Anthropic Admin APIs

The Anthropic Admin APIs including Claude usage, compliance and admin.

The Omnata Plugin for Anthropic Admin APIs pulls administrative, compliance, and usage data from Anthropic into Snowflake. It uses two Anthropic API surfaces:

The Admin API (/v1/organizations/*) — workspaces, console users, API keys, invites, rate limits, and Anthropic Console usage and cost reporting (including a per-actor Claude Code usage report).
The Compliance API (/v1/compliance/*) — Anthropic's enterprise compliance feed: activities, directory data (orgs / users / roles / groups), claude.ai projects, and per-user chat metadata.

You can connect with either key, or both. Stream availability depends on which key(s) you provide on the connection. This plugin support inbound syncs only.

Prerequisites

Anthropic

You need one or both of the following keys, depending on which streams you want to sync.

Admin API Key (sk-ant-admin01-...)

Created by an Anthropic Console organization owner under Settings → Admin Keys.
Required scope: the Admin API key is itself the scope — it grants the Admin API endpoints listed above to its holder.

Compliance Access Key (sk-ant-api01-...)

Issued by Anthropic as part of the Compliance API programme. Compliance API access is an Enterprise Plan feature and must be enabled on your Anthropic organization — contact your Anthropic account team if you don't yet have access.
See Anthropic's Compliance API access provisioning documentation for the request flow.

Each key unlocks a different set of streams in this plugin. Provide both keys if you want full coverage across the Admin API and Compliance API surfaces.

Authentication

The plugin has one connection method, API Keys, with two optional fields. At least one must be populated.

Field

Notes

Compliance Access Key

Format sk-ant-api01-.... Stored as a secret in Snowflake. Unlocks the Compliance API streams (see below).

Admin API Key

Format sk-ant-admin01-.... Stored as a secret in Snowflake. Unlocks the Admin API streams (see below).

Inbound Syncs

The streams listed in the configuration UI are gated by which key you supplied. If you provide only one key, only that key's streams appear. If you provide both, all streams appear.

Streams unlocked by the Compliance Access Key

Stream

Sync strategies

Primary key

Depends on

activities

Full Refresh, Incremental

id

—

organizations

Full Refresh

uuid

—

organization_users

Full Refresh

id

organizations

organization_roles

Full Refresh

id

organizations

groups

Full Refresh

id

—

group_members

Full Refresh

group_id + user_id

groups

projects

Full Refresh

id

—

project_attachments

Full Refresh

project_id + id

projects

user_chats

Full Refresh

id

organization_users

Streams unlocked by the Admin API Key

Stream

Sync strategies

Primary key

admin_users

Full Refresh

id

workspaces

Full Refresh

id

api_keys

Full Refresh

id

invites

Full Refresh

id

rate_limits

Full Refresh

group_type

usage_report

Full Refresh, Incremental

id

cost_report

Full Refresh, Incremental

id

claude_code_usage_report

Full Refresh, Incremental

date + actor_id

How dependent streams work

Streams marked as depending on another (e.g. organization_users depends on organizations) are populated as a by-product of the parent's iteration. The sync engine schedules the parent first and the child receives one batch of rows per parent record. This means a Full Refresh of, say, group_members is implicitly scoped to the groups returned by groups in the same sync run.

Usage report configuration

The Admin API supports configurable bucketing and grouping for usage reports. When the Admin API Key is set, the inbound sync configuration form exposes two parameters that apply to the usage_report stream:

Parameter

Default

Options

Notes

Usage report — granularity

Daily (1d)

Daily (1d), Hourly (1h), Minute (1m)

Time bucket size. Daily is recommended; hourly produces 24× the row volume and minute produces 1,440× the row volume.

Usage report — grouping

api_key_id,workspace_id,model,service_tier

api_key_id, workspace_id, model, service_tier, context_window, inference_geo, account_id, service_account_id

Multi-select. Each additional grouping multiplies the row count. An empty grouping returns one aggregate row per time bucket.

Combining minute-level granularity with several grouping dimensions can rapidly produce millions of rows per day. Start with the defaults and add granularity only where you need it.

The cost_report stream uses the same time bucketing as usage_report (it shares the granularity setting).

Consumer UDTFs

The plugin exposes two consumer-callable UDTFs under <plugin_app>.UDFS.*. They let a Snowflake role that has been granted CONSUMER_FUNCTION_CALLER call the Claude API on demand, without writing through a stream. Both are also published with a slug-overload so consumers can pass a connection slug (varchar) instead of resolving the connection object themselves.

`CLAUDE_API_REQUEST`

Generic Claude API caller. Uses whichever key is populated on the connection (Compliance Access Key is preferred, then Admin API Key). The path must begin with /.

SELECT STATUS_CODE, RESPONSE
FROM TABLE(
  PLUGIN_CLAUDE_APP_<user>.UDFS.CLAUDE_API_REQUEST(
    'my_claude_connection',
    'GET',
    '/v1/compliance/activities',
    OBJECT_CONSTRUCT('limit', 10),
    NULL
  )
);

Grant this UDTF to roles that need broad access to Claude API endpoints reachable by the connection's keys.

`CLAUDE_COMPLIANCE_API_REQUEST`

Locked-down sibling. Two enforcement layers, in addition to the key checks above:

Reads only the Compliance Access Key from the connection. The Admin API Key is ignored even if populated.
Rejects any PATH that does not start with /v1/compliance/.

Grant this UDTF (and not the generic one) to roles that must not be able to reach the Admin API or other Claude endpoints.

SELECT STATUS_CODE, RESPONSE
FROM TABLE(
  PLUGIN_CLAUDE_APP_<user>.UDFS.CLAUDE_COMPLIANCE_API_REQUEST(
    'my_claude_connection',
    'GET',
    '/v1/compliance/activities',
    OBJECT_CONSTRUCT('limit', 10),
    NULL
  )
);

Troubleshooting

"Connection failed (401)" on the connect step

For a Compliance Access Key, confirm the key starts with sk-ant-api01- and that Compliance API access has been enabled on your Anthropic organization.
For an Admin API Key, confirm the key starts with sk-ant-admin01- and was created under the Anthropic Console for your organization.

"Connection failed (404)" or empty Activity Feed

The Compliance Activity Feed (/v1/compliance/activities) is only populated for organizations with Compliance API enablement. A 404 on the smoke test usually means the key is valid but the org is not entitled to the Compliance API. Pursue Compliance enablement with your Anthropic account team, or remove the Compliance Access Key and operate the plugin with the Admin API Key only.

No streams visible after saving the connection

The stream list is gated on which key is populated. If you provided only an Admin API Key, you will see the eight Admin API streams but not the Compliance streams (and vice versa). Add the second key to the connection if you want both sets to appear.

Usage report has unexpectedly large row counts

The usage_report row count is the product of (time buckets × grouping dimensions). Switching from daily to hourly multiplies the row count by 24; adding context_window or inference_geo to the grouping can substantially increase the cardinality further. Start at the defaults and add detail only as needed.

Last updated

PreviousBOM Weather Data NextRelease History

Last updated 12 minutes ago