# Claude Enterprise Compliance API Connect your Anthropic organization to Capsule Security through Anthropic's [Compliance API](https://platform.claude.com/docs/en/manage-claude/compliance-api) for visibility into your members, activity, and Claude conversations. ![Claude Enterprise](/assets/claudeenterprise.abc2509c9ee9577ec389ce1cfde33911c23153c563b6461c642dda40384a9066.9c1bb791.png) ## Overview This integration reads your organization's data from Anthropic's Compliance API for audit and governance: - **Members** — Users across your linked organizations (email, name, and organization role), surfaced as agent owners - **Activity Feed** — The organization's audit events (sign-ins, key changes, chat and project lifecycle, and more), surfaced as an audit trail - **Conversations** — Claude.ai chats and their messages, surfaced as sessions in Observability The integration is **read-only** — it never modifies your Anthropic configuration or deletes content. Each user's Claude activity is grouped under a per-user agent (`Claude Enterprise/`) so members, activity, and conversations line up against a single owner. ## Prerequisites Before you begin, ensure you have: - An active **Claude Enterprise** plan - The Compliance API **enabled for your organization** — the parent organization's **primary owner** enables it in claude.ai - **Primary owner** access in claude.ai, required to create a Compliance Access Key - A **Capsule Security** account with admin access > **Note:** This integration requires a **Compliance Access Key** (`sk-ant-api01-...`) created in claude.ai — not a Console Admin key (`sk-ant-admin-...`) or a standard model API key (`sk-ant-api03-...`). Only a Compliance Access Key can read the activity feed, directory, and conversation content. ## Step 1: Create a Compliance Access Key Create a Compliance Access Key in claude.ai. This is the credential Capsule uses to read your organization's compliance data. ### Steps 1. Go to [claude.ai/admin-settings/api-access](https://claude.ai/admin-settings/api-access) 2. Confirm you are signed in as the organization's **primary owner** — only the primary owner can create a Compliance Access Key 3. Click **Create key** and give it a descriptive name (e.g., "Capsule Security Integration") 4. Grant the compliance **read** scopes so Capsule can read the activity feed, directory, and conversations: - `read:compliance_activities` — the Activity Feed - `read:compliance_user_data` — users, chats, and messages - `read:compliance_org_data` — organizations, roles, and groups 5. **Important:** Copy and save the key immediately — it begins with `sk-ant-api01-...` and is shown only once ### Security notes - Scopes are fixed when the key is created — to change them, create a new key and delete the old one - Store the key in a password manager or secret store; never share it in email, chat, or source control - The key grants read access to conversation content — treat it as a privileged credential - To rotate it, create a new key, reconnect the integration in Capsule, then delete the old key in claude.ai ## Step 2: Find Your Organization ID Capsule binds the integration to your parent organization, identified by its UUID. ### Steps 1. In claude.ai, open your **organization settings** 2. Copy the **Organization ID** — it is a UUID in the format `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` ### Example Organization ID ``` 91012d09-e48b-438e-a489-1bebfd8fa6f9 ``` > **Note:** The Organization ID must be a valid UUID. If you paste a name or slug instead, Capsule rejects it with *"Invalid Organization ID format (must be UUID)."* ## Step 3: Configure the Integration in Capsule Once you have your Compliance Access Key and Organization ID, set up the integration in the portal. ### Steps 1. Log in to the **Capsule Security** portal 2. Click **Integrations** in the left sidebar 3. Find the **Claude Enterprise Compliance API** card and click **Set up Integration** 1. The card displays a 3-step wizard. Step 1 links to the claude.ai API access page and Step 2 to your organization settings; Step 3 collects your credentials: - **Compliance Access Key** — paste the full key from Step 1 (starts with `sk-ant-api01-...`) - **Organization ID** — paste the UUID from Step 2 1. Capsule validates the credentials live as you type. When both fields are valid you'll see **Connection successful** 2. Click **Save** ### After setup - Capsule validates the credentials and creates a **Claude Enterprise Compliance API** environment scoped to your organization - Your access key is encrypted and stored in Capsule's secret store — it is never displayed again - Capsule syncs incrementally: members and the activity feed populate first, followed by Claude conversations. View members and activity under **Inventory**, and conversations under **Observability → Activity Type — Session** ## What Capsule ingests | Compliance API source | Appears in Capsule as | | --- | --- | | Organization members (directory) | **Owners** on the per-user `Claude Enterprise/` agent | | Activity Feed events | **Audit** entries on the acting user's agent | | Claude.ai chats and messages | **Sessions** in Observability, with user / assistant messages | Syncs are incremental and checkpointed — each run fetches only what changed since the last run, with overlap and de-duplication so no events are missed or double-counted. ## Troubleshooting If the connection test fails, the portal shows a specific message: | Message | Cause | Fix | | --- | --- | --- | | **Compliance Access Key is required** | The key field is empty | Paste the full `sk-ant-api01-...` key from Step 1 | | **Organization ID is required** | The Organization ID field is empty | Paste the organization UUID from Step 2 | | **Invalid Organization ID format (must be UUID)** | The value isn't a UUID | Copy the UUID exactly from your claude.ai organization settings | | **API key invalid or revoked** | The key is wrong, deleted, or revoked (`401`) | Create a fresh Compliance Access Key and reconnect | | **Key lacks the required compliance scopes, or wrong key type** | The key is missing a read scope, or it's an Admin / model key (`403`) | Use a Compliance Access Key (`sk-ant-api01-...`) with the read scopes from Step 1 | | **Organization or resource not found** | The organization isn't reachable by this key (`404`) | Confirm the UUID is your parent organization and the key belongs to it | | **Rate limited — try again shortly** | Anthropic's compliance rate limit was hit (`429`) | Wait and retry; Capsule paces and retries automatically | Use the **retry** button next to the Organization ID field to re-run the connection test after correcting a value. ## How It Works Capsule calls Anthropic's **Compliance API** under `https://api.anthropic.com/v1/compliance/*`, authenticating with the `x-api-key` header. It reads: - `GET /v1/compliance/organizations` and `/organizations/{org_uuid}/users` — the org tree and members - `GET /v1/compliance/activities` — the audit activity feed (incremental, by `created_at`) - `GET /v1/compliance/apps/chats` and `/apps/chats/{chat_id}/messages` — Claude conversations and their messages All `/v1/compliance/*` endpoints share a single rate limit of **600 requests per minute per parent organization**. Capsule paces requests within that budget, honors `Retry-After` on `429`, retries transient `5xx`, and never retries `4xx`. Sync state (checkpoints) is persisted per environment so runs resume where they left off. Your access key is held in an encrypted secret store, scoped to your tenant and organization, and is used only to read the endpoints above. ## Support For help with this integration: - **Email**: support@capsule.security - **Include**: Your tenant ID, your Anthropic Organization ID, and any error message shown in the connection test ## References - [Compliance API overview](https://platform.claude.com/docs/en/manage-claude/compliance-api) - [Get access to the Compliance API](https://platform.claude.com/docs/en/manage-claude/compliance-api-access) — key types and scopes - [Query the Activity Feed](https://platform.claude.com/docs/en/manage-claude/compliance-activity-feed) - [Compliance API reference](https://platform.claude.com/docs/en/api/compliance)