Overview
The Claude apps gateway is a self-hosted control plane for managing Claude Code deployments on Amazon Bedrock and Google Cloud. It centralizes corporate SSO sign-in, managed settings enforced on every request, and per-user cost attribution, and ships as a stateless container within the existing claude binary.
Key features
- Corporate SSO and OIDC-based authentication
  Previously, running Claude Code on cloud platforms meant provisioning individual credentials per developer and manually distributing settings across machines. The gateway acts as an OIDC relying party against Google Workspace, Microsoft Entra ID, Okta, or any standards-compliant OIDC provider, leaving only short-lived session tokens on developer machines instead of long-lived secrets.
- Centrally managed settings and policy enforcement
  Managing settings machine by machine makes policy consistency hard to maintain. The gateway applies managed settings at sign-in and enforces them on every request, with central control over allowed models, default configuration, and role-based access.
- Per-user cost attribution and spend caps
  Cost visibility used to require building separate tooling. The gateway provides per-user cost attribution and lets you set daily, weekly, and monthly spend caps per organization, group, or user. Usage telemetry is sent via OTLP to customer-operated collectors.
- Inference routing and failover
  The gateway routes inference to the Claude API, Amazon Bedrock, or Google Cloud, with optional provider failover. It holds upstream credentials so they stay off developer machines.
Notes
- Available now — setup is documented in the Claude Code developer docs.
- Requirements — a Linux container environment with PostgreSQL, configured via gateway.yaml and managed-settings.json.
- Deployment — not a separate service; it runs as a stateless container within the existing claude binary.