Screenshot 2026 07 08 at 20031PM
Enterprises deploying Claude Code and Claude Desktop across development teams need centralized control over access, cost, and policy. At scale, this is hard to manage: each developer needs an individual credential, settings must be distributed manually, and spend is difficult to track or cap. Without a centralized control point, governance is left to whatever tooling each team can implement independently.
Today, we’re announcing the Claude apps gateway for AWS, a self-hosted control plane that gives organizations a single point of control over access, cost, and policy for Claude Code and Claude Desktop. It replaces the need to provision a separate cloud credential per developer, push settings to every laptop by hand, or stand up separate tooling to track spend. You can deploy it through Amazon Bedrock to keep data within the AWS security boundary, or through Claude Platform on AWS to get the same gateway controls with the native Claude platform experience.
High level overview of Claude apps gateway for AWS
In this post, we show how to set up and run Claude apps gateway for AWS with Amazon Bedrock and Claude Platform on AWS.
The gateway is delivered by Anthropic inside the same Claude Code CLI binary your developers already use. You can run it in one stateless container on your infrastructure, backed by a PostgreSQL database that stores short-lived sign-in state and rate-limit counters. Because the gateway and the client are built together, the /login flow is gateway-aware. The client applies managed settings automatically at sign-in, and policy is enforced consistently on every request.
Onboarding and offboarding follow your existing identity workflows. To grant access, add a developer to your identity provider (IdP). To revoke it, remove them, and their session expires within the configured token lifetime (one hour by default). No long-lived secrets live on developer machines.
Figure 1: Claude apps gateway architecture for AWS
The gateway handles five core responsibilities:
When Claude apps gateway is used with Amazon Bedrock, inference requests go through Amazon Bedrock in the AWS Regions you configure, maintaining the same data handling and privacy controls as any other Amazon Bedrock workload in your account. When Claude apps gateway is used with Claude Platform on AWS, requests are processed by Anthropic.
The gateway reads a single YAML file at startup. Here’s what a minimal production configuration looks like:
gateway.yaml — the full configuration for an Amazon Bedrock deployment
The file contains six sections and the secrets stay in environment variables. The Bedrock upstream uses the container’s IAM role, so there are no static credentials to manage. To route through Claude Platform on AWS instead, replace the upstreams block:
Model IDs are the same as the Anthropic API (claude-sonnet-5, claude-opus-4-8). No Amazon Bedrock ARNs or inference profiles needed.
The gateway runs as a stateless container in your private network on Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Kubernetes Service (Amazon EKS), or Amazon Elastic Compute Cloud (Amazon EC2). You place it behind an internal Application Load Balancer with a Transport Layer Security (TLS) certificate from AWS Certificate Manager. Amazon Relational Database Service (Amazon RDS) for PostgreSQL stores short-lived sign-in state. Developers reach the gateway through your private network, and the gateway uses an IAM task role to call the upstream provider on their behalf.
Once the gateway is deployed, developers run claude /login. Administrators push a managed settings file to developer machines via their device management tool that pre-fills the gateway URL, so developers see the Claude apps gateway screen directly.
The Claude apps gateway login screen in Claude Code
They press Enter, and a browser opens with your corporate SSO.
Browser SSO authentication through your identity provider
One sign-in, and they’re connected. The session refreshes silently in the background using OIDC refresh tokens, so developers stay authenticated across restarts without repeated browser logins. If a user is removed from the IdP, their session expires at the next refresh.
After sign-in, developers use Claude Code exactly as they would with any other authentication method. They write code, run commands, and interact with Claude normally. The difference is invisible to them: every request is authenticated through the gateway, routed through your configured upstream, and governed by the policies you set centrally.
Claude Code responding to a prompt, routed through Amazon Bedrock via the gateway
The /model picker shows only the models your policy allows. Beyond model access, policies can control tool permissions, such as restricting file writes or web access. They can also enforce permission rules that developers cannot override locally, and push environment variables or hooks to standardize workflows across teams. Usage is attributed to each developer’s identity, and spend is tracked against their cap. If they leave the company, removing them from the IdP revokes access within the configured session lifetime.
With the Claude apps gateway for AWS, you can expand Claude Code and Claude Desktop adoption across your organization while managing identity, policy, and cost from one place. Identity flows through your existing IdP, policy is enforced centrally, and cost is attributed per user, with no long-lived secrets on developer machines.
Because the gateway is self-hosted, you can deploy it in any AWS Region and route inference to Amazon Bedrock or Claude Platform on AWS, including cross-Region and cross-account setups. Choose Amazon Bedrock when data must stay within the AWS security boundary, or Claude Platform on AWS for access to Anthropic’s native platform experience with AWS authentication and billing.
To get started, download the Claude Code CLI and review the Claude apps gateway documentation. Send feedback to AWS re:Post for Amazon Bedrock or through your usual AWS Support contacts.
NVIDIA Nemotron 3 Ultra is offering leading performance at lower cost than top closed models…
The animal escaped after apparently arriving inside a package at Meta's Bangkok office, injuring one…
A Korean research team has developed a technology that enables the stable stacking of more…
Tools execute code.
... government of the people, by the people, for the people ... — Abraham Lincoln,…
This study focuses on Text-to-Sounding-Video (T2SV) generation, which aims to generate a video with synchronized…