At a glance: The Claude Gateway enables enterprises to manage identity via OIDC, enforce centralized policies, and track per-user costs without administrative overhead per developer.
Anthropic has released a self-hosted gateway for Claude Code that gives enterprises central control over developer access, SSO integration, and granular cost attribution. The gateway runs as a stateless container and is shipped together with the Claude client.
The gateway is a stateless container based on Linux, backed by a PostgreSQL database. It manages upstream authorization, authenticates developers against the identity provider (IdP), distributes managed settings centrally, and forwards usage metrics to a collector. Onboarding a developer is limited to adding them in the IdP, while offboarding involves removing them.
The gateway is distributed by Anthropic in the same claude binary that developers already install. The login process is gateway-aware, the client automatically adopts managed settings upon authentication, and policies are enforced on every request. The gateway implements OpenID Connect (OIDC) as a Relying Party against Google Workspace, Microsoft Entra ID, Okta, or any standards-compliant OIDC solution and issues short-lived sessions. Long-lived secrets do not land on developer machines.
For policy management, administrators can define managed settings once on the server, such as restricting permitted models or default parameters. The gateway routes API requests through Claude API, Amazon Bedrock, or Google Cloud with optional failover support. Daily, weekly, and monthly spending limits can be set per organization, group, or user. Telemetry via OTLP is sent to a collector in the customer’s own infrastructure and is subject to their own data retention policy.
Inference traffic and usage data do not leave the network unless Claude API is configured. Anthropic has published the gateway protocol so that third parties can build equivalent solutions. Deployment requires downloading the Claude Code CLI binary, configuring a gateway.yaml with OIDC issuer and upstream authorization, and registering an OIDC app in the IdP. Client machines are configured via forceLoginMethod and forceLoginGatewayUrl in managed-settings.json.
Source: claude.com · Published 28 June 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 of the EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.