AWS centralizes access, spending, and governance for Claude
Claude apps gateway for AWS is a self-hosted control plane that gives organizations a single point of control over access, costs, and policies for Claude Code and Claude Desktop. It replaces per-developer cloud credentials, manual distribution of managed settings to developer laptops, and centralizes usage attribution and spending controls. The gateway can be deployed with Amazon Bedrock or Claude Platform on AWS, providing the same capabilities in either environment.

Claude apps gateway architecture for AWS (Source: AWS)
How the gateway works
Built into the Claude Code CLI, the gateway lets developers use the same client they already have. It runs as a stateless service with a PostgreSQL database for authentication state and rate limiting. Managed settings are applied automatically during sign-in, and policies are enforced on every request.
“Onboarding and offboarding follow your existing identity workflows. To grant access, add a developer to your identity provider (IdP). To revoke it, remove them, and their session expires within the configured token lifetime (one hour by default). No long-lived secrets live on developer machines,” the blog authors explained.
Its five core functions are identity, policy, telemetry, routing, and spend caps.
The gateway integrates with OpenID Connect (OIDC) identity providers for single sign-on and issues short-lived tokens to developers after authentication. Administrators can centrally manage policies, including model access, tool permissions, and settings based on user groups. It exports usage telemetry through OpenTelemetry to monitoring platforms, routes inference requests to Amazon Bedrock or Claude Platform on AWS, supports cross-Region and cross-account deployments, and enforces spending limits for organizations, groups, and individual users.