Organizations can deploy Claude Code through Anthropic directly or through a cloud provider. This page helps you choose the right configuration.

Compare deployment options

For most organizations, Claude for Teams or Claude for Enterprise provides the best experience. Team members get access to both Claude Code and Claude on the web with a single subscription, centralized billing, and no infrastructure setup required.

Claude for Teams is self-service and includes collaboration features, admin tools, and billing management. Best for smaller teams that need to get started quickly.

Claude for Enterprise adds SSO and domain capture, role-based permissions, compliance API access, and managed policy settings for deploying organization-wide Claude Code configurations. Best for larger organizations with security and compliance requirements.

Learn more about Team plans and Enterprise plans.

If your organization has specific infrastructure requirements, compare the options below:

<tr>
  <td>Billing</td>
  <td><strong>Teams:</strong> \$150/seat (Premium) with PAYG available<br /><strong>Enterprise:</strong> <a href="https://claude.com/contact-sales?utm_source=claude_code&utm_medium=docs&utm_content=third_party_enterprise">Contact Sales</a></td>
  <td>PAYG</td>
  <td>PAYG through AWS</td>
  <td>PAYG through GCP</td>
  <td>PAYG through Azure</td>
</tr>

<tr>
  <td>Regions</td>
  <td>Supported [countries](https://www.anthropic.com/supported-countries)</td>
  <td>Supported [countries](https://www.anthropic.com/supported-countries)</td>
  <td>Multiple AWS [regions](https://docs.aws.amazon.com/bedrock/latest/userguide/models-regions.html)</td>
  <td>Multiple GCP [regions](https://cloud.google.com/vertex-ai/generative-ai/docs/learn/locations)</td>
  <td>Multiple Azure [regions](https://azure.microsoft.com/en-us/explore/global-infrastructure/products-by-region/)</td>
</tr>

<tr>
  <td>Prompt caching</td>
  <td>Enabled by default</td>
  <td>Enabled by default</td>
  <td>Enabled by default</td>
  <td>Enabled by default</td>
  <td>Enabled by default</td>
</tr>

<tr>
  <td>Authentication</td>
  <td>Claude.ai SSO or email</td>
  <td>API key</td>
  <td>API key or AWS credentials</td>
  <td>GCP credentials</td>
  <td>API key or Microsoft Entra ID</td>
</tr>

<tr>
  <td>Cost tracking</td>
  <td>Usage dashboard</td>
  <td>Usage dashboard</td>
  <td>AWS Cost Explorer</td>
  <td>GCP Billing</td>
  <td>Azure Cost Management</td>
</tr>

<tr>
  <td>Includes Claude on web</td>
  <td>Yes</td>
  <td>No</td>
  <td>No</td>
  <td>No</td>
  <td>No</td>
</tr>

<tr>
  <td>Enterprise features</td>
  <td>Team management, SSO, usage monitoring</td>
  <td>None</td>
  <td>IAM policies, CloudTrail</td>
  <td>IAM roles, Cloud Audit Logs</td>
  <td>RBAC policies, Azure Monitor</td>
</tr>

Select a deployment option to view setup instructions:

• Claude for Teams or Enterprise
• Anthropic Console
• Amazon Bedrock
• Google Vertex AI
• Microsoft Foundry

Configure proxies and gateways

Most organizations can use a cloud provider directly without additional configuration. However, you may need to configure a corporate proxy or LLM gateway if your organization has specific network or management requirements. These are different configurations that can be used together:

• Corporate proxy: Routes traffic through an HTTP/HTTPS proxy. Use this if your organization requires all outbound traffic to pass through a proxy server for security monitoring, compliance, or network policy enforcement. Configure with the HTTPS_PROXY or HTTP_PROXY environment variables. Learn more in Enterprise network configuration.
• LLM Gateway: A service that sits between Claude Code and the cloud provider to handle authentication and routing. Use this if you need centralized usage tracking across teams, custom rate limiting or budgets, or centralized authentication management. Configure with the ANTHROPIC_BASE_URL, ANTHROPIC_BEDROCK_BASE_URL, or ANTHROPIC_VERTEX_BASE_URL environment variables. Learn more in LLM gateway configuration.

The following examples show the environment variables to set in your shell or shell profile (.bashrc, .zshrc). See Settings for other configuration methods.

Amazon Bedrock

# Enable Bedrock
export CLAUDE_CODE_USE_BEDROCK=1
export AWS_REGION=us-east-1
Configure corporate proxy
export HTTPS_PROXY='https://proxy.example.com:8080'

# Enable Bedrock
export CLAUDE_CODE_USE_BEDROCK=1
Configure LLM gateway
export ANTHROPIC_BEDROCK_BASE_URL='https://your-llm-gateway.com/bedrock'
export CLAUDE_CODE_SKIP_BEDROCK_AUTH=1 # If gateway handles AWS auth

Microsoft Foundry

# Enable Microsoft Foundry
export CLAUDE_CODE_USE_FOUNDRY=1
export ANTHROPIC_FOUNDRY_RESOURCE=your-resource
export ANTHROPIC_FOUNDRY_API_KEY=your-api-key  # Or omit for Entra ID auth
Configure corporate proxy
export HTTPS_PROXY='https://proxy.example.com:8080'

# Enable Microsoft Foundry
export CLAUDE_CODE_USE_FOUNDRY=1
Configure LLM gateway
export ANTHROPIC_FOUNDRY_BASE_URL='https://your-llm-gateway.com'
export CLAUDE_CODE_SKIP_FOUNDRY_AUTH=1 # If gateway handles Azure auth

Google Vertex AI

# Enable Vertex
export CLAUDE_CODE_USE_VERTEX=1
export CLOUD_ML_REGION=us-east5
export ANTHROPIC_VERTEX_PROJECT_ID=your-project-id
Configure corporate proxy
export HTTPS_PROXY='https://proxy.example.com:8080'

# Enable Vertex
export CLAUDE_CODE_USE_VERTEX=1
Configure LLM gateway
export ANTHROPIC_VERTEX_BASE_URL='https://your-llm-gateway.com/vertex'
export CLAUDE_CODE_SKIP_VERTEX_AUTH=1 # If gateway handles GCP auth

Best practices for organizations

Invest in documentation and memory

We strongly recommend investing in documentation so that Claude Code understands your codebase. Organizations can deploy CLAUDE.md files at multiple levels:

• Organization-wide: Deploy to system directories like /Library/Application Support/ClaudeCode/CLAUDE.md (macOS) for company-wide standards
• Repository-level: Create CLAUDE.md files in repository roots containing project architecture, build commands, and contribution guidelines. Check these into source control so all users benefit

Learn more in Memory and CLAUDE.md files.

Simplify deployment

If you have a custom development environment, we find that creating a "one click" way to install Claude Code is key to growing adoption across an organization.

Start with guided usage

Encourage new users to try Claude Code for codebase Q&A, or on smaller bug fixes or feature requests. Ask Claude Code to make a plan. Check Claude's suggestions and give feedback if it's off-track. Over time, as users understand this new paradigm better, then they'll be more effective at letting Claude Code run more agentically.

Pin model versions for cloud providers

If you deploy through Bedrock, Vertex AI, or Foundry, pin specific model versions using ANTHROPIC_DEFAULT_OPUS_MODEL, ANTHROPIC_DEFAULT_SONNET_MODEL, and ANTHROPIC_DEFAULT_HAIKU_MODEL. Without pinning, model aliases resolve to the latest version, which may not yet be enabled in your account when Anthropic releases an update. Pinning lets you control when your users move to a new model. See Model configuration for what each provider does when the latest version is unavailable.

Configure security policies

Security teams can configure managed permissions for what Claude Code is and is not allowed to do, which cannot be overwritten by local configuration. Learn more.

Leverage MCP for integrations

MCP is a great way to give Claude Code more information, such as connecting to ticket management systems or error logs. We recommend that one central team configures MCP servers and checks a .mcp.json configuration into the codebase so that all users benefit. Learn more.

At Anthropic, we trust Claude Code to power development across every Anthropic codebase. We hope you enjoy using Claude Code as much as we do.

Next steps

Once you've chosen a deployment option and configured access for your team:

1. Roll out to your team: Share installation instructions and have team members install Claude Code and authenticate with their credentials.
2. Set up shared configuration: Create a CLAUDE.md file in your repositories to help Claude Code understand your codebase and coding standards.
3. Configure permissions: Review security settings to define what Claude Code can and cannot do in your environment.

Prerequisites

Before configuring Claude Code with Bedrock, ensure you have:

• An AWS account with Bedrock access enabled
• Access to desired Claude models (for example, Claude Sonnet 4.6) in Bedrock
• AWS CLI installed and configured (optional - only needed if you don't have another mechanism for getting credentials)
• Appropriate IAM permissions

To sign in with your own Bedrock credentials, follow Sign in with Bedrock below. To deploy Claude Code across a team, use the manual setup steps and pin your model versions before rolling out.

Sign in with Bedrock

If you have AWS credentials and want to start using Claude Code through Bedrock, the login wizard walks you through it. You complete the AWS-side prerequisites once per account; the wizard handles the Claude Code side.

After you've signed in, run /setup-bedrock any time to reopen the wizard and change your credentials, region, or model pins.

Set up manually

To configure Bedrock through environment variables instead of the wizard, for example in CI or a scripted enterprise rollout, follow the steps below.

1. Submit use case details

First-time users of Anthropic models are required to submit use case details before invoking a model. This is done once per AWS account.

1. Ensure you have the right IAM permissions described below
2. Navigate to the Amazon Bedrock console
3. Select an Anthropic model from the Model catalog
4. Complete the use case form. Access is granted immediately after submission.

If you use AWS Organizations, you can submit the form once from the management account using the PutUseCaseForModelAccess API. This call requires the bedrock:PutUseCaseForModelAccess IAM permission. Approval extends to child accounts automatically.

2. Configure AWS credentials

Claude Code uses the default AWS SDK credential chain. Set up your credentials using one of these methods:

Option A: AWS CLI configuration

aws configure

Option B: Environment variables (access key)

export AWS_ACCESS_KEY_ID=your-access-key-id
export AWS_SECRET_ACCESS_KEY=your-secret-access-key
export AWS_SESSION_TOKEN=your-session-token

Option C: Environment variables (SSO profile)

aws sso login --profile=<your-profile-name>

export AWS_PROFILE=your-profile-name

Option D: AWS Management Console credentials

aws login

Learn more about aws login.

Option E: Bedrock API keys

export AWS_BEARER_TOKEN_BEDROCK=your-bedrock-api-key

Bedrock API keys provide a simpler authentication method without needing full AWS credentials. Learn more about Bedrock API keys.

Advanced credential configuration

Claude Code supports automatic credential refresh for AWS SSO and corporate identity providers. Add these settings to your Claude Code settings file (see Settings for file locations).

When Claude Code detects that your AWS credentials are expired (either locally based on their timestamp or when Bedrock returns a credential error), it will automatically run your configured awsAuthRefresh and/or awsCredentialExport commands to obtain new credentials before retrying the request.

Example configuration

{
  "awsAuthRefresh": "aws sso login --profile myprofile",
  "env": {
    "AWS_PROFILE": "myprofile"
  }
}

Configuration settings explained

awsAuthRefresh: Use this for commands that modify the .aws directory, such as updating credentials, SSO cache, or config files. The command's output is displayed to the user, but interactive input isn't supported. This works well for browser-based SSO flows where the CLI displays a URL or code and you complete authentication in the browser.

awsCredentialExport: Only use this if you can't modify .aws and must directly return credentials. Output is captured silently and not shown to the user. The command must output JSON in this format:

{
  "Credentials": {
    "AccessKeyId": "value",
    "SecretAccessKey": "value",
    "SessionToken": "value"
  }
}

3. Configure Claude Code

Set the following environment variables to enable Bedrock:

# Enable Bedrock integration
export CLAUDE_CODE_USE_BEDROCK=1
export AWS_REGION=us-east-1  # or your preferred region

# Optional: Override the region for the small/fast model (Haiku).
# Also applies to Bedrock Mantle.
export ANTHROPIC_SMALL_FAST_MODEL_AWS_REGION=us-west-2

# Optional: Override the Bedrock endpoint URL for custom endpoints or gateways
# export ANTHROPIC_BEDROCK_BASE_URL=https://bedrock-runtime.us-east-1.amazonaws.com

When enabling Bedrock for Claude Code, keep the following in mind:

• AWS_REGION is a required environment variable. Claude Code does not read from the .aws config file for this setting.
• When using Bedrock, the /login and /logout commands are disabled since authentication is handled through AWS credentials.
• You can use settings files for environment variables like AWS_PROFILE that you don't want to leak to other processes. See Settings for more information.

4. Pin model versions

Set these environment variables to specific Bedrock model IDs:

export ANTHROPIC_DEFAULT_OPUS_MODEL='us.anthropic.claude-opus-4-6-v1'
export ANTHROPIC_DEFAULT_SONNET_MODEL='us.anthropic.claude-sonnet-4-6'
export ANTHROPIC_DEFAULT_HAIKU_MODEL='us.anthropic.claude-haiku-4-5-20251001-v1:0'

These variables use cross-region inference profile IDs (with the us. prefix). If you use a different region prefix or application inference profiles, adjust accordingly. For current and legacy model IDs, see Models overview. See Model configuration for the full list of environment variables.

Claude Code uses these default models when no pinning variables are set:

To customize models further, use one of these methods:

# Using inference profile ID
export ANTHROPIC_MODEL='global.anthropic.claude-sonnet-4-6'
export ANTHROPIC_DEFAULT_HAIKU_MODEL='us.anthropic.claude-haiku-4-5-20251001-v1:0'

# Using application inference profile ARN
export ANTHROPIC_MODEL='arn:aws:bedrock:us-east-2:your-account-id:application-inference-profile/your-model-id'

# Optional: Disable prompt caching if needed
export DISABLE_PROMPT_CACHING=1

Map each model version to an inference profile

The ANTHROPIC_DEFAULT_*_MODEL environment variables configure one inference profile per model family. If your organization needs to expose several versions of the same family in the /model picker, each routed to its own application inference profile ARN, use the modelOverrides setting in your settings file instead.

This example maps three Opus versions to distinct ARNs so users can switch between them without bypassing your organization's inference profiles:

{
  "modelOverrides": {
    "claude-opus-4-6": "arn:aws:bedrock:us-east-2:123456789012:application-inference-profile/opus-46-prod",
    "claude-opus-4-5-20251101": "arn:aws:bedrock:us-east-2:123456789012:application-inference-profile/opus-45-prod",
    "claude-opus-4-1-20250805": "arn:aws:bedrock:us-east-2:123456789012:application-inference-profile/opus-41-prod"
  }
}

When a user selects one of these versions in /model, Claude Code calls Bedrock with the mapped ARN. Versions without an override fall back to the built-in Bedrock model ID or any matching inference profile discovered at startup. See Override model IDs per version for details on how overrides interact with availableModels and other model settings.

Startup model checks

When Claude Code starts with Bedrock configured, it verifies that the models it intends to use are accessible in your account. This check requires Claude Code v2.1.94 or later.

If you have pinned a model version that is older than the current Claude Code default, and your account can invoke the newer version, Claude Code prompts you to update the pin. Accepting writes the new model ID to your user settings file and restarts Claude Code. Declining is remembered until the next default version change. Pins that point to an application inference profile ARN are skipped, since those are managed by your administrator.

If you have not pinned a model and the current default is unavailable in your account, Claude Code falls back to the previous version for the current session and shows a notice. The fallback is not persisted. Enable the newer model in your Bedrock account or pin a version to make the choice permanent.

IAM configuration

Create an IAM policy with the required permissions for Claude Code:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowModelAndInferenceProfileAccess",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream",
        "bedrock:ListInferenceProfiles"
      ],
      "Resource": [
        "arn:aws:bedrock:*:*:inference-profile/*",
        "arn:aws:bedrock:*:*:application-inference-profile/*",
        "arn:aws:bedrock:*:*:foundation-model/*"
      ]
    },
    {
      "Sid": "AllowMarketplaceSubscription",
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:ViewSubscriptions",
        "aws-marketplace:Subscribe"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:CalledViaLast": "bedrock.amazonaws.com"
        }
      }
    }
  ]
}

For more restrictive permissions, you can limit the Resource to specific inference profile ARNs.

For details, see Bedrock IAM documentation.

1M token context window

Claude Opus 4.6 and Sonnet 4.6 support the 1M token context window on Amazon Bedrock. Claude Code automatically enables the extended context window when you select a 1M model variant.

To enable the 1M context window for your pinned model, append [1m] to the model ID. See Pin models for third-party deployments for details.

AWS Guardrails

Amazon Bedrock Guardrails let you implement content filtering for Claude Code. Create a Guardrail in the Amazon Bedrock console, publish a version, then add the Guardrail headers to your settings file. Enable Cross-Region inference on your Guardrail if you're using cross-region inference profiles.

Example configuration:

{
  "env": {
    "ANTHROPIC_CUSTOM_HEADERS": "X-Amzn-Bedrock-GuardrailIdentifier: your-guardrail-id\nX-Amzn-Bedrock-GuardrailVersion: 1"
  }
}

Use the Mantle endpoint

Mantle is an Amazon Bedrock endpoint that serves Claude models through the native Anthropic API shape rather than the Bedrock Invoke API. It uses the same AWS credentials, IAM permissions, and awsAuthRefresh configuration described earlier on this page.

Enable Mantle

With AWS credentials already configured, set CLAUDE_CODE_USE_MANTLE to route requests to the Mantle endpoint:

export CLAUDE_CODE_USE_MANTLE=1
export AWS_REGION=us-east-1

Claude Code constructs the endpoint URL from AWS_REGION. To override it for a custom endpoint or gateway, set ANTHROPIC_BEDROCK_MANTLE_BASE_URL.

Run /status inside Claude Code to confirm. The provider line shows Amazon Bedrock (Mantle) when Mantle is active.

Select a Mantle model

Mantle uses model IDs prefixed with anthropic. and without a version suffix, for example anthropic.claude-haiku-4-5. The models available to your account depend on what your organization has been granted; additional model IDs are listed in your onboarding materials from AWS. Contact your AWS account team to request access to allowlisted models.

Set the model with the --model flag or with /model inside Claude Code:

claude --model anthropic.claude-haiku-4-5

Run Mantle alongside the Invoke API

The models available to you on Mantle may not include every model you use today. Setting both CLAUDE_CODE_USE_BEDROCK and CLAUDE_CODE_USE_MANTLE lets Claude Code call both endpoints from the same session. Model IDs that match the Mantle format are routed to Mantle, and all other model IDs go to the Bedrock Invoke API.

export CLAUDE_CODE_USE_BEDROCK=1
export CLAUDE_CODE_USE_MANTLE=1

To surface a Mantle model in the /model picker, list its ID in availableModels in your settings file. This setting also restricts the picker to the listed entries, so include every alias you want to keep available:

{
  "availableModels": ["opus", "sonnet", "haiku", "anthropic.claude-haiku-4-5"]
}

Entries with the anthropic. prefix are added as custom picker options and routed to Mantle. Replace anthropic.claude-haiku-4-5 with the model ID your account has been granted. See Restrict model selection for how availableModels interacts with other model settings.

When both providers are active, /status shows Amazon Bedrock + Amazon Bedrock (Mantle).

Route Mantle through a gateway

If your organization routes model traffic through a centralized LLM gateway that injects AWS credentials server-side, disable client-side authentication so Claude Code sends requests without SigV4 signatures or x-api-key headers:

export CLAUDE_CODE_USE_MANTLE=1
export CLAUDE_CODE_SKIP_MANTLE_AUTH=1
export ANTHROPIC_BEDROCK_MANTLE_BASE_URL=https://your-gateway.example.com

Mantle environment variables

These variables are specific to the Mantle endpoint. See Environment variables for the full list.

Troubleshooting

Authentication loop with SSO and corporate proxies

If browser tabs spawn repeatedly when using AWS SSO, remove the awsAuthRefresh setting from your settings file. This can occur when corporate VPNs or TLS inspection proxies interrupt the SSO browser flow. Claude Code treats the interrupted connection as an authentication failure, re-runs awsAuthRefresh, and loops indefinitely.

If your network environment interferes with automatic browser-based SSO flows, use aws sso login manually before starting Claude Code instead of relying on awsAuthRefresh.

Region issues

If you encounter region issues:

• Check model availability: aws bedrock list-inference-profiles --region your-region
• Switch to a supported region: export AWS_REGION=us-east-1
• Consider using inference profiles for cross-region access

If you receive an error "on-demand throughput isn’t supported":

• Specify the model as an inference profile ID

Claude Code uses the Bedrock Invoke API and does not support the Converse API.

Mantle endpoint errors

If /status does not show Amazon Bedrock (Mantle) after you set CLAUDE_CODE_USE_MANTLE, the variable is not reaching the process. Confirm it is exported in the shell where you launched claude, or set it in the env block of your settings file.

A 403 from the Mantle endpoint with valid credentials means your AWS account has not been granted access to the model you requested. Contact your AWS account team to request access.

A 400 that names the model ID means that model is not served on Mantle. Mantle has its own model lineup separate from the standard Bedrock catalog, so inference profile IDs such as us.anthropic.claude-sonnet-4-6 will not work. Use a Mantle-format ID, or enable both endpoints so Claude Code routes each request to the endpoint where the model is available.

Additional resources

• Bedrock documentation
• Bedrock pricing
• Bedrock inference profiles
• Bedrock token burndown and quotas
• Claude Code on Amazon Bedrock: Quick Setup Guide
• Claude Code Monitoring Implementation (Bedrock)

Prerequisites

Before configuring Claude Code with Vertex AI, ensure you have:

• A Google Cloud Platform (GCP) account with billing enabled
• A GCP project with Vertex AI API enabled
• Access to desired Claude models (for example, Claude Sonnet 4.6)
• Google Cloud SDK (gcloud) installed and configured
• Quota allocated in desired GCP region

To sign in with your own Vertex AI credentials, follow Sign in with Vertex AI below. To deploy Claude Code across a team, use the manual setup steps and pin your model versions before rolling out.

Sign in with Vertex AI

If you have Google Cloud credentials and want to start using Claude Code through Vertex AI, the login wizard walks you through it. You complete the GCP-side prerequisites once per project; the wizard handles the Claude Code side.

After you've signed in, run /setup-vertex any time to reopen the wizard and change your credentials, project, region, or model pins.

Region configuration

Claude Code can be used with both Vertex AI global and regional endpoints.

Set up manually

To configure Vertex AI through environment variables instead of the wizard, for example in CI or a scripted enterprise rollout, follow the steps below.

1. Enable Vertex AI API

Enable the Vertex AI API in your GCP project:

# Set your project ID
gcloud config set project YOUR-PROJECT-ID

# Enable Vertex AI API
gcloud services enable aiplatform.googleapis.com

2. Request model access

Request access to Claude models in Vertex AI:

1. Navigate to the Vertex AI Model Garden
2. Search for "Claude" models
3. Request access to desired Claude models (for example, Claude Sonnet 4.6)
4. Wait for approval (may take 24-48 hours)

3. Configure GCP credentials

Claude Code uses standard Google Cloud authentication.

For more information, see Google Cloud authentication documentation.

4. Configure Claude Code

Set the following environment variables:

# Enable Vertex AI integration
export CLAUDE_CODE_USE_VERTEX=1
export CLOUD_ML_REGION=global
export ANTHROPIC_VERTEX_PROJECT_ID=YOUR-PROJECT-ID

# Optional: Override the Vertex endpoint URL for custom endpoints or gateways
# export ANTHROPIC_VERTEX_BASE_URL=https://aiplatform.googleapis.com

# Optional: Disable prompt caching if needed
export DISABLE_PROMPT_CACHING=1

# When CLOUD_ML_REGION=global, override region for models that don't support global endpoints
export VERTEX_REGION_CLAUDE_HAIKU_4_5=us-east5
export VERTEX_REGION_CLAUDE_4_6_SONNET=europe-west1

Most model versions have a corresponding VERTEX_REGION_CLAUDE_* variable. See the Environment variables reference for the full list. Check Vertex Model Garden to determine which models support global endpoints versus regional only.

Prompt caching is automatically supported when you specify the cache_control ephemeral flag. To disable it, set DISABLE_PROMPT_CACHING=1. For heightened rate limits, contact Google Cloud support. When using Vertex AI, the /login and /logout commands are disabled since authentication is handled through Google Cloud credentials.

5. Pin model versions

Set these environment variables to specific Vertex AI model IDs:

export ANTHROPIC_DEFAULT_OPUS_MODEL='claude-opus-4-6'
export ANTHROPIC_DEFAULT_SONNET_MODEL='claude-sonnet-4-6'
export ANTHROPIC_DEFAULT_HAIKU_MODEL='claude-haiku-4-5@20251001'

For current and legacy model IDs, see Models overview. See Model configuration for the full list of environment variables.

Claude Code uses these default models when no pinning variables are set:

To customize models further:

export ANTHROPIC_MODEL='claude-opus-4-6'
export ANTHROPIC_DEFAULT_HAIKU_MODEL='claude-haiku-4-5@20251001'

Startup model checks

When Claude Code starts with Vertex AI configured, it verifies that the models it intends to use are accessible in your project. This check requires Claude Code v2.1.98 or later.

If you have pinned a model version that is older than the current Claude Code default, and your project can invoke the newer version, Claude Code prompts you to update the pin. Accepting writes the new model ID to your user settings file and restarts Claude Code. Declining is remembered until the next default version change.

If you have not pinned a model and the current default is unavailable in your project, Claude Code falls back to the previous version for the current session and shows a notice. The fallback is not persisted. Enable the newer model in Model Garden or pin a version to make the choice permanent.

IAM configuration

Assign the required IAM permissions:

The roles/aiplatform.user role includes the required permissions:

• aiplatform.endpoints.predict - Required for model invocation and token counting

For more restrictive permissions, create a custom role with only the permissions above.

For details, see Vertex IAM documentation.

1M token context window

Claude Opus 4.6, Sonnet 4.6, Sonnet 4.5, and Sonnet 4 support the 1M token context window on Vertex AI. Claude Code automatically enables the extended context window when you select a 1M model variant.

To enable the 1M context window for your pinned model, append [1m] to the model ID. See Pin models for third-party deployments for details.

Troubleshooting

If you encounter quota issues:

• Check current quotas or request quota increase through Cloud Console

If you encounter "model not found" 404 errors:

• Confirm model is Enabled in Model Garden
• Verify you have access to the specified region
• If using CLOUD_ML_REGION=global, check that your models support global endpoints in Model Garden under "Supported features". For models that don't support global endpoints, either:
  • Specify a supported model via ANTHROPIC_MODEL or ANTHROPIC_DEFAULT_HAIKU_MODEL, or
  • Set a regional endpoint using VERTEX_REGION_<MODEL_NAME> environment variables

If you encounter 429 errors:

• For regional endpoints, ensure the primary model and small/fast model are supported in your selected region
• Consider switching to CLOUD_ML_REGION=global for better availability

Additional resources

• Vertex AI documentation
• Vertex AI pricing
• Vertex AI quotas and limits

Prerequisites

Before configuring Claude Code with Microsoft Foundry, ensure you have:

• An Azure subscription with access to Microsoft Foundry
• RBAC permissions to create Microsoft Foundry resources and deployments
• Azure CLI installed and configured (optional - only needed if you don't have another mechanism for getting credentials)

Setup

1. Provision Microsoft Foundry resource

First, create a Claude resource in Azure:

1. Navigate to the Microsoft Foundry portal
2. Create a new resource, noting your resource name
3. Create deployments for the Claude models:
   • Claude Opus
   • Claude Sonnet
   • Claude Haiku

2. Configure Azure credentials

Claude Code supports two authentication methods for Microsoft Foundry. Choose the method that best fits your security requirements.

Option A: API key authentication

1. Navigate to your resource in the Microsoft Foundry portal
2. Go to the Endpoints and keys section
3. Copy API Key
4. Set the environment variable:

export ANTHROPIC_FOUNDRY_API_KEY=your-azure-api-key

Option B: Microsoft Entra ID authentication

When ANTHROPIC_FOUNDRY_API_KEY is not set, Claude Code automatically uses the Azure SDK default credential chain. This supports a variety of methods for authenticating local and remote workloads.

On local environments, you commonly may use the Azure CLI:

az login

3. Configure Claude Code

Set the following environment variables to enable Microsoft Foundry:

# Enable Microsoft Foundry integration
export CLAUDE_CODE_USE_FOUNDRY=1

# Azure resource name (replace {resource} with your resource name)
export ANTHROPIC_FOUNDRY_RESOURCE={resource}
# Or provide the full base URL:
# export ANTHROPIC_FOUNDRY_BASE_URL=https://{resource}.services.ai.azure.com/anthropic

4. Pin model versions

Set the model variables to match the deployment names you created in step 1:

export ANTHROPIC_DEFAULT_OPUS_MODEL='claude-opus-4-6'
export ANTHROPIC_DEFAULT_SONNET_MODEL='claude-sonnet-4-6'
export ANTHROPIC_DEFAULT_HAIKU_MODEL='claude-haiku-4-5'

For current and legacy model IDs, see Models overview. See Model configuration for the full list of environment variables.

Azure RBAC configuration

The Azure AI User and Cognitive Services User default roles include all required permissions for invoking Claude models.

For more restrictive permissions, create a custom role with the following:

{
  "permissions": [
    {
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/providers/*"
      ]
    }
  ]
}

For details, see Microsoft Foundry RBAC documentation.

Troubleshooting

If you receive an error "Failed to get token from azureADTokenProvider: ChainedTokenCredential authentication failed":

• Configure Entra ID on the environment, or set ANTHROPIC_FOUNDRY_API_KEY.

Additional resources

• Microsoft Foundry documentation
• Microsoft Foundry models
• Microsoft Foundry pricing

Claude Code supports various enterprise network and security configurations through environment variables. This includes routing traffic through corporate proxy servers, trusting custom Certificate Authorities (CA), and authenticating with mutual Transport Layer Security (mTLS) certificates for enhanced security.

Proxy configuration

Environment variables

Claude Code respects standard proxy environment variables:

# HTTPS proxy (recommended)
export HTTPS_PROXY=https://proxy.example.com:8080

# HTTP proxy (if HTTPS not available)
export HTTP_PROXY=http://proxy.example.com:8080

# Bypass proxy for specific requests - space-separated format
export NO_PROXY="localhost 192.168.1.1 example.com .example.com"
# Bypass proxy for specific requests - comma-separated format
export NO_PROXY="localhost,192.168.1.1,example.com,.example.com"
# Bypass proxy for all requests
export NO_PROXY="*"

Basic authentication

If your proxy requires basic authentication, include credentials in the proxy URL:

export HTTPS_PROXY=http://username:[email protected]:8080

CA certificate store

By default, Claude Code trusts both its bundled Mozilla CA certificates and your operating system's certificate store. Enterprise TLS-inspection proxies such as CrowdStrike Falcon and Zscaler work without additional configuration when their root certificate is installed in the OS trust store.

CLAUDE_CODE_CERT_STORE accepts a comma-separated list of sources. Recognized values are bundled for the Mozilla CA set shipped with Claude Code and system for the operating system trust store. The default is bundled,system.

To trust only the bundled Mozilla CA set:

export CLAUDE_CODE_CERT_STORE=bundled

To trust only the OS certificate store:

export CLAUDE_CODE_CERT_STORE=system

Custom CA certificates

If your enterprise environment uses a custom CA, configure Claude Code to trust it directly:

export NODE_EXTRA_CA_CERTS=/path/to/ca-cert.pem

mTLS authentication

For enterprise environments requiring client certificate authentication:

# Client certificate for authentication
export CLAUDE_CODE_CLIENT_CERT=/path/to/client-cert.pem

# Client private key
export CLAUDE_CODE_CLIENT_KEY=/path/to/client-key.pem

# Optional: Passphrase for encrypted private key
export CLAUDE_CODE_CLIENT_KEY_PASSPHRASE="your-passphrase"

Network access requirements

Claude Code requires access to the following URLs:

• api.anthropic.com: Claude API endpoints
• claude.ai: authentication for claude.ai accounts
• platform.claude.com: authentication for Anthropic Console accounts

Ensure these URLs are allowlisted in your proxy configuration and firewall rules. This is especially important when using Claude Code in containerized or restricted network environments.

The native installer and update checks also require the following URLs. Allowlist both, since the installer and auto-updater fetch from storage.googleapis.com while plugin downloads use downloads.claude.ai. If you install Claude Code through npm or manage your own binary distribution, end users may not need access:

• storage.googleapis.com: download bucket for the Claude Code binary and auto-updater
• downloads.claude.ai: CDN hosting the install script, version pointers, manifests, signing keys, and plugin executables

The Chrome integration connects to the browser extension over a WebSocket bridge. If you use Claude in Chrome, allowlist bridge.claudeusercontent.com for outbound WebSocket connections.

Claude Code on the web and Code Review connect to your repositories from Anthropic-managed infrastructure. If your GitHub Enterprise Cloud organization restricts access by IP address, enable IP allow list inheritance for installed GitHub Apps. The Claude GitHub App registers its IP ranges, so enabling this setting allows access without manual configuration. To add the ranges to your allow list manually instead, or to configure other firewalls, see the Anthropic API IP addresses.

For self-hosted GitHub Enterprise Server instances behind a firewall, allowlist the same Anthropic API IP addresses so Anthropic infrastructure can reach your GHES host to clone repositories and post review comments.

Additional resources

• Claude Code settings
• Environment variables reference
• Troubleshooting guide

LLM gateways provide a centralized proxy layer between Claude Code and model providers, often providing:

• Centralized authentication - Single point for API key management
• Usage tracking - Monitor usage across teams and projects
• Cost controls - Implement budgets and rate limits
• Audit logging - Track all model interactions for compliance
• Model routing - Switch between providers without code changes

Gateway requirements

For an LLM gateway to work with Claude Code, it must meet the following requirements:

API format

The gateway must expose to clients at least one of the following API formats:

1. Anthropic Messages: /v1/messages, /v1/messages/count_tokens

   • Must forward request headers: anthropic-beta, anthropic-version

2. Bedrock InvokeModel: /invoke, /invoke-with-response-stream

   • Must preserve request body fields: anthropic_beta, anthropic_version

3. Vertex rawPredict: :rawPredict, :streamRawPredict, /count-tokens:rawPredict

   • Must forward request headers: anthropic-beta, anthropic-version

Failure to forward headers or preserve body fields may result in reduced functionality or inability to use Claude Code features.

Request headers

Claude Code includes the following headers on every API request:

Configuration

Model selection

By default, Claude Code will use standard model names for the selected API format.

If you have configured custom model names in your gateway, use the environment variables documented in Model configuration to match your custom names.

LiteLLM configuration

Prerequisites

• Claude Code updated to the latest version
• LiteLLM Proxy Server deployed and accessible
• Access to Claude models through your chosen provider

Basic LiteLLM setup

Configure Claude Code:

Authentication methods

Static API key

Simplest method using a fixed API key:

# Set in environment
export ANTHROPIC_AUTH_TOKEN=sk-litellm-static-key

# Or in Claude Code settings
{
  "env": {
    "ANTHROPIC_AUTH_TOKEN": "sk-litellm-static-key"
  }
}

This value will be sent as the Authorization header.

Dynamic API key with helper

For rotating keys or per-user authentication:

1. Create an API key helper script:

#!/bin/bash
# ~/bin/get-litellm-key.sh

# Example: Fetch key from vault
vault kv get -field=api_key secret/litellm/claude-code

# Example: Generate JWT token
jwt encode \
  --secret="${JWT_SECRET}" \
  --exp="+1h" \
  '{"user":"'${USER}'","team":"engineering"}'

2. Configure Claude Code settings to use the helper:

{
  "apiKeyHelper": "~/bin/get-litellm-key.sh"
}

3. Set token refresh interval:

# Refresh every hour (3600000 ms)
export CLAUDE_CODE_API_KEY_HELPER_TTL_MS=3600000

This value will be sent as Authorization and X-Api-Key headers. The apiKeyHelper has lower precedence than ANTHROPIC_AUTH_TOKEN or ANTHROPIC_API_KEY.

Unified endpoint (recommended)

Using LiteLLM's Anthropic format endpoint:

export ANTHROPIC_BASE_URL=https://litellm-server:4000

Benefits of the unified endpoint over pass-through endpoints:

• Load balancing
• Fallbacks
• Consistent support for cost tracking and end-user tracking

Provider-specific pass-through endpoints (alternative)

Claude API through LiteLLM

Using pass-through endpoint:

export ANTHROPIC_BASE_URL=https://litellm-server:4000/anthropic

Amazon Bedrock through LiteLLM

Using pass-through endpoint:

export ANTHROPIC_BEDROCK_BASE_URL=https://litellm-server:4000/bedrock
export CLAUDE_CODE_SKIP_BEDROCK_AUTH=1
export CLAUDE_CODE_USE_BEDROCK=1

Google Vertex AI through LiteLLM

Using pass-through endpoint:

export ANTHROPIC_VERTEX_BASE_URL=https://litellm-server:4000/vertex_ai/v1
export ANTHROPIC_VERTEX_PROJECT_ID=your-gcp-project-id
export CLAUDE_CODE_SKIP_VERTEX_AUTH=1
export CLAUDE_CODE_USE_VERTEX=1
export CLOUD_ML_REGION=us-east5

For more detailed information, refer to the LiteLLM documentation.

Additional resources

• LiteLLM documentation
• Claude Code settings
• Enterprise network configuration
• Third-party integrations overview

The reference devcontainer setup and associated Dockerfile offer a preconfigured development container that you can use as is, or customize for your needs. This devcontainer works with the Visual Studio Code Dev Containers extension and similar tools.

The container's enhanced security measures (isolation and firewall rules) allow you to run claude --dangerously-skip-permissions to bypass permission prompts for unattended operation.

Key features

• Production-ready Node.js: Built on Node.js 20 with essential development dependencies
• Security by design: Custom firewall restricting network access to only necessary services
• Developer-friendly tools: Includes git, ZSH with productivity enhancements, fzf, and more
• Seamless VS Code integration: Pre-configured extensions and optimized settings
• Session persistence: Preserves command history and configurations between container restarts
• Works everywhere: Compatible with macOS, Windows, and Linux development environments

Getting started in 4 steps

1. Install VS Code and the Dev Containers extension
2. Clone the Claude Code reference implementation repository
3. Open the repository in VS Code
4. When prompted, click "Reopen in Container" (or use Command Palette: Cmd+Shift+P → "Dev Containers: Reopen in Container")

Once the container finishes building, open a terminal in VS Code with Ctrl+` and run claude to authenticate and start your first session. The container has Claude Code preinstalled, so you can begin working immediately. Your project files are mounted into the container, and any code Claude writes appears in your local repository.

Configuration breakdown

The devcontainer setup consists of three primary components:

• devcontainer.json: Controls container settings, extensions, and volume mounts
• Dockerfile: Defines the container image and installed tools
• init-firewall.sh: Establishes network security rules

Security features

The container implements a multi-layered security approach with its firewall configuration:

• Precise access control: Restricts outbound connections to whitelisted domains only (npm registry, GitHub, Claude API, etc.)
• Allowed outbound connections: The firewall permits outbound DNS and SSH connections
• Default-deny policy: Blocks all other external network access
• Startup verification: Validates firewall rules when the container initializes
• Isolation: Creates a secure development environment separated from your main system

Customization options

The devcontainer configuration is designed to be adaptable to your needs:

• Add or remove VS Code extensions based on your workflow
• Modify resource allocations for different hardware environments
• Adjust network access permissions
• Customize shell configurations and developer tooling

Example use cases

Secure client work

Use devcontainers to isolate different client projects, ensuring code and credentials never mix between environments.

Team onboarding

New team members can get a fully configured development environment in minutes, with all necessary tools and settings pre-installed.

Consistent CI/CD environments

Mirror your devcontainer configuration in CI/CD pipelines to ensure development and production environments match.

Related resources

• VS Code devcontainers documentation
• Claude Code security best practices
• Enterprise network configuration