Instead of distributing a shared gateway API key, you can have each user sign in with their own work account. The first time a user opens Cowork, the app opens their browser to your organization’s normal sign-in page (Microsoft Entra ID, Okta, or any OpenID Connect provider). After they sign in, the app sends a per-user token to your gateway on every request, and your gateway checks that token to confirm who the user is. This gives you per-user attribution in your gateway logs, lets your identity provider enforce MFA and conditional access, and means there is no long-lived credential to distribute or rotate.Documentation Index
Fetch the complete documentation index at: https://claude.com/docs/llms.txt
Use this file to discover all available pages before exploring further.
Requires Claude Desktop 1.5.0 or later.
Before you start
You need three things in place:- An LLM gateway that can validate JSON Web Tokens (LiteLLM, Kong, Envoy, and Azure API Management all support this)
- Admin access to your identity provider to register a new application
- A way to push managed configuration to user devices (your existing MDM)
Set up single sign-on
Register an application in Entra ID
In the Microsoft Entra admin center, go to Identity → Applications → App registrations and select New registration. Give it a name such as A few details that matter here: use
Claude Cowork gateway, choose Accounts in this organizational directory only, and select Register.On the overview page, copy the Application (client) ID and Directory (tenant) ID. You will use both in the next two steps.Open the Authentication blade, select Add a platform, and choose Mobile and desktop applications. Under Custom redirect URIs, add exactly:127.0.0.1 (not localhost), include the /callback path, and add it under the Mobile and desktop applications platform specifically. That platform is the only one Entra allows to use any local port, which the app needs because it picks a free port at sign-in time. You do not need a client secret or any additional API permissions.Configure your gateway to validate the token
Tell your gateway to accept the bearer token only if it was issued by your tenant for this application. In LiteLLM that looks like:Replace
YOUR_TENANT_ID and YOUR_CLIENT_ID with the values from step 1.For Kong, Envoy, or Azure API Management, configure the equivalent JWT validation policy with the same JWKS URL and audience.Configure in the app
Open the in-app configuration window (Developer → Configure third-party inference). In the Connection section, set Inference provider to Gateway and Credential kind to Interactive sign-in. This hides the API-key field and reveals Gateway SSO IdP (OIDC):
Then click Export to produce a
| Field | Value |
|---|---|
| Gateway base URL | https://llm-gateway.example.corp |
| Credential kind | Interactive sign-in |
| Gateway SSO IdP (OIDC) → Client ID | YOUR_CLIENT_ID |
| Gateway SSO IdP (OIDC) → Issuer URL | https://login.microsoftonline.com/YOUR_TENANT_ID/v2.0 |
| Gateway SSO IdP (OIDC) → Scopes | leave empty for the default |
| Gateway SSO IdP (OIDC) → Redirect port | leave empty |
.mobileconfig (macOS) or .reg (Windows) file for your MDM. See Installation and setup for the export and deployment workflow.When a user next opens Cowork, they see a Sign in to your organization button. Clicking it opens their browser to your Entra sign-in page; once they approve, they return to the app and can start working. The app keeps them signed in and refreshes the token in the background, so they will not see the browser again unless their session is revoked or expires under your tenant’s policy.Using Okta instead
In the Okta Admin Console, create a Native application with the Authorization Code and Refresh Token grant types. Okta requires the redirect URI to match exactly, including the port, so pick a fixed port (for example53180), register http://127.0.0.1:53180/callback, and set that same port in Gateway SSO IdP (OIDC):
| Field | Value |
|---|---|
| Client ID | YOUR_CLIENT_ID |
| Issuer URL | https://YOUR_ORG.okta.com |
| Scopes | leave empty for the default |
| Redirect port | 53180 |
Use the issuer value, not the Metadata URI. Okta’s admin console shows the metadata URI (ending in
/.well-known/openid-configuration) prominently — that is the discovery document the app fetches from the issuer, not the issuer itself. If you are unsure, open the metadata URI in a browser and copy the "issuer" field from the JSON response. For a custom Okta authorization server the issuer is https://YOUR_ORG.okta.com/oauth2/AUTH_SERVER_ID.https://YOUR_ORG.okta.com/oauth2/v1/keys with audience set to the Okta client ID.
Map users at the gateway
Cowork forwards the identity provider’s token to your gateway verbatim — it does not add, remove, or rewrite any claims. With the default scopes (openid profile email offline_access), the ID token your gateway receives contains the standard OIDC sub, email, and name claims, plus whatever your provider includes for the profile scope. You can confirm exactly what is present by base64-decoding the middle segment of the Authorization: Bearer value your gateway receives.
Key the gateway’s user record on the provider’s immutable user ID rather than email, so the record survives email or name changes:
| Provider | Stable user-ID claim |
|---|---|
| Entra ID | oid |
| Okta and most other OIDC providers | sub |
groups claim for team-level budgets), add them on your identity provider’s authorization server — they pass through to the gateway unchanged. To request a non-default scope, set scopes in inferenceGatewayOidc (see the table below).
Configuration keys
This feature is enabled by settinginferenceCredentialKind to interactive and supplying inferenceGatewayOidc. Both are required — interactive alone (without inferenceGatewayOidc) selects a different mode where the gateway itself acts as the authorization server.
| Setting | MDM key | Required | Description |
|---|---|---|---|
| Credential kind | inferenceCredentialKind | Yes — must be interactive | Selects sign-in instead of an API key. Existing configurations that set inferenceGatewayAuthScheme: "sso" continue to work and are treated as equivalent. |
| Gateway SSO IdP (OIDC) | inferenceGatewayOidc | Yes | A single JSON object describing the identity provider (fields below). The resulting token is sent to the gateway as the bearer credential. |
inferenceGatewayOidc value is one JSON object with these fields:
| Field | Required | Description |
|---|---|---|
clientId | Yes | Application (client) ID registered with the identity provider. |
issuer | Yes* | OIDC issuer URL — the base URL only, without /.well-known/openid-configuration. The app appends that path itself to discover the authorization and token endpoints. |
authorizationUrl | No* | Explicit OIDC authorization endpoint. Use together with tokenUrl instead of issuer when the identity provider does not serve /.well-known/openid-configuration. Ignored when issuer is set. |
tokenUrl | No* | Explicit OIDC token endpoint. Must be set together with authorizationUrl. Ignored when issuer is set. |
scopes | No | Space-separated OIDC scopes. Defaults to openid profile email offline_access. Required when bearerTokenType is access_token. |
redirectPort | No | Fixed local port for the loopback redirect. Leave unset to let the app choose an ephemeral port (Entra). Set when the provider requires an exact port match (Okta). |
bearerTokenType | No | Which token the app sends to the gateway as the Authorization: Bearer value. id_token (the default) sends the OIDC ID token — the gateway validates it offline against the provider’s JWKS with aud equal to the client ID. access_token sends the OAuth access token instead — use this for gateways that validate as an OAuth resource server rather than validating the ID token directly. When set to access_token, scopes is required. |
issuer, or both authorizationUrl and tokenUrl, is required.
In a macOS .mobileconfig payload (Okta example):
<key>inferenceGatewayAuthScheme</key><string>sso</string> instead of inferenceCredentialKind do not need to change — both are accepted.
The remaining gateway keys (inferenceGatewayBaseUrl, inferenceModels) are documented on the Gateway page.
Troubleshooting
gateway SSO: server does not advertise device_authorization_endpoint — The app could not read your inferenceGatewayOidc value, so it fell back to treating the gateway itself as the sign-in server. Almost always this means the value is not a valid JSON string (for example, separate dotted keys, or a plist <dict> instead of a <string>). Re-export from the in-app configuration window, or copy the .mobileconfig snippet above.
OIDC discovery failed (HTTP 404) or (HTTP 405) — The issuer value is not the issuer base URL. Most often the metadata URI (ending in /.well-known/openid-configuration) was pasted instead, which doubles the path. Remove that suffix so issuer is just https://YOUR_ORG.okta.com (or the equivalent for your provider).
no credential configured for provider "gateway": set inferenceCredentialKind or one of the credential fields — Neither inferenceCredentialKind: "interactive" nor the legacy inferenceGatewayAuthScheme: "sso" is present in the pushed configuration.
Browser shows “Connected” but the app reports the sign-in failed, or Token exchange failed (HTTP 401) — The browser step succeeded, but the identity provider rejected the follow-up token request. This usually means the IdP application is registered as a confidential (Web) client, which expects a client secret. Claude is a public PKCE client and doesn’t send one. Register a public/native client instead: Native Application in Okta, or the Mobile and desktop applications platform in Entra ID. Application type generally can’t be changed after creation, so you may need to create a new one.
Google Workspace can be used as the identity provider, but in the default
id_token mode Google does not issue a fresh ID token on background refresh, so users are prompted to sign in again roughly once an hour. Setting bearerTokenType to access_token avoids this. Entra ID and Okta are not affected in either mode.