anthropic-auth
A Rust library for Anthropic/Claude OAuth 2.0 authentication with PKCE support.
Provides both synchronous (blocking) and asynchronous (runtime-agnostic) APIs for authenticating with Anthropic's OAuth 2.0 endpoints.
Features
- ✅ Sync & Async APIs - Choose blocking or async based on your needs
- ✅ Runtime Agnostic - Async API works with tokio, async-std, smol, etc.
- ✅ PKCE Support - Secure SHA-256 PKCE authentication flow
- ✅ Two OAuth Modes - Max (subscription) or Console (API key creation)
- ✅ Fully Configurable - Custom client IDs, redirect URIs, ports
- ✅ Browser Integration - Auto-open browser for authorization (default enabled)
- ✅ Callback Server - Optional local server for automatic callback handling
- ✅ API Key Creation - Create API keys via Console OAuth
- ✅ No Token Storage - You control how/where to persist tokens
Installation
[dependencies]
anthropic-auth = "0.1"
Quick Start (Sync API)
Claude Pro/Max Subscription
use ;
API Key Creation
use ;
Quick Start (Async API)
use ;
// or async-std, smol, etc.
async
OAuth Modes
Max Mode (Claude Pro/Max Subscription)
Use this mode if you have a Claude Pro or Claude Max subscription:
let flow = client.start_flow?;
- Authorization endpoint: https://claude.ai/oauth/authorize
- Provides access tokens for Claude API with your subscription
- Best for personal use with existing subscription
Console Mode (API Key Creation)
Use this mode to create API keys programmatically:
let flow = client.start_flow?;
// ... get tokens ...
let api_key = client.create_api_key?;
- Authorization endpoint: https://console.anthropic.com/oauth/authorize
- Creates API keys that can be used independently
- Useful for programmatic access
Feature Flags
| Feature | Description | Default |
|---|---|---|
| `blocking` | Synchronous/blocking API | ✅ Yes |
| `async` | Asynchronous API (runtime-agnostic) | ❌ No |
| `browser` | Auto-open browser for authorization | ✅ Yes |
| `callback-server` | Local server for OAuth callback (requires tokio) | ❌ No |
| `full` | Enable all features | ❌ No |
Enable async API:
[dependencies]
anthropic-auth = { version = "0.1", features = ["async"] }
Enable callback server (full automation):
[dependencies]
anthropic-auth = { version = "0.1", features = ["callback-server"] }
tokio = { version = "1", features = ["full"] }
Custom Configuration
use ;
let config = builder
.client_id
.redirect_port // Custom port
.build;
let client = new?;
Examples
See the examples/ directory for complete working examples:
- max_subscription_sync.rs - Claude Pro/Max OAuth (sync)
- console_api_key_sync.rs - API key creation (sync)
Run examples with:
Authorization Response Format
Anthropic returns authorization responses in the format code#state. The library parses this automatically and validates the state for CSRF protection:
// User receives: "abc123#xyz789"
// Library parses it and validates state matches flow.state
let tokens = client.exchange_code?;
// Or if you've already separated them:
let tokens = client.exchange_code?;
Important: The state parameter is used for CSRF protection. The library validates that the state returned by Anthropic matches the state originally sent in the authorization URL.
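The parse-and-validate step described above, sketched as an added example; it is not the library's own code. The names `CallbackError`, `split_response` and `checked_code` are hypothetical, and the comparison is written to fail closed when the state is missing or empty.

```rust
// Added illustration: names below are hypothetical, not the anthropic-auth API.
#[derive(Debug, PartialEq)]
pub enum CallbackError {
    MissingCode,
    MissingState,
    StateMismatch,
}

/// Compare without an early exit so timing does not reveal the matching prefix length.
fn ct_eq(a: &str, b: &str) -> bool {
    let (a, b) = (a.as_bytes(), b.as_bytes());
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Split a pasted "code#state" value; the state half is None when there is no '#'.
pub fn split_response(raw: &str) -> (&str, Option<&str>) {
    match raw.trim().split_once('#') {
        Some((code, state)) => (code, Some(state)),
        None => (raw.trim(), None),
    }
}

/// Return the authorization code only if the returned state equals the one
/// generated when the flow started. `separate_state` covers callers that
/// already split the two values themselves.
pub fn checked_code<'a>(
    raw: &'a str,
    separate_state: Option<&'a str>,
    expected_state: &str,
) -> Result<&'a str, CallbackError> {
    let (code, embedded) = split_response(raw);
    let state = embedded.or(separate_state).ok_or(CallbackError::MissingState)?;
    if code.is_empty() {
        return Err(CallbackError::MissingCode);
    }
    if state.is_empty() || !ct_eq(state, expected_state) {
        return Err(CallbackError::StateMismatch);
    }
    Ok(code)
}

fn main() {
    // Constructed sample values, same shape as the page's "abc123#xyz789".
    println!("{:?}", checked_code("abc123#xyz789", None, "xyz789"));
    println!("{:?}", checked_code("abc123#forged", None, "xyz789"));
}
```

A rejected response should end the flow: start a new one with fresh PKCE and state values rather than retrying the exchange with the same code.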
API Overview
Sync API (blocking)
let client = new?;
// Start flow (generates PKCE and state, returns auth URL)
let flow = client.start_flow?;
// Exchange code for tokens (parses "code#state" format automatically)
let tokens = client.exchange_code?;
// Refresh expired tokens
let new_tokens = client.refresh_token?;
// Create API key (Console mode only)
let api_key = client.create_api_key?;
Async API (runtime-agnostic)
let client = new?;
// Start flow (still sync - no I/O)
let flow = client.start_flow?;
// Async methods
let tokens = client.exchange_code.await?;
let new_tokens = client.refresh_token.await?;
let api_key = client.create_api_key.await?;
Browser Integration
use open_browser;
let flow = client.start_flow?;
open_browser?; // Opens user's default browser
Token Storage
This library intentionally does not handle token persistence. You should store tokens securely based on your application's needs.
Recommended approaches:
- System Keychain: Use the `keyring` crate
- Encrypted Files: Encrypt tokens before writing to disk
- Environment Variables: For development/testing only