claude-hub/docs/claude-authentication-guide.md

# Claude Authentication Guide

This guide covers three authentication methods for using Claude with the webhook service.

## Authentication Methods Overview

| Method | Use Case | Setup Complexity |
|--------|----------|------------------|
| **Setup Container** | Personal development | Medium |
| **ANTHROPIC_API_KEY** | Production environments | Low |
| **AWS Bedrock** | Enterprise integration | High |

---

## 🐳 Option 1: Setup Container (Personal Development)

Uses personal Claude Code subscription for authentication.

### Setup Process

#### 1. Run Interactive Authentication Setup
```bash
./scripts/setup/setup-claude-interactive.sh
```

#### 2. Authenticate in Container
When the container starts:
```bash
# In the container shell:
claude --dangerously-skip-permissions  # Follow authentication flow
exit                                   # Save authentication state
```

#### 3. Test Captured Authentication
```bash
./scripts/setup/test-claude-auth.sh
```

#### 4. Use Captured Authentication
```bash
# Option A: Copy to your main Claude directory
cp -r ${CLAUDE_HUB_DIR:-~/.claude-hub}/* ~/.claude/

# Option B: Mount in docker-compose
# Update docker-compose.yml:
# - ./${CLAUDE_HUB_DIR:-~/.claude-hub}:/home/node/.claude
```

#### 5. Verify Setup
```bash
node cli/webhook-cli.js --repo "owner/repo" --command "Test authentication" --url "http://localhost:8082"
```

### Troubleshooting
- **Tokens expire**: Re-run authentication setup when needed
- **File permissions**: Ensure `.credentials.json` is readable by container user
- **Mount issues**: Verify correct path in docker-compose volume mounts

---

## 🔑 Option 2: ANTHROPIC_API_KEY (Production)

Direct API key authentication for production environments.

### Setup Process

#### 1. Get API Key
1. Go to [Anthropic Console](https://console.anthropic.com/)
2. Create a new API key
3. Copy the key (starts with `sk-ant-`)

#### 2. Configure Environment
```bash
# Add to .env file
ANTHROPIC_API_KEY=sk-ant-your-api-key-here
```

#### 3. Restart Service
```bash
docker compose restart webhook
```

#### 4. Test
```bash
node cli/webhook-cli.js --repo "owner/repo" --command "Test API key authentication" --url "http://localhost:8082"
```

### Best Practices
- **Key rotation**: Regularly rotate API keys
- **Environment security**: Never commit keys to version control
- **Usage monitoring**: Monitor API usage through Anthropic Console

---

## ☁️ Option 3: AWS Bedrock (Enterprise)

AWS-integrated Claude access for enterprise deployments.

### Setup Process

#### 1. Configure AWS Credentials
```bash
# Option A: AWS Profile (Recommended)
./scripts/aws/create-aws-profile.sh

# Option B: Environment Variables
export AWS_ACCESS_KEY_ID=your_access_key
export AWS_SECRET_ACCESS_KEY=your_secret_key
export AWS_REGION=us-east-1
```

#### 2. Configure Bedrock Settings
```bash
# Add to .env file
CLAUDE_CODE_USE_BEDROCK=1
ANTHROPIC_MODEL=us.anthropic.claude-3-7-sonnet-20250219-v1:0
AWS_REGION=us-east-1

# If using profiles
USE_AWS_PROFILE=true
AWS_PROFILE=claude-webhook
```

#### 3. Verify Bedrock Access
```bash
aws bedrock list-foundation-models --region us-east-1
```

#### 4. Restart Service
```bash
docker compose restart webhook
```

#### 5. Test
```bash
node cli/webhook-cli.js --repo "owner/repo" --command "Test Bedrock authentication" --url "http://localhost:8082"
```

### Best Practices
- **IAM policies**: Use minimal required permissions
- **Regional selection**: Choose appropriate AWS region
- **Access logging**: Enable CloudTrail for audit compliance

---

## 🚀 Authentication Priority and Fallback

The system checks authentication methods in this order:

1. **ANTHROPIC_API_KEY** (highest priority)
2. **Claude Interactive Authentication** (setup container)
3. **AWS Bedrock** (if configured)

### Environment Variables

```bash
# Method 1: Direct API Key
ANTHROPIC_API_KEY=sk-ant-your-key

# Method 2: Claude Interactive (automatic if ~/.claude is mounted)
# No environment variables needed

# Method 3: AWS Bedrock
CLAUDE_CODE_USE_BEDROCK=1
ANTHROPIC_MODEL=us.anthropic.claude-3-7-sonnet-20250219-v1:0
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=your_key_id
AWS_SECRET_ACCESS_KEY=your_secret_key
# OR
USE_AWS_PROFILE=true
AWS_PROFILE=your-profile-name
```

---

## 🛠️ Switching Between Methods

You can switch between authentication methods by updating your `.env` file:

```bash
# Development with personal subscription
# Comment out API key, ensure ~/.claude is mounted
# ANTHROPIC_API_KEY=
# Mount: ~/.claude:/home/node/.claude

# Production with API key
ANTHROPIC_API_KEY=sk-ant-your-production-key

# Enterprise with Bedrock
CLAUDE_CODE_USE_BEDROCK=1
ANTHROPIC_MODEL=us.anthropic.claude-3-7-sonnet-20250219-v1:0
USE_AWS_PROFILE=true
AWS_PROFILE=production-claude
```

---

## 🔍 Troubleshooting

### Authentication Not Working
1. Check environment variables are set correctly
2. Verify API keys are valid and not expired
3. For Bedrock: Ensure AWS credentials have correct permissions
4. For setup container: Re-run authentication if tokens expired

### Rate Limiting
- **API Key**: Contact Anthropic for rate limit information
- **Bedrock**: Configure AWS throttling settings
- **Setup Container**: Limited by subscription tier

---

## 📚 Additional Resources

- [Anthropic Console](https://console.anthropic.com/) - API key management
- [AWS Bedrock Documentation](https://docs.aws.amazon.com/bedrock/) - Enterprise setup
- [Claude Code Documentation](https://docs.anthropic.com/en/docs/claude-code) - Official Claude CLI docs
- [Setup Container Deep Dive](./setup-container-guide.md) - Detailed setup container documentation

---

*This guide covers all authentication methods for the Claude GitHub Webhook service. Choose the method that best fits your technical requirements.*