inferenceProvider to gateway and supply the base URL and credentials described below.
The gateway must implement the Anthropic Messages API:
POST /v1/messageswith streaming and tool use is required.GET /v1/modelsis optional. If the gateway implements it, Claude Desktop on 3P auto-discovers available models; if not, setinferenceModelsexplicitly.
Choose an authentication approach
Prepare devices
Static API key
No per-device preparation is required. Generate an API key in your gateway and place it in the managed configuration asinferenceGatewayApiKey (see Configure the app).
Single sign-on with your identity provider
Instead of distributing a shared gateway API key, you can have each user sign in with their own work account. The first time a user opens Claude Desktop, the app opens their browser to your organization’s normal sign-in page (Microsoft Entra ID, Okta, or any OpenID Connect provider). After they sign in, the app sends a per-user token to your gateway on every request, and your gateway checks that token to confirm who the user is. This gives you per-user attribution in your gateway logs, lets your identity provider enforce MFA and conditional access, and means there is no long-lived credential to distribute or rotate. You need three things in place:- An LLM gateway that can validate JSON Web Tokens (LiteLLM, Kong, Envoy, and Azure API Management all support this)
- Admin access to your identity provider to register a new application
- A way to push managed configuration to user devices (your existing MDM)
Set up single sign-on
1
Register an application in Entra ID
In the Microsoft Entra admin center, go to Identity → Applications → App registrations and select New registration. Give it a name such as A few details that matter here: use
Claude Desktop gateway, choose Accounts in this organizational directory only, and select Register.On the overview page, copy the Application (client) ID and Directory (tenant) ID. You will use both in the next two steps.Open the Authentication blade, select Add a platform, and choose Mobile and desktop applications. Under Custom redirect URIs, add exactly:127.0.0.1 (not localhost), include the /callback path, and add it under the Mobile and desktop applications platform specifically. That platform is the only one Entra allows to use any local port, which the app needs because it picks a free port at sign-in time. You do not need a client secret or any additional API permissions.2
Configure your gateway to validate the token
Tell your gateway to accept the bearer token only if it was issued by your tenant for this application. In LiteLLM that looks like:Replace
YOUR_TENANT_ID and YOUR_CLIENT_ID with the values from step 1.For Kong, Envoy, or Azure API Management, configure the equivalent JWT validation policy with the same JWKS URL and audience.3
Configure in the app
Open the in-app configuration window (Developer → Configure Third-Party Inference…). In the Connection section, set Inference provider to Gateway and Credential kind to Interactive sign-in. This hides the API-key field and reveals Gateway SSO IdP (OIDC):
Then click Export to produce a
.mobileconfig (macOS) or .reg (Windows) file for your MDM. See Deploy with MDM for the export and deployment workflow.When a user next opens Claude Desktop, they see a Sign in to your organization button. Clicking it opens their browser to your Entra sign-in page; once they approve, they return to the app and can start working. The app keeps them signed in and refreshes the token in the background. If the session is revoked or expires under your tenant’s policy, the app shows a Sign in again prompt; clicking it reopens the sign-in page in the browser.Using Okta instead
In the Okta Admin Console, create a Native application with the Authorization Code and Refresh Token grant types. Okta requires the redirect URI to match exactly, including the port, so pick a fixed port (for example53180), register http://127.0.0.1:53180/callback, and set that same port in Gateway SSO IdP (OIDC):
Use the issuer value, not the Metadata URI. Okta’s admin console shows the metadata URI (ending in
/.well-known/openid-configuration) prominently — that is the discovery document the app fetches from the issuer, not the issuer itself. If you are unsure, open the metadata URI in a browser and copy the "issuer" field from the JSON response. For a custom Okta authorization server the issuer is https://YOUR_ORG.okta.com/oauth2/AUTH_SERVER_ID.https://YOUR_ORG.okta.com/oauth2/v1/keys with audience set to the Okta client ID.
Map users at the gateway
Claude Desktop forwards the identity provider’s token to your gateway verbatim — it does not add, remove, or rewrite any claims. With the default scopes (openid profile email offline_access), the ID token your gateway receives contains the standard OIDC sub, email, and name claims, plus whatever your provider includes for the profile scope. You can confirm exactly what is present by base64-decoding the middle segment of the Authorization: Bearer value your gateway receives.
Key the gateway’s user record on the provider’s immutable user ID rather than email, so the record survives email or name changes:
If your gateway has no existing user records to preserve, the simplest setup is to auto-provision on first sign-in. For LiteLLM, extend the validation block from step 2:
groups claim for team-level budgets), add them on your identity provider’s authorization server — they pass through to the gateway unchanged. To request a non-default scope, set scopes in inferenceGatewayOidc (see Single sign-on configuration keys).
Refresh tokens and session lifetime
Silent token refresh requires a refresh token from your identity provider, which in turn requires theoffline_access scope on the authorization request. Whether Claude Desktop sends that scope depends on how you set scopes and bearerTokenType:
scopesleft unset — the default (openid profile email offline_access) includesoffline_access, so a refresh token is issued.bearerTokenType: "access_token"— Claude Desktop automatically appendsoffline_accessto whateverscopesvalue you supply, unlessappendOfflineAccessis set tofalse.bearerTokenType: "id_token"(the default) withscopesset explicitly — Claude Desktop does not addoffline_accessfor you. Include it in yourscopesvalue if you want silent refresh; without it, users are prompted to sign in again each time the ID token expires (commonly about one hour).
offline_access signals that the client may use the refresh token while the user is not present, and the provider must obtain consent for it. Claude Desktop therefore does not add this scope to an administrator-supplied scopes value in the default mode, so that requesting offline access remains an explicit choice.
Authorization servers that reject offline_access. Standard OIDC providers (Entra ID, Okta, Auth0) accept offline_access and require it to issue a refresh token, so the automatic append is what you want. If your authorization server instead rejects unrecognized scopes with an invalid_scope error — for example, servers that issue refresh tokens via a provider-specific scope rather than offline_access — set appendOfflineAccess to false and include your provider’s own refresh-token scope in scopes directly.
Configure the app
Open the in-app configuration window (Developer → Configure Third-Party Inference…). In the Connection section, set Inference provider to Gateway, then fill in the Gateway credentials card:
Then click Export to produce a
.mobileconfig (macOS) or .reg (Windows) file for your MDM. See Deploy with MDM for the export and deployment workflow.
Configuration keys
inferenceGatewayOidc details
inferenceGatewayOidc details
External IdP mode. The app discovers IdP setup. The app’s loopback callback binds
<issuer>/.well-known/openid-configuration, runs an OIDC authorization-code-with-PKCE flow in the system browser with clientId, and sends the resulting token as Authorization: Bearer on every inference request — see Bearer token type below for how the gateway validates it.Bearer token type. id_token (the default) sends the OIDC ID token — the gateway validates signature + iss + aud, where aud is the clientId configured here. access_token sends the OAuth access token — the gateway validates as an OAuth resource server against the audience/scope the IdP issued the token for; set scopes to the gateway’s registered API scope (required in this mode). Use access_token for gateways that expect a resource-server token (Portkey, Kong, Envoy JWT filter, AWS API Gateway authorizers).The gateway MUST validate iss AND aud, not just the signature. Signature + issuer alone accepts any token from the same tenant, including tokens issued to unrelated apps. In id_token mode the audience is the clientId:http://127.0.0.1:<port>/callback (RFC 8252 §7.3). Register 127.0.0.1; most IdPs do not treat localhost and 127.0.0.1 as interchangeable. Entra: register a public-client app, add a Mobile and desktop applications redirect URI of http://127.0.0.1/callback. (Microsoft’s docs say the path is wildcarded for loopback; in practice it is not: http://127.0.0.1 without /callback fails with AADSTS50011. The port IS wildcarded.) Grant openid profile email offline_access (delegated, no admin consent); in access_token mode also add the gateway API’s delegated permission under API permissions (and ensure the gateway’s own app registration exposes that scope via Expose an API) — without it Entra rejects the sign-in with AADSTS65001. Okta: register a Native app with the exact redirect URI http://127.0.0.1:<port>/callback and set redirectPort here to that port (Okta requires an exact match).Refresh: offline_access returns a refresh token; the app refreshes the bearer silently before expiry. When refresh fails (revoked, idle past the IdP’s window), the user re-authenticates in the browser. Google Workspace caveat (id_token mode only): Google never returns id_token on a refresh-token grant, so a Google-backed gateway in id_token mode will prompt a browser sign-in roughly once per ID-token TTL (~1h). Entra and Okta return a fresh id_token and are unaffected; access_token mode is unaffected on all IdPs.Leave this unset for a gateway that hosts its own RFC 8414 metadata at <baseUrl>/.well-known/oauth-authorization-server (the original gateway-as-AS path).inferenceCustomHeaders. It applies to all providers, not just gateways.
Single sign-on configuration keys
Single sign-on is enabled by settinginferenceCredentialKind to interactive and supplying inferenceGatewayOidc. Both are required — interactive alone (without inferenceGatewayOidc) selects a different mode where the gateway itself acts as the authorization server.
The
inferenceGatewayOidc value is one JSON object with these fields:
* Either
issuer, or both authorizationUrl and tokenUrl, is required.
In a macOS .mobileconfig payload (Okta example):
inferenceGatewayAuthScheme: "sso" to select this mode. That value is deprecated; set inferenceCredentialKind: "interactive" instead. Existing deployments that still send inferenceGatewayAuthScheme: "sso" continue to work.
Models
WheninferenceModels is unset, Claude Desktop on 3P populates the model picker from your gateway’s GET /v1/models response. Auto-discovery shows only models whose IDs are recognizably Claude; if your gateway advertises models under opaque aliases, set inferenceModels explicitly. Set inferenceModels to override discovery with an explicit list — the picker will show exactly the entries you provide. Use the model IDs your gateway expects (for example bedrock/us.anthropic.claude-opus-4-7 for a LiteLLM-style routing prefix).
MCP tool search
MCP tool search loads MCP tool schemas on demand instead of inlining every schema into the context window. It reduces context pressure when many MCP tools are configured (sessions that otherwise compact every turn or two). Claude Desktop on 3P turns it off by default, along with Claude Code’s other experimental beta features, because strict gateways reject the experimentalanthropic-beta request headers and request fields those features add. This suppression takes precedence over the ENABLE_TOOL_SEARCH environment variable, so setting that variable has no effect on Claude Desktop sessions. The variable applies only to terminal Claude Code running outside Claude Desktop.
To turn tool search on for Claude Desktop, set the toolSearchEnabled configuration key. Requires app version 1.21459.0 or later.
Troubleshoot
gateway SSO: server does not advertise device_authorization_endpoint — The app could not read your inferenceGatewayOidc value, so it fell back to treating the gateway itself as the sign-in server. Almost always this means the value is not a valid JSON string (for example, separate dotted keys, or a plist <dict> instead of a <string>). Re-export from the in-app configuration window, or copy the .mobileconfig snippet above.
OIDC discovery failed (HTTP 404) or (HTTP 405) — The issuer value is not the issuer base URL. Most often the metadata URI (ending in /.well-known/openid-configuration) was pasted instead, which doubles the path. Remove that suffix so issuer is just https://YOUR_ORG.okta.com (or the equivalent for your provider).
no credential configured for provider "gateway": set inferenceCredentialKind or one of the credential fields — inferenceCredentialKind: "interactive" is not present in the pushed configuration.
Browser shows “Connected” but the app reports the sign-in failed, or Token exchange failed (HTTP 401) — The browser step succeeded, but the identity provider rejected the follow-up token request. This usually means the IdP application is registered as a confidential (Web) client, which expects a client secret. Claude is a public PKCE client and doesn’t send one. Register a public/native client instead: Native Application in Okta, or the Mobile and desktop applications platform in Entra ID. Application type generally can’t be changed after creation, so you may need to create a new one.
Google Workspace can be used as the identity provider, but in the default
id_token mode Google does not issue a fresh ID token on background refresh, so users are prompted to sign in again roughly once an hour. Setting bearerTokenType to access_token avoids this. Entra ID and Okta are not affected in either mode.