{"slug": "introducing-claude-apps-gateway-for-aws", "title": "Introducing Claude apps gateway for AWS", "summary": "Anthropic announced the Claude apps gateway for AWS, a self-hosted control plane that gives organizations centralized management of access, cost, and policy for Claude Code and Claude Desktop. The gateway integrates with Amazon Bedrock or Claude Platform on AWS, replacing per-developer credentials with identity provider-based access and enforcing spend caps and policy settings across teams.", "body_md": "[Artificial Intelligence](https://aws.amazon.com/blogs/machine-learning/)\n\n# Introducing Claude apps gateway for AWS\n\nEnterprises deploying Claude Code and Claude Desktop across development teams need centralized control over access, cost, and policy. At scale, this is hard to manage: each developer needs an individual credential, settings must be distributed manually, and spend is difficult to track or cap. Without a centralized control point, governance is left to whatever tooling each team can implement independently.\n\nToday, we’re announcing the Claude apps gateway for AWS, a self-hosted control plane that gives organizations a single point of control over access, cost, and policy for Claude Code and Claude Desktop. It replaces the need to provision a separate cloud credential per developer, push settings to every laptop by hand, or stand up separate tooling to track spend. You can deploy it through Amazon Bedrock to keep data within the AWS security boundary, or through Claude Platform on AWS to get the same gateway controls with the native Claude platform experience.\n\nIn this post, we show how to set up and run Claude apps gateway for AWS with Amazon Bedrock and Claude Platform on AWS.\n\n## How the Claude apps gateway works\n\nThe gateway is delivered by Anthropic inside the same [Claude Code CLI](https://code.claude.com/docs/en/quickstart) binary your developers already use. You can run it in one stateless container on your infrastructure, backed by a [PostgreSQL](https://www.postgresql.org/) database that stores short-lived sign-in state and rate-limit counters. Because the gateway and the client are built together, the `/login`\n\nflow is gateway-aware. The client applies managed settings automatically at sign-in, and policy is enforced consistently on every request.\n\nOnboarding and offboarding follow your existing identity workflows. To grant access, add a developer to your identity provider (IdP). To revoke it, remove them, and their session expires within the configured token lifetime (one hour by default). No long-lived secrets live on developer machines.\n\nThe gateway handles five core responsibilities:\n\n**Identity:** The gateway connects to any standards-compliant OpenID Connect (OIDC) identity provider. After a developer signs in through browser single sign-on (SSO), the gateway issues a short-lived token that the CLI uses for all subsequent requests.**Policy:** You define managed settings once on the server. Clients receive policy at sign-in, and the gateway enforces it on every request. You can adjust allowed models, tool permissions, and default settings centrally, scoped by IdP group.**Telemetry:** The client stamps a usage metric for every request, and the gateway relays it over OpenTelemetry Protocol (OTLP) to a collector you configure, such as Amazon CloudWatch or Amazon Managed Service for Prometheus in your own account, or a third-party platform. You control where telemetry goes and how long it’s retained.**Routing:** The gateway holds your upstream credential and routes inference requests to Amazon Bedrock or Claude Platform on AWS on behalf of developers, with optional failover between AWS Regions or across multiple accounts.**Spend caps:** Set daily, weekly, and monthly spend limits per organization, group, or user. When a developer exceeds their cap, the gateway blocks further requests until the period resets or an admin raises the limit.\n\nWhen Claude apps gateway is used with Amazon Bedrock, inference requests go through Amazon Bedrock in the AWS Regions you configure, maintaining the same data handling and privacy controls as any other Amazon Bedrock workload in your account. When Claude apps gateway is used with Claude Platform on AWS, requests are processed by Anthropic.\n\n### The configuration\n\nThe gateway reads a single YAML file at startup. Here’s what a minimal production configuration looks like:\n\nThe file contains six sections and the secrets stay in environment variables. The Bedrock upstream uses the container’s IAM role, so there are no static credentials to manage. To route through Claude Platform on AWS instead, replace the upstreams block:\n\nModel IDs are the same as the Anthropic API (`claude-sonnet-5`\n\n, `claude-opus-4-8`\n\n). No Amazon Bedrock ARNs or inference profiles needed.\n\nThe gateway runs as a stateless container in your private network on [Amazon Elastic Container Service (Amazon ECS)](https://aws.amazon.com/ecs/), [Amazon Elastic Kubernetes Service (Amazon EKS)](https://aws.amazon.com/eks/), or [Amazon Elastic Compute Cloud (Amazon EC2)](https://aws.amazon.com/ec2/). You place it behind an internal [Application Load Balancer](https://aws.amazon.com/elasticloadbalancing/) with a Transport Layer Security (TLS) certificate from [AWS Certificate Manager](https://aws.amazon.com/certificate-manager/). [Amazon Relational Database Service (Amazon RDS)](https://aws.amazon.com/rds/) for PostgreSQL stores short-lived sign-in state. Developers reach the gateway through your private network, and the gateway uses an IAM task role to call the upstream provider on their behalf.\n\n### Developer sign-in\n\nOnce the gateway is deployed, developers run `claude /login`\n\n. Administrators push a managed settings file to developer machines via their device management tool that pre-fills the gateway URL, so developers see the Claude apps gateway screen directly.\n\nThey press Enter, and a browser opens with your corporate SSO.\n\nOne sign-in, and they’re connected. The session refreshes silently in the background using OIDC refresh tokens, so developers stay authenticated across restarts without repeated browser logins. If a user is removed from the IdP, their session expires at the next refresh.\n\n### Working with Claude Code\n\nAfter sign-in, developers use Claude Code exactly as they would with any other authentication method. They write code, run commands, and interact with Claude normally. The difference is invisible to them: every request is authenticated through the gateway, routed through your configured upstream, and governed by the policies you set centrally.\n\nThe `/model`\n\npicker shows only the models your policy allows. Beyond model access, policies can control tool permissions, such as restricting file writes or web access. They can also enforce permission rules that developers cannot override locally, and push environment variables or hooks to standardize workflows across teams. Usage is attributed to each developer’s identity, and spend is tracked against their cap. If they leave the company, removing them from the IdP revokes access within the configured session lifetime.\n\n## Conclusion\n\nWith the Claude apps gateway for AWS, you can expand Claude Code and Claude Desktop adoption across your organization while managing identity, policy, and cost from one place. Identity flows through your existing IdP, policy is enforced centrally, and cost is attributed per user, with no long-lived secrets on developer machines.\n\nBecause the gateway is self-hosted, you can deploy it in any AWS Region and route inference to Amazon Bedrock or Claude Platform on AWS, including cross-Region and cross-account setups. Choose Amazon Bedrock when data must stay within the AWS security boundary, or Claude Platform on AWS for access to Anthropic’s native platform experience with AWS authentication and billing.\n\nTo get started, download the [Claude Code CLI](https://code.claude.com/docs/en/quickstart) and review the [Claude apps gateway documentation](https://code.claude.com/docs/en/claude-apps-gateway). Send feedback to AWS re:Post for Amazon Bedrock or through your usual AWS Support contacts.", "url": "https://wpnews.pro/news/introducing-claude-apps-gateway-for-aws", "canonical_source": "https://aws.amazon.com/blogs/machine-learning/introducing-claude-apps-gateway-for-aws/", "published_at": "2026-07-08 19:49:22+00:00", "updated_at": "2026-07-08 20:16:46.714799+00:00", "lang": "en", "topics": ["ai-tools", "ai-infrastructure", "ai-policy", "developer-tools"], "entities": ["Anthropic", "AWS", "Amazon Bedrock", "Claude Code", "Claude Desktop", "Claude Platform on AWS", "PostgreSQL"], "alternates": {"html": "https://wpnews.pro/news/introducing-claude-apps-gateway-for-aws", "markdown": "https://wpnews.pro/news/introducing-claude-apps-gateway-for-aws.md", "text": "https://wpnews.pro/news/introducing-claude-apps-gateway-for-aws.txt", "jsonld": "https://wpnews.pro/news/introducing-claude-apps-gateway-for-aws.jsonld"}}