Anthropic Permissions & Security

This document explains how CloudYali securely integrates with your Anthropic account and the permissions required for the integration.

Read-Only Integration

CloudYali uses your Anthropic Admin API key in read-only mode. We only access usage and billing data—never prompts, responses, or conversation content.

API Key Requirements

CloudYali requires an Admin API key from your Anthropic account to access usage and billing data.

Key Format

Admin API keys start with sk-ant-admin
Generated from Anthropic Console under Manage → API keys → Admin keys

Organization Required

Admin API keys are only available to Anthropic Organizations. Individual accounts cannot generate Admin keys. Set up an organization if you don't have one.

Required Permissions

Permission	Purpose
Read Usage Data	Access daily token consumption metrics
Read Billing Data	Retrieve cost information for reporting

Note: Admin keys provide broad access to the Anthropic API. CloudYali uses these keys in read-only mode and cannot perform cost-incurring actions like making API calls to Claude models.

What CloudYali Does NOT Access

Conversation content (prompts and responses)
API request/response payloads
User-generated content of any kind
Write or modify operations on your Anthropic account

How API Keys Are Stored

CloudYali uses enterprise-grade security for API key storage:

Encryption at Rest

Your Anthropic API key is encrypted at rest using AES-256 encryption
The database stores only a reference pointer to the encrypted secret—never the actual key
Keys are stored in a secure, isolated secrets management system

Access Controls

Only authorized CloudYali services can retrieve the decrypted key
All access is logged for audit purposes
Keys are never exposed in logs, error messages, or UI

Data Collection

What Data Is Collected

CloudYali collects only usage metadata from the Anthropic API:

Data Type	Description
Token Counts	Input, output, cache creation, and cache read tokens
Cost Data	Daily costs in USD by model and token type
Model Information	Which Claude models were used
Workspace IDs	For organizations with multiple workspaces
Timestamps	When API calls were made (daily aggregates)

What Data Is NOT Collected

Prompt content
Response content
Conversation history
User identifiers beyond workspace attribution
Any personally identifiable information (PII)

Data Retention

CloudYali maintains your Anthropic usage data following these policies:

Data Type	Retention Period
Daily usage metrics	Rolling 15-day refresh window
Historical cost data	Retained for reporting and trend analysis
Sync job logs	90 days

Data Refresh

Daily syncs retrieve the last 15 days of data
This ensures any corrections from Anthropic's API are captured
Older data remains available for historical reporting

Security Best Practices

API Key Management

Use dedicated keys - Create a separate API key for CloudYali integration
Regular rotation - Rotate API keys periodically (e.g., every 90 days)
Monitor usage - Review API key activity in Anthropic Console
Revoke if compromised - Immediately revoke and regenerate keys if you suspect unauthorized access

Access Control

Limit CloudYali admin access to authorized personnel
Use role-based access control (RBAC) within CloudYali
Review user permissions regularly

Compliance & Auditing

Audit Trail

CloudYali maintains comprehensive audit logs:

All API calls to Anthropic are logged
Data access events are tracked
Integration configuration changes are recorded

Data Isolation

Your data is strictly isolated by customer ID
Multi-tenant architecture ensures no data leakage between organizations
Workspace data is isolated within your organization

Disconnecting the Integration

If you need to remove the Anthropic integration:

Navigate to Settings → Cloud Providers
Find the Anthropic account you want to disconnect
Click Disconnect or Remove
Confirm the disconnection

What Happens When You Disconnect

API key is securely deleted from our encrypted storage
Data syncs stop immediately
Historical cost data remains available for reporting
You can reconnect at any time with a new API key

Frequently Asked Questions

Can CloudYali read my prompts or responses?

No. CloudYali only accesses aggregated usage and billing data through the Anthropic Admin API. We never have access to conversation content.

Is my API key stored securely?

Yes. API keys are encrypted at rest using AES-256 encryption. The actual key is never stored in our database—only an encrypted reference in our secure secrets management system.

What happens if I rotate my API key?

You'll need to update the API key in CloudYali settings. Go to Cloud Providers, select your Anthropic account, and enter the new key.

Can I limit which workspaces CloudYali accesses?

Yes. During setup, you can specify which workspaces to track. You can also add or remove workspaces later from the account settings.

For security questions or concerns, please contact our support team at support@cloudyali.io.

API Key Requirements​

Key Format​

Required Permissions​

What CloudYali Does NOT Access​

How API Keys Are Stored​

Encryption at Rest​

Access Controls​

Data Collection​

What Data Is Collected​

What Data Is NOT Collected​

Data Retention​

Data Refresh​

Security Best Practices​

API Key Management​

Access Control​

Compliance & Auditing​

Audit Trail​

Data Isolation​

Disconnecting the Integration​

What Happens When You Disconnect​

Frequently Asked Questions​

Can CloudYali read my prompts or responses?​

Is my API key stored securely?​

What happens if I rotate my API key?​

Can I limit which workspaces CloudYali accesses?​