Anthropic’s Python SDK Fixes Foundry Auth and Pydantic RootModel Schemas

The most expensive SDK bugs are the ones that make correct application code fail at the boundary. Anthropic’s Python SDK 0.106.0 is not a glamorous release, but it fixes exactly that class of problem: valid Pydantic schemas getting transformed into broken JSON Schema, and Foundry authentication paths getting muddied by ambient Anthropic API keys.

That is a narrow audience until it is your production agent service, your structured-output contract, or your enterprise routing path. Then it is not narrow at all. It is the line between “we can trust this SDK as infrastructure” and “we need to wrap every release in our own defensive archaeology.”

The release landed June 5 at 21:13 UTC, with PyPI publishing anthropic 0.106.0 seconds later. The changelog marks Claude Opus 4.1 as deprecated, fixes Foundry client copy() and with_options(), and fixes a JSON Schema transform bug involving root $ref schemas with sibling $defs. The last item is the one Python teams using Pydantic v2 should read twice.

When the SDK “simplifies” a schema into a bug

Pydantic v2 RootModel can emit a perfectly valid JSON Schema shape like this: a root {"$ref": "#/$defs/Tier"} with sibling $defs containing the referenced definition. The SDK’s transform_schema() previously returned early when it saw a root $ref. That preserved the reference but dropped the definitions. The result was a dangling reference: valid local type model in, invalid API-facing schema out.

The issue notes that the bug was verified from at least SDK 0.84.0 through 0.105.2. That matters because this was not a one-release regression developers could avoid by skipping a bad version. It was a long-lived edge case in the transformation layer, sitting in the path between Python types and Claude structured outputs.

This is a good example of why LLM SDK correctness is now schema correctness. Claude apps are no longer just wrappers around prose generation. They produce typed tool calls, validated JSON, parsed responses, extraction outputs, routing decisions, scoring objects, and machine-readable plans that feed downstream systems. When the schema layer breaks, the app failure looks like an API rejection or model-output failure even though the developer’s type definition was valid. That is the worst debugging shape: the user did the right thing, then the SDK helpfully changed it into the wrong thing.

The fix is straightforward and sensible: process $defs before the $ref early return, while leaving bare $ref schemas unchanged. In other words, preserve the definitions needed by the reference, do not over-transform the root reference itself, and stop making valid Pydantic output invalid. Boring. Correct. Exactly the point.

Foundry auth is a credential-boundary story

The Foundry side is equally unflashy and arguably more security-sensitive. The release fixes copy() and with_options() behavior for the Foundry client. Related code-path hardening prevents a stray ANTHROPIC_API_KEY environment variable from being sent as X-Api-Key to a Foundry endpoint when Azure AD token authentication is intended.

That sounds like a small header bug until you picture a real enterprise development environment. A developer shell may have an Anthropic API key for local experiments. CI may have direct Anthropic credentials for one job and Azure identity for another. A service may route some traffic through direct Claude and some through Foundry. Ambient environment variables are convenient until they cross an authentication boundary they were never meant to cross.

The Foundry client source already makes clear that not every direct Anthropic resource maps to Foundry. Unsupported endpoints such as message batches are hidden by returning None for batch resources. Auth should be similarly explicit. The code distinguishes API-key auth from Azure AD token provider auth and raises a MutuallyExclusiveAuthError when both are passed directly. The hardening here closes the less obvious case: credentials not passed directly, but inherited from the base client through the environment.

That is a real production blast radius because SDKs are part of the trust boundary. Teams tend to review prompts, MCP permissions, and tool allowlists while treating SDKs as inert plumbing. They are not. SDKs decide header precedence, retry behavior, schema transformation, streaming parsing, auth source selection, base URL handling, error propagation, and what metadata leaves the process. If your agent can touch internal data, the SDK is not outside the security model. It is in the middle of it.

Practitioners should do four things with this release. First, upgrade if you use structured outputs with Pydantic, especially RootModel. Second, add a regression test that sends a root $ref plus sibling $defs through your own schema pipeline. Do not just test that your Pydantic model generates the right schema; test that the SDK call receives the right schema. Third, audit CI and developer environments for ambient ANTHROPIC_API_KEY when using Foundry or Azure AD auth. Fourth, move model names and deprecation handling into config. The Opus 4.1 deprecation marker is a useful reminder that model routing should not be hardcoded across every workflow.

There is also a broader engineering lesson here. As agent systems become more typed and more cloud-routed, “small SDK patch” increasingly means “production control-plane patch.” A schema transform bug can block structured outputs. An auth precedence bug can leak the wrong credential to the wrong endpoint. A streaming parser bug can corrupt a downstream state machine. A retry default can double your bill or hide an outage. The libraries are not just client convenience packages anymore; they are runtime components.

The community reaction was quiet within the release window, which is unsurprising. Nobody writes a viral thread about preserving $defs in a JSON Schema transform. But the GitHub issue includes the right kind of signal: a concrete user-reported failure, a minimal repro, and a fix that respects the valid schema shape rather than papering over it.

The verdict: upgrade if this path touches you, and use the release as an excuse to harden your own tests around SDK behavior. When agents become infrastructure, edge cases in schemas and credential routing stop being edge cases. They become incident tickets with boring root causes.

Sources: Anthropic Python SDK release, schema fix commit, Foundry client source, PyPI package metadata, Anthropic client SDK docs