
Introducing the Claude apps gateway — centrally manage Claude Code on Amazon Bedrock and Google Cloud

The Claude apps gateway is a self-hosted control plane for managing Claude Code deployments on Amazon Bedrock and Google Cloud. It provides corporate SSO sign-in, centrally managed settings enforced on every request, and per-user cost attribution, and ships as a stateless container within the existing claude binary. It supports OIDC-based authentication, control over allowed models, and spend caps per organization, group, or user.


This article is a summary based on official documentation.

Overview

The Claude apps gateway is a self-hosted control plane for managing Claude Code deployments on Amazon Bedrock and Google Cloud. It centralizes corporate SSO sign-in, managed settings enforced on every request, and per-user cost attribution, and ships as a stateless container within the existing claude binary.

Key features

  • Corporate SSO and OIDC-based authentication

    Previously, running Claude Code on cloud platforms meant provisioning individual credentials per developer and manually distributing settings across machines. The gateway acts as an OIDC relying party against Google Workspace, Microsoft Entra ID, Okta, or any standards-compliant OIDC provider, leaving only short-lived session tokens on developer machines instead of long-lived secrets.

  • Centrally managed settings and policy enforcement

    Managing settings machine by machine makes policy consistency hard to maintain. The gateway applies managed settings at sign-in and enforces them on every request, with central control over allowed models, default configuration, and role-based access.

  • Per-user cost attribution and spend caps

    Cost visibility used to require building separate tooling. The gateway provides per-user cost attribution and lets you set daily, weekly, and monthly spend caps per organization, group, or user. Usage telemetry is sent via OTLP to customer-operated collectors.

  • Inference routing and failover

    The gateway routes inference to the Claude API, Amazon Bedrock, or Google Cloud, with optional provider failover. It holds upstream credentials so they stay off developer machines.
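The per-request enforcement of allowed models and spend caps described in the features above can be pictured as a single decision function. This is an added sketch, not the gateway's code or its configuration schema: the policy shape, model names, identities, ledger rows, and the calendar-aligned UTC windows are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical policy shape for illustration only; this is NOT the schema of
# gateway.yaml or managed-settings.json, which the page does not show.
POLICY = {
    "allowed_models": {"model-a", "model-b"},  # constructed model names
    "caps": [  # (scope kind, scope id, period, limit in USD)
        ("user", "alice", "daily", 20.0),
        ("group", "platform", "weekly", 150.0),
        ("org", "acme", "monthly", 1000.0),
    ],
}

# Constructed usage ledger rows: (UTC timestamp, user, group, org, cost in USD)
UTC = timezone.utc
LEDGER = [
    (datetime(2025, 3, 3, 9, 0, tzinfo=UTC), "alice", "platform", "acme", 12.0),
    (datetime(2025, 3, 4, 10, 0, tzinfo=UTC), "bob", "platform", "acme", 90.0),
    (datetime(2025, 3, 5, 8, 0, tzinfo=UTC), "alice", "platform", "acme", 15.0),
]

def window_start(period, now):
    """Start of the current window; calendar-aligned UTC is an assumption."""
    day = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if period == "daily":
        return day
    if period == "weekly":
        return day - timedelta(days=day.weekday())  # Monday 00:00 UTC
    if period == "monthly":
        return day.replace(day=1)
    raise ValueError(f"unknown period: {period}")

def spent(ledger, kind, scope_id, since, now):
    """Sum cost for one user, group or org inside [since, now]."""
    col = {"user": 1, "group": 2, "org": 3}[kind]
    return sum(r[4] for r in ledger if r[col] == scope_id and since <= r[0] <= now)

def authorize(identity, model, est_cost, policy, ledger, now):
    """Return (allowed, reason); every applicable cap must hold (assumed)."""
    if model not in policy["allowed_models"]:
        return False, "model_not_allowed"
    for kind, scope_id, period, limit in policy["caps"]:
        if identity.get(kind) != scope_id:
            continue  # this cap targets a different user, group or org
        used = spent(ledger, kind, scope_id, window_start(period, now), now)
        if used + est_cost > limit:
            return False, f"{kind}:{scope_id}:{period}_cap_exceeded"
    return True, "ok"
```

Because the check runs on every request against a central ledger, a user who is under their own daily cap can still be refused when their group or organization has exhausted its budget.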

Notes

  • Available now — setup is documented in the Claude Code developer docs.
  • Requirements — a Linux container environment with PostgreSQL, configured via gateway.yaml and managed-settings.json.
  • Deployment — not a separate service; it runs as a stateless container within the existing claude binary.

Frequently Asked Questions

What is the Claude apps gateway?
A self-hosted control plane for managing Claude Code deployments on Amazon Bedrock and Google Cloud. It ships as a stateless container within the existing claude binary and centralizes corporate SSO sign-in, policy enforcement, and per-user cost tracking.

What authentication does it support?
It acts as an OpenID Connect (OIDC) relying party against Google Workspace, Microsoft Entra ID, Okta, or any standards-compliant OIDC provider. Short-lived session tokens eliminate long-lived secrets on developer machines.

How does it manage cost?
It provides per-user cost attribution and lets you configure daily, weekly, and monthly spend caps per organization, group, or user. Usage telemetry is sent via OTLP to customer-operated collectors.

What does it require to run?
A Linux container environment with PostgreSQL, configured via gateway.yaml and managed-settings.json. It routes inference to the Claude API, Amazon Bedrock, or Google Cloud, with optional provider failover.

Where can I find the official announcement?
See the Claude blog post 'Introducing the Claude apps gateway' at claude.com/blog/introducing-the-claude-apps-gateway, and the Claude Code developer docs.