything: a key's expiration is chosen at creation and cannot be changed afterward. There is no "extend by 30 days" button. There is no edit control. Once a key is minted with a 7-day life, day 7 is the day it stops working, full stop.
That is a feature, not a bug, but it reshapes how you have to operate. The model is rotation, not renewal:
- Mint a new key with a fresh lifetime.
- Deploy it alongside the old one — both valid at once.
- Cut traffic over and verify.
- Let the old key expire on its own schedule (or revoke it now).
If your service reads its key from a single env var with no overlap window, a short lifetime doesn't harden your setup — it just schedules an outage. The whole game is building step 2, the overlap, so that expiry is a non-event. This is the same discipline as any other credential lifecycle, and it's why secrets management for AI agents stops being optional the moment you have more than one key in more than one place.
"Expiration" here doesn't mean "renewable lease." It means "planned death." You don't extend the key — you replace it, on a calendar, before it dies.
Make it auditable: the expires_at field#
The part that makes this operable rather than scary is in the Admin API. The List API Keys and Get API Key endpoints now return an expires_at timestamp for every key — and it's null for keys created without an expiration. That one field is the difference between rotating on your schedule and finding out from a 401 in production.
The move is a boring weekly cron that lists your keys and flags anything expiring inside your rotation window:
import anthropic, datetime
admin = anthropic.Anthropic(api_key=ADMIN_KEY) # admin-scoped key
soon = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=5)
for key in admin.api_keys.list(): # List API Keys
exp = key.expires_at # ISO timestamp, or None
if exp and datetime.datetime.fromisoformat(exp) < soon:
print(f"ROTATE SOON: {key.name} ({key.id}) expires {exp}")
if exp is None:
print(f"NO EXPIRY: {key.name} ({key.id}) — is this in a secrets manager?")
Anthropic will also email you — but read the timing carefully, because it depends on the lifetime you chose. Keys created to live at least 14 days get a heads-up 7 days before expiry; keys created to live at least 7 days get one 1 day before. Shorter keys may get nothing. And the mail goes to a single person: the key's creator. That's a fine reminder and a terrible alerting strategy. Page on the expires_at field; treat the email as a courtesy.
What to actually set#
For a founder or small team, the defaults that work:
- 7 days for anything CI or a dev laptop holds — you already run jobs there, so bolt rotation onto one of them.
- 30 days for a small prod service you rotate by hand — a monthly calendar reminder is a cadence humans actually keep, and it caps any leak at ~30 days.
- Never only for keys that live inside a real secrets manager (Vault, AWS or GCP Secrets Manager, Doppler, Infisical) that rotates them for you. At that point the manager is your expiry mechanism, and a static
Neverkey with no manager behind it is just the old footgun with a new label.
Admin API keys deserve the shortest lifetimes you can tolerate, not the longest — they can mint and revoke other keys and change org settings, so a leaked admin key is the one that turns a bad weekend into a bad quarter. And if you run a team, set an organization maximum-expiration policy: the Console then caps every preset and custom duration at your maximum and removes Never entirely, so nobody can quietly mint an immortal key again. Pair short keys with a cheap agent stack — the kind of setup in Claude Sonnet 5 for cheaper agents — and your secrets hygiene finally costs less than the incident it prevents.
The feature is small. The habit it enables — keys that die on schedule, rotated before they do — is the one that separates teams that get breached from teams that get a calendar reminder.



