[Admin API] Archived workspace is automatically recreated and assigned org-level spend limit

[RyutoYoda]

Summary

When using the Admin API to manage workspaces (creating 100 workspaces,
assigning one user per workspace for cost control), archived workspaces
are being recreated — apparently through the Anthropic Console — and
the recreated workspace is automatically assigned the organization's
maximum spend limit. Multiple users from the organization are then
added to this workspace.

What we're trying to do

• Create ~100 workspaces via Admin API
• Assign exactly one user per workspace
• Control per-user spend limits at the workspace level

What's happening

1. We archive a workspace named "Claude Code" via Admin API
2. The same workspace is recreated (via Console or direct API call)
   — this has happened 3 times in 2 days:
   • wrkspc created 2026-03-12, archived 2026-03-15
   • wrkspc created 2026-03-15, archived 2026-03-16
   • wrkspc created 2026-03-16 (current, still active)
3. The recreated workspace inherits the org-level max spend limit
4. Multiple users get assigned to it automatically

Expected behavior

• Archived workspaces should stay archived
• Newly created workspaces should NOT inherit the org-level spend limit by default
• There should be an audit log API to track who created/restored a workspace

Current workaround

We deployed an AWS Lambda function using the Admin API key to intercept
ws_create calls and return 403. However, this does not prevent
workspace creation via the Anthropic Console or direct API calls.

Missing API capabilities

• No GET /v1/organizations/audit_logs endpoint exists — impossible to determine who created or restored a workspace
• No way to restrict Console access to workspace creation for org admins

Environment

• Using: Anthropic Admin API (sk-ant-admin01-...)
• anthropic-version: 2023-06-01
• Endpoint: POST /v1/organizations/workspaces