Claude apps gateway: SSO and Spend Caps for Claude Code on AWS and Google Cloud

Anthropic ships a self-hosted control plane for Claude Code. A single container handles identity, policy, telemetry, and spend limits — no more credential sprawl across every laptop.

Anyone who has rolled out Claude Code across a big team knows the pain: every new developer needs a cloud credential, every laptop needs the right settings, and finance still wants to see who’s spending what. That’s exactly what Anthropic’s new Claude apps gateway tackles — introduced this week for Amazon Bedrock and Google Cloud.

One container for everything

The gateway is a single, stateless container you run on your own infrastructure, backed by a PostgreSQL database. It sits between developers and the model infrastructure and handles five things:

Identity: The gateway acts as an OpenID Connect relying party, working with Google Workspace, Microsoft Entra ID, Okta, or any standards-compliant OIDC provider. Instead of long-lived secrets on developer machines, you get short-lived sessions. Onboarding means adding someone to your identity provider. Offboarding means removing them. No more orphaned API keys.

Policy: Admins define managed settings once, on the server. Clients pick them up at login, and the gateway enforces them on every request. Allowed models and defaults are managed centrally.

Telemetry: Every request gets a usage metric that the gateway relays via OTLP to a collector you run yourself — on your infrastructure, on your retention schedule.

Routing: The gateway holds the upstream credential and routes inference to the Claude API, Amazon Bedrock, or Google Cloud — with optional failover between providers.

Spend caps: Daily, weekly, and monthly limits, applied per organization, group, or individual user.

Data stays where it is

Important for data-sensitive teams: the gateway doesn’t send inference traffic or usage data to Anthropic unless you specifically configure it to use the Claude API. For Bedrock or Google Cloud deployments, the data stays put. Anthropic is also publishing the protocol, so others can build compatible gateways.

The whole thing is built into the Claude binary your developers already install. The /login flow is gateway-aware, and settings apply automatically at sign-in. It’s available now.

My take

The interesting part isn’t any single feature — it’s the consolidation. Identity, policy, telemetry, routing, and cost control used to require five separate tools and dashboards. Folding all of that into one container you control meaningfully reduces the operational surface area.

There’s a bigger shift underneath, too: Anthropic is claiming the access and cost layer that third-party gateways and in-house tooling used to hold. As one analyst put it, this makes one coding tool manageable at scale, but it doesn’t govern what the agents actually do. And that’s the control problem still waiting to be solved.


Sources: Anthropic: Introducing the Claude apps gateway · DevOps.com: Anthropic Adds Enterprise Gateway