
Centralized IAM Hits Claude Code via Self-Hosted Apps Gateway

The new self-hosted Claude apps gateway bridges Amazon Bedrock and Google Cloud environments with local Claude Code deployments via unified OIDC authentication.

Anthropic’s new Claude apps gateway provides a self-hosted control plane to connect enterprise cloud deployments with local AI developer tools. Released as a stateless Linux container, the gateway allows IT teams to provision and manage access to Claude Code without distributing individual cloud IAM credentials to every developer. By sitting between engineering workstations and primary cloud environments like Amazon Bedrock or Google Cloud Vertex AI, the system removes the friction of manual credential rotation and local configuration pushes.

Architecture and Authentication

The gateway is distributed as part of the standard claude binary, requiring a PostgreSQL database for state management. It acts as an OpenID Connect (OIDC) relying party to integrate directly with corporate single sign-on providers. Supported identity platforms at launch include Microsoft Entra ID, Google Workspace, and Okta.

Once a developer signs in via SSO, the gateway issues a short-lived token. The server then multiplexes local inference requests through a single set of upstream administrative credentials connected to the organization’s cloud provider. This architecture shifts the burden of identity federation away from local machines and into a centrally managed network layer.

Policy Enforcement and Telemetry

Routing developer requests through a single gateway allows administrators to apply global constraints. IT teams can centrally define policies specifying which models are accessible, individual token limits, and strict data retention rules. These parameters are pushed to the local claude client automatically upon user login.

The system also addresses internal billing challenges by exporting OpenTelemetry (OTLP) metrics. The telemetry exposes granular per-user token counts and estimated spend data. This allows organizations to execute internal chargebacks for AI usage without layering third-party observability tools over their Bedrock or Vertex AI instances.
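The flow described in the two sections above, as an added sketch that is not Anthropic's code and does not reflect the gateway's real token format or configuration. Every name, key and policy value is a constructed assumption, and an HMAC-signed token stands in for whatever the gateway actually issues after SSO.

```python
import base64, hashlib, hmac, json

# Hypothetical stand-ins: the real gateway's token format, policy schema and
# upstream call are not described on this page.
GATEWAY_KEY = b"constructed-demo-key"                 # held only by the gateway
UPSTREAM_CREDENTIAL = "constructed-upstream-secret"   # never sent to developers
POLICY = {"allowed_models": {"model-a"}, "max_tokens_per_user": 1000}
usage = {}  # per-user token counts, the figure a chargeback report needs


def _sign(payload: bytes) -> bytes:
    return hmac.new(GATEWAY_KEY, payload, hashlib.sha256).hexdigest().encode()


def issue_token(user: str, now: float, ttl: int = 900) -> str:
    """Called after SSO succeeds: mint a short-lived, signed session token."""
    claims = json.dumps({"sub": user, "exp": now + ttl}).encode()
    payload = base64.urlsafe_b64encode(claims)
    return payload.decode() + "." + _sign(payload).decode()


def verify_token(token: str, now: float) -> str:
    """Return the user name, or raise PermissionError if forged or expired."""
    payload, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(payload.encode())):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    return claims["sub"]


def handle_request(token: str, model: str, tokens: int, now: float) -> dict:
    """Enforce central policy, meter usage, then build the upstream request."""
    user = verify_token(token, now)
    if model not in POLICY["allowed_models"]:
        raise PermissionError("model not allowed")
    if usage.get(user, 0) + tokens > POLICY["max_tokens_per_user"]:
        raise PermissionError("token limit exceeded")
    usage[user] = usage.get(user, 0) + tokens
    # Only here is the shared credential attached; the workstation never sees it.
    return {"user": user, "model": model, "auth": UPSTREAM_CREDENTIAL}
```

The signature is checked before the payload is decoded, so a tampered token is rejected without its claims ever being parsed, and rejected requests leave the usage counter unchanged.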

Concurrent Enterprise Updates

The gateway launch coincides with several broader enterprise rollouts. Claude Opus 4.8 and Claude Haiku 4.5 are now generally available on Microsoft Foundry, hosted on Azure. Additionally, Anthropic finalized a partnership with the State of California, offering a 50% discount on Claude access for state agencies, alongside dedicated technical workforce training.

For developers, Claude Code v2.1.195 introduces Remote Model Context Protocol (MCP) support. This update provides native OAuth flows to connect local sessions with third-party data sources like Sentry and Linear. Concurrently, a new Citations feature reached general availability on the Anthropic API and Vertex AI, mapping model outputs directly to specific source documents to improve auditability.

If you are deploying Claude for Teams or Enterprise plans, the gateway server requires version 2.1.195 or later and is initiated using the claude gateway --config gateway.yaml command. You must provision the required PostgreSQL instance and register the gateway with your OIDC provider before routing production traffic.
