Claude Apps Gateway: Self-Hosted Control Plane for Enterprise Claude Code with OIDC and Spend Limits
What's new
- OIDC identity: Acts as an OpenID Connect relying party against Google Workspace, Microsoft Entra ID, Okta, or any standards-compliant OIDC provider
- Central policy enforcement: Define and enforce managed settings across all client machines
- Per-user telemetry: Collect usage data via OTLP to your own infrastructure
- Provider routing: Routes inference to Claude API, Amazon Bedrock, or Google Cloud with optional failover
- Spend controls: Daily, weekly, and monthly limits by organization, group, or individual user
- Technical: Single stateless container on Linux backed by PostgreSQL; ships within the existing Claude binary
Why it matters
For enterprises wanting to give developers Claude Code access without losing governance control — this addresses SSO, audit logging, spend management, and cloud routing in one self-hosted solution. No new software deployment beyond OIDC app registration.
How to try it
Documentation available at code.claude.com/docs. The gateway runs as a Docker container using the existing Claude binary.
Open original source
Anthropic