Corporate SSO for Claude Code in One Container: The Claude Apps Gateway

Chris Harper

3 min read

Jul 3, 2026 · 20:04 UTC

AI
Workflow
Claude Code
Agents

TL;DR: Anthropic's new Claude Apps Gateway is a single stateless container that gives org-wide Claude Code deployments corporate SSO, per-user spend caps, and centrally enforced policies — no per-dev API keys, data stays on Bedrock or Google Cloud.

The standard Claude Code enterprise rollout hits a wall fast: every developer has their own API key, there's no central visibility into who's spending what, IT can't enforce usage policies, and off-boarding means hunting down credentials. The Apps Gateway fixes all of this.

What it is

A self-hosted control plane: one stateless Linux container backed by a PostgreSQL database. It sits between your developers and the Claude inference backend (Claude API, Amazon Bedrock, or Google Cloud Vertex AI). You deploy it once; your developers authenticate to it via corporate SSO and get short-lived sessions automatically.

What it does

  • Identity: Acts as an OpenID Connect (OIDC) relying party. Works with Google Workspace, Microsoft Entra ID, Okta, or any OIDC-compliant identity provider. No long-lived API keys on developer machines.
  • Credential management: Holds your upstream API key or cloud credential centrally. Rotation happens in one place, not across every developer machine.
  • Policy enforcement: Distributes managed Claude Code settings to all developers automatically. IT can enforce project-level or team-level configuration without relying on developers to update files.
  • Spend caps: Set daily, weekly, or monthly token limits per organization, group, or individual user. Limits are enforced before spend happens, not after.
  • Usage reporting: Reports per-user token consumption to a collector you operate. Integrates with standard observability tooling.
  • Routing & failover: Routes inference to Claude API, Bedrock, or Google Cloud — with optional failover between providers for reliability.

Data residency

For Bedrock or Google Cloud routing, inference traffic never reaches Anthropic servers. Only requests for model capability metadata call home. For compliance-sensitive teams, this is a significant difference from direct API key usage.

Quickstart (high-level — full config in the docs)

# 1. Pull and run the gateway container (Docker or Kubernetes)
docker pull public.ecr.aws/anthropic/claude-apps-gateway:latest

# 2. Configure OIDC client credentials and upstream provider
#    (full env-var reference in the docs)
docker run \
  -e OIDC_CLIENT_ID=your_client_id \
  -e OIDC_CLIENT_SECRET=your_secret \
  -e OIDC_ISSUER_URL=https://accounts.google.com \
  -e UPSTREAM_PROVIDER=bedrock \
  -e DATABASE_URL=postgres://... \
  -p 8080:8080 \
  public.ecr.aws/anthropic/claude-apps-gateway:latest

# 3. Point Claude Code at your gateway
claude config set apiBaseUrl https://your-gateway.internal

Developers authenticate via claude auth login — they see your corporate IdP, not an Anthropic sign-in page.
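
Step 2 passes the OIDC client secret and database URL as -e arguments, which puts them in shell history and the process list. The following is an added example (not from this article or Anthropic's docs) that checks an env file carrying the same variables before it is handed to docker run --env-file; the function name check_gateway_env and the file name gateway.env are assumptions.

```shell
#!/bin/sh
# Added example: preflight check for an env file holding the quickstart's variables.
# Variable names and placeholder values come from the quickstart; the function
# name and the file name gateway.env are assumptions of this example.
#
# Usage:
#   check_gateway_env gateway.env && \
#     docker run --env-file gateway.env -p 8080:8080 \
#       public.ecr.aws/anthropic/claude-apps-gateway:latest

check_gateway_env() {
  file=$1
  rc=0
  [ -f "$file" ] || { echo "FAIL: $file not found"; return 2; }

  # The file holds OIDC_CLIENT_SECRET and DATABASE_URL: owner-only access.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case $mode in
    600|400) ;;
    *) echo "FAIL: mode $mode on $file, expected 600 or 400"; rc=1 ;;
  esac

  # Every variable the quickstart passes must be present and non-empty.
  for key in OIDC_CLIENT_ID OIDC_CLIENT_SECRET OIDC_ISSUER_URL \
             UPSTREAM_PROVIDER DATABASE_URL; do
    grep -Eq "^${key}=.+" "$file" || { echo "FAIL: $key missing or empty"; rc=1; }
  done

  # Placeholder values copied straight from the quickstart must be replaced.
  if grep -Eq '^OIDC_CLIENT_(ID|SECRET)=(your_client_id|your_secret)$' "$file"; then
    echo "FAIL: quickstart placeholder left in OIDC client credentials"; rc=1
  fi

  # The relying party trusts whatever the issuer URL serves, so require TLS.
  issuer=$(sed -n 's/^OIDC_ISSUER_URL=//p' "$file" | head -n 1)
  case $issuer in
    https://?*) ;;
    *) echo "FAIL: OIDC_ISSUER_URL must be an https:// URL"; rc=1 ;;
  esac

  return $rc
}
```

An env file keeps the values out of shell history and ps output; they remain visible through docker inspect to anyone with Docker access on the host.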

When to use this vs. direct Bedrock/Google Cloud integration: Direct cloud integration (no gateway) is fine for small teams where everyone already has cloud credentials. The gateway pays off once you have >10 developers, need central policy enforcement, or have compliance requirements around credential management and spend visibility.

Sources: Anthropic blog: Introducing the Claude apps gateway · Claude Code docs: Claude apps gateway · DevOps.com coverage