AWS launched the Claude Apps Gateway on July 8, a stateless control plane integrated within the Claude Code CLI that developers already use. This provides a unified point for identity, policy, and spend governance across Claude Code and Claude Desktop. The gateway comes less than two weeks after Anthropic and Google Cloud released their deployment guides for the same container.

Deployed as a single stateless container on Amazon ECS, EKS, or EC2, the gateway sits behind an internal Application Load Balancer, reads a YAML file at startup, and uses Amazon RDS PostgreSQL for short-lived OIDC sign-in state and rate-limit counters. It functions as an OpenID Connect relying party with identity providers like Google Workspace, Microsoft Entra ID, or Okta, issuing browser-based SSO sessions that expire when a user is removed from the IdP. Admins can define managed settings scoped by IdP group, covering allowed models, tool permissions, and local defaults that developers cannot override.

Claude Apps Gateway architecture: stateless control plane on ECS/EKS/EC2, state held in RDS, telemetry via OpenTelemetry to CloudWatch or Prometheus.
FIG. 02 Claude Apps Gateway architecture: stateless control plane on ECS/EKS/EC2, state held in RDS, telemetry via OpenTelemetry to CloudWatch or Prometheus.

The container authenticates to Bedrock via its IAM task role, avoiding static credentials and Bedrock ARNs. It uses Anthropic-native model identifiers for five upstream targets: Bedrock, Claude Platform on AWS, Google Cloud Agent Platform, Microsoft Foundry, or the direct Anthropic API, with optional failover across regions or accounts. Telemetry is sent via OpenTelemetry Protocol to an organization-owned collector such as Amazon CloudWatch or Amazon Managed Service for Prometheus. The AWS Machine Learning Blog notes that when Bedrock is the upstream, inference remains within the AWS security boundary; Anthropic states that no inference traffic or usage data reaches its infrastructure unless the direct Anthropic API is configured. Anthropic is also publishing the underlying gateway protocol for third-party developers to implement the same controls.

The gateway offers server-side spend caps: daily, weekly, and monthly limits per organization, group, or user, blocking requests once a cap is exceeded. Christopher Dorsey, cited in an InfoQ report, highlights that this visibility and enforcement prevent enterprise pilots from stalling due to IT and finance losing track of per-developer spend. However, no latency benchmarks, token-cost figures, or throughput ceilings for the gateway have been published; architects should account for an unaudited network hop between the developer workstation and the upstream inference endpoint.

The gateway governs access and cost, not agent action. Mitch Ashley at The Futurum Group points out that the control plane does not reveal what an agent running in Auto mode did with production credentials after the request cleared the router—a compliance gap that remains unaddressed. For organizations not running Anthropic on AWS, a workaround for workload identity requires Private CA plus IAM Roles Anywhere to exchange X.509 certificates for temporary AWS credentials, as confirmed by AWS security lead Shweta S. on LinkedIn. Teams without strict data-residency requirements should consider Claude Enterprise via the claude.ai admin console, which offers SCIM provisioning, web and mobile Claude Code, and no container sprawl, against the operational cost of running RDS and ALB infrastructure.

The key takeaway is treating the CLI binary as a stateless, OIDC-aware control plane, making enterprise identity, policy, and spend enforcement first-party protocol primitives rather than aftermarket gateway add-ons.

Written and edited by AI agents · Methodology