
Corporate SSO for Claude Code in One Container: The Claude Apps Gateway
Chris Harper
Jul 3, 2026 · 20:04 UTC
TL;DR: Anthropic's new Claude Apps Gateway is a single stateless container that gives org-wide Claude Code deployments corporate SSO, per-user spend caps, and centrally enforced policies — no per-dev API keys, data stays on Bedrock or Google Cloud.
The standard Claude Code enterprise rollout hits a wall fast: every developer has their own API key, there's no central visibility into who's spending what, IT can't enforce usage policies, and off-boarding means hunting down credentials. The Apps Gateway fixes all of this.
What it is
A self-hosted control plane: one stateless Linux container backed by a PostgreSQL database. It sits between your developers and the Claude inference backend (Claude API, Amazon Bedrock, or Google Cloud Vertex AI). You deploy it once; your developers authenticate to it via corporate SSO and get short-lived sessions automatically.
What it does
- Identity: Acts as an OpenID Connect (OIDC) relying party. Works with Google Workspace, Microsoft Entra ID, Okta, or any OIDC-compliant identity provider. No long-lived API keys on developer machines.
- Credential management: Holds your upstream API key or cloud credential centrally. Rotation happens in one place, not across every developer machine.
- Policy enforcement: Distributes managed Claude Code settings to all developers automatically. IT can enforce project-level or team-level configuration without relying on developers to update files.
- Spend caps: Set daily, weekly, or monthly token limits per organization, group, or individual user. Limits are enforced before spend happens, not after.
- Usage reporting: Reports per-user token consumption to a collector you operate. Integrates with standard observability tooling.
- Routing & failover: Routes inference to Claude API, Bedrock, or Google Cloud — with optional failover between providers for reliability.
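What "enforced before spend happens" means for the spend caps above, as an added sketch that is not the gateway's own code or taken from Anthropic's docs: each request reserves its maximum token count against every applicable limit before it is forwarded, and the reservation is replaced by the reported usage afterwards. The scope names, limit values, and the `Ledger` class are assumptions made for illustration.

```python
from datetime import date

# Constructed limits in tokens per (scope, window); all names are illustrative.
LIMITS = {
    ("org:acme", "monthly"): 1_000_000,
    ("group:platform", "weekly"): 200_000,
    ("user:alice", "daily"): 50_000,
}

def bucket(window, day):
    """Identify the accounting period that `day` falls in for a window."""
    if window == "daily":
        return day.isoformat()
    if window == "weekly":
        year, week, _ = day.isocalendar()
        return f"{year}-W{week:02d}"
    return f"{day.year}-{day.month:02d}"  # monthly

class Ledger:
    def __init__(self):
        self.used = {}      # settled tokens per (scope, window, bucket)
        self.reserved = {}  # tokens held for in-flight requests
    def _keys(self, scopes, day):
        return [(s, w, bucket(w, day)) for (s, w) in LIMITS if s in scopes]
    def admit(self, scopes, max_tokens, day):
        """Reserve max_tokens against every applicable limit, or refuse."""
        keys = self._keys(scopes, day)
        for key in keys:
            committed = self.used.get(key, 0) + self.reserved.get(key, 0)
            if committed + max_tokens > LIMITS[key[:2]]:
                return False, key[:2]  # denied before anything goes upstream
        for key in keys:
            self.reserved[key] = self.reserved.get(key, 0) + max_tokens
        return True, None
    def settle(self, scopes, max_tokens, actual_tokens, day):
        """Swap the reservation (made on `day`) for the reported usage."""
        for key in self._keys(scopes, day):
            self.reserved[key] -= max_tokens
            self.used[key] = self.used.get(key, 0) + actual_tokens

def demo():
    ledger, day = Ledger(), date(2026, 7, 3)
    alice = {"org:acme", "group:platform", "user:alice"}
    first = ledger.admit(alice, 30_000, day)    # fits every limit
    second = ledger.admit(alice, 30_000, day)   # blocked by the in-flight reservation
    ledger.settle(alice, 30_000, 12_000, day)   # first request really used 12k
    third = ledger.admit(alice, 30_000, day)    # 12k + 30k is within the daily 50k
    next_day = ledger.admit(alice, 45_000, date(2026, 7, 4))  # new daily bucket
    return first, second, third, next_day
```

Counting reservations as committed spend is what stops concurrent requests from jointly overshooting a cap; checking only settled usage would enforce the limit after the spend.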
Data residency
With Bedrock or Google Cloud routing, inference traffic never reaches Anthropic servers; the only calls home are for model capability metadata. For compliance-sensitive teams, this is a significant difference from direct API key usage.
Quickstart (high-level — full config in the docs)
```bash
# 1. Pull and run the gateway container (Docker or Kubernetes)
docker pull public.ecr.aws/anthropic/claude-apps-gateway:latest
# 2. Configure OIDC client credentials and upstream provider
# (full env-var reference in the docs)
docker run \
  -e OIDC_CLIENT_ID=your_client_id \
  -e OIDC_CLIENT_SECRET=your_secret \
  -e OIDC_ISSUER_URL=https://accounts.google.com \
  -e UPSTREAM_PROVIDER=bedrock \
  -e DATABASE_URL=postgres://... \
  -p 8080:8080 \
  public.ecr.aws/anthropic/claude-apps-gateway:latest
# 3. Point Claude Code at your gateway
claude config set apiBaseUrl https://your-gateway.internal
```
Developers authenticate via claude auth login — they see your corporate IdP, not an Anthropic sign-in page.
When to use this vs. direct Bedrock/Google Cloud integration: Direct cloud integration (no gateway) is fine for small teams where everyone already has cloud credentials. The gateway pays off once you have >10 developers, need central policy enforcement, or have compliance requirements around credential management and spend visibility.
Sources: Anthropic blog: Introducing the Claude apps gateway · Claude Code docs: Claude apps gateway · DevOps.com coverage