Introducing the Claude Apps gateway for AWS

Businesses using Claude Code and Claude Desktop across development teams need centralized control over access, costs, and policy. At scale, this is difficult to manage: each developer needs individual information, settings must be deployed manually, and spending is difficult to track or access. Without a central locus of control, governance is left to whatever tool each group can use independently.
Today, we're announcing the Claude applications gateway for AWS, a management plane that gives organizations a single place to control access, cost, and policy for Claude Code and Claude Desktop. It replaces the need to provide separate cloud information for each developer, push settings for every laptop manually, or set up different tools to track usage. You can use it with Amazon Bedrock to store data within the AWS security perimeter, or with the Claude Platform on AWS to get the same gateway controls through the Claude platform experience.
A high-level overview of Claude's applications portal for AWS
In this post, we show how to set up and use the Claude applications gateway for AWS with Amazon Bedrock and the Claude Platform on AWS.
How does the Claude apps portal work
Gateway is delivered by Anthropic within the same Claude Code CLI binary that your developers already use. You can run it in a single container in your infrastructure, backed by a PostgreSQL database that stores temporary login status and rate limit calculations. Because the gateway and the client are built together, the /login the flow is known through the gate. The client uses the managed settings automatically when they sign in, and the policy is applied consistently across the application.
Boarding and skipping follows your existing workflow. To grant access, add a developer to your identity provider (IdP). To revoke them, delete them, and their session expires within the specified token lifetime (one hour by default). There are no long-lasting secrets that reside in developer's devices.
Figure 1: Claude apps gateway architecture for AWS
The gateway handles five key responsibilities:
- Ownership: The gateway connects to any OpenID Connect (OIDC) standards-compliant identity provider. After a developer logs in via browser single sign-on (SSO), the gateway issues a temporary token that is used by the CLI on all subsequent requests.
- Policy: Defines managed settings once on the server. Clients receive the policy at login, and the gateway applies it to every request. You can configure allowed models, device permissions, and default settings centrally, across IdP groups.
- Telemetry: The client stamps the usage metric for every request, and the gateway transmits it via OpenTelemetry Protocol (OTLP) to the aggregator you configure, such as Amazon CloudWatch or Amazon Managed Service for Prometheus in your account, or a third-party platform. You control where the telemetry goes and how long it is stored.
- Route: The gateway manages your upstream data and routing requests to Amazon Bedrock or Claude Platform on AWS on behalf of developers, with optional failover between AWS regions or across multiple accounts.
- Use caps: Set daily, weekly, and monthly cash limits per organization, group, or user. If a developer exceeds their cap, the gateway blocks further requests until the time is reset or the administrator raises the limit.
When Claude's applications gateway is used with Amazon Bedrock, virtual requests go through Amazon Bedrock in the AWS Regions you configure, maintaining the same data management and privacy controls as any other Amazon Bedrock load in your account. When the Claude applications gateway is used with the Claude Platform on AWS, requests are processed by Anthropic.
Configuration
The gateway reads a single YAML file initially. Here's what a minimal production configuration looks like:
gateway.yaml — full configuration for Amazon Bedrock deployment
The file contains six sections and the secrets reside in environment variables. Upgrading Bedrock uses the IAM role for the container, so there are no static credentials to manage. To go through the Claude Platform on AWS instead, replace the ascending block:
Model IDs are the same as the Anthropic API (claude-sonnet-5, claude-opus-4-8). No Amazon Bedrock ARNs or descriptive profiles are required.
The gateway acts as a stateless container on your private network in Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Kubernetes Service (Amazon EKS), or Amazon Elastic Compute Cloud (Amazon EC2). You place it behind an internal Application Load Balancer with a Transport Layer Security (TLS) certificate from the AWS Certificate Manager. Amazon Relational Database Service (Amazon RDS) for PostgreSQL maintains a temporary login state. Developers access the gateway through your private network, and the gateway uses the IAM role to call the upstream provider on its behalf.
Developer login
Once the gate is deployed, developers are active claude /login. Administrators push a managed settings file to developer devices with their device management tool that pre-populates the gateway URL, so developers can see the gateway screen for Claude applications directly.
The login screen for the Claude Apps portal to Claude Code
They press Enter, and the browser opens with your corporate SSO.
SSO browser authentication with your identity provider
One login, and they are connected. The session is silently refreshed in the background using OIDC refresh tokens, so developers remain authenticated across restarts without repeated browser logins. If a user is removed from the IdP, their session expires at the next renewal.
Working with Claude Code
After signing in, developers use the Claude Code as they would with any other authentication method. They write code, run commands, and generally interact with Claude. The difference is invisible to them: every request is authenticated through a gateway, routed through your default escalation path, and governed by the policies you set centrally.
Claude's code responds to the prompt, relayed to Amazon Bedrock through the gateway
I /model The feature only shows the models allowed by your policy. Beyond model access, policies can control device permissions, such as restricting file writes or web access. They can also implement permission rules that developers can override locally, and push local variables or hooks to standardize workflows across teams. Usage is attributed to each developer's ownership, and revenue is tracked against their cap. If they leave the company, removing them from the IdP revokes access for the entire set lifetime.
The conclusion
With the Claude applications gateway for AWS, you can expand the adoption of Claude Desktop and across your organization while managing identity, policy, and costs in one place. Identity flows through your existing IdP, policy is enforced in one place, and costs are limited per user, with no long-term secrets on developer machines.
Because the gateway is self-contained, you can deploy it in any AWS Region and route it to Amazon Bedrock or Claude Platform on AWS, including cross-Region and cross-account setup. Choose Amazon Bedrock where data must stay within the AWS security perimeter, or Claude Platform on AWS to access the native Anthropic platform experience with AWS authentication and billing.
To get started, download the Claude Code CLI and review the Claude applications gateway documentation. Submit a response to AWS and: Submit to Amazon Bedrock or through the usual AWS support contacts.
About the writers



