AI Security Gateway

Appearance

Using Claude Code with AI Security Gateway

Overview

The AI Security Gateway now has built-in Provider Authentication that handles LLM provider credentials automatically. You no longer need to configure nginx proxies or custom header injection - the gateway manages provider authentication for you while your end users authenticate with the gateway using OAuth or API keys.

With the new Provider Authentication feature, setting up Claude Code takes just 3 simple steps:

Step 1: Configure Provider Authentication in the Web UI

  1. Open the AI Security Gateway Web UI
  2. Navigate to Proxies page
  3. Create or edit an LLM proxy for Anthropic
  4. In the Provider Authentication section:
    • Authentication Type: Select API Key
    • Provider: Select Anthropic from the dropdown
    • API Key: Enter your Anthropic API key (e.g., sk-ant-api03-...)
    • Click Validate Authentication to test the connection
    • Click Save to store the configuration (credentials are encrypted at rest)

Provider Authentication Configuration

Available Authentication Types:

  • API Key: For most providers (OpenAI, Anthropic, Cohere, etc.)
  • Custom Headers: For providers with custom authentication headers
  • AWS Bedrock: For AWS Bedrock with IAM credentials

Supported Providers:

  • Anthropic (Claude)
  • OpenAI (GPT models)
  • Azure OpenAI
  • AWS Bedrock (Anthropic, Amazon models)
  • Google Gemini
  • Cohere
  • Mistral AI
  • Perplexity AI
  • Together AI
  • Groq
  • OpenRouter
  • Fireworks AI

Step 2: Grant User Access

Ensure your user or team is assigned access to the proxy:

  1. Navigate to User Groups in the Web UI
  2. Find or create the user group for your API user
  3. Assign the LLM proxy to the group
  4. Generate an API key for the user (if not already done)

Step 3: Configure Claude Code Environment Variables

Set these environment variables for Claude Code to use the gateway:

bash
export ANTHROPIC_BASE_URL=http://ai-sec-gateway.local:8033/
export ANTHROPIC_AUTH_TOKEN="uag_kbx9abcdef1234567890..."  # Your AI Security Gateway API key
export ANTHROPIC_MODEL="custom--us.anthropic.claude-sonnet-4-5-20250929-v1"

Replace:

  • ai-sec-gateway.local:8033 with your gateway hostname and LLM proxy port
  • uag_kbx9... with your AI Security Gateway API key
  • Model name with your desired Claude model

That's it! Claude Code will now:

  1. Send requests to the AI Security Gateway
  2. Authenticate using your gateway API key (X-API-Key header)
  3. Gateway automatically injects the provider API key (from Provider Authentication)
  4. All traffic is monitored, logged, and protected by security policies

How It Works 

┌─────────────────┐
│   Claude Code   │  export ANTHROPIC_BASE_URL=http://gateway:8033/
└────────┬────────┘  export ANTHROPIC_AUTH_TOKEN="uag_kbx9..."
         │ Authorization: Bearer uag_kbx9...

┌─────────────────┐
│ AI Security     │  1. Validates gateway API key (X-API-Key)
│ Gateway         │  2. Injects provider credentials (encrypted at rest)
│ (Port 8033)     │  3. Applies security policies
└────────┬────────┘  4. Logs request + response
         │ Authorization: Bearer sk-ant-api03-... (from Provider Auth)

┌─────────────────┐
│ Anthropic API   │  Receives authenticated request
└─────────────────┘

Benefits:

  • No nginx or proxy scripts needed - Provider Authentication handles credentials
  • Encrypted credential storage - Provider keys encrypted at rest in the database
  • Automatic credential injection - Gateway adds provider auth to every request
  • User-level authentication - End users authenticate with gateway (OAuth/API keys)
  • Centralized credential management - Update provider keys in one place
  • Security monitoring - All requests logged and analyzed
  • Policy enforcement - Apply security rules before reaching the provider

Testing the Setup

Once you've configured Provider Authentication and set the environment variables, test your setup:

Test with curl

bash
curl -X POST http://ai-sec-gateway.local:8033/v1/messages \
  -H "X-API-Key: uag_kbx9abcdef1234567890..." \
  -H "Content-Type: application/json" \
  -d '{
    "model": "custom--us.anthropic.claude-sonnet-4-5-20250929-v1",
    "messages": [{"role": "user", "content": "Hello, how are you?"}],
    "max_tokens": 100
  }'

Expected result: 200 OK with Claude's response. The gateway automatically injected the provider API key.

Test with Claude Code

After setting the environment variables, start Claude Code and send a request. It should work seamlessly.

Check Gateway Logs

View the request logs in the Web UI:

  1. Navigate to Proxies page
  2. Click the Logs button on your LLM proxy
  3. You should see authenticated requests with your user/team information

Troubleshooting

Issue: 401 Unauthorized

Cause: Gateway API key is missing or invalid

Solution:

  1. Verify your ANTHROPIC_AUTH_TOKEN environment variable is set correctly
  2. Check that the API key exists in User GroupsAPI Keys
  3. Ensure the user/team has access to the LLM proxy
  4. Test the API key:
    bash
    curl -H "X-API-Key: uag_kbx9..." http://ai-sec-gateway.local:8033/v1/models

Issue: 403 Forbidden

Cause: User doesn't have access to the proxy

Solution:

  1. Navigate to User Groups in the Web UI
  2. Find your user group
  3. Assign the LLM proxy to the group

Issue: Provider Authentication Failed

Cause: Provider API key is invalid or expired

Solution:

  1. Go to Proxies → Edit your LLM proxy
  2. In Provider Authentication section, click Validate Authentication
  3. If validation fails, update the provider API key
  4. Save the configuration

Issue: Connection Refused

Cause: Gateway proxy is not running

Solution:

  1. Go to Proxies page
  2. Check the status of your LLM proxy
  3. Click Start if it's stopped
  4. Verify the port is correct in ANTHROPIC_BASE_URL

Advanced Configuration

Custom Headers Authentication

For providers with custom authentication headers:

  1. Authentication Type: Select Custom Headers
  2. Add header name/value pairs (e.g., X-Custom-Auth: token123)
  3. Click Validate Authentication to test
  4. Save the configuration

AWS Bedrock Authentication

For AWS Bedrock with IAM credentials:

  1. Authentication Type: Select AWS Bedrock
  2. Enter:
    • AWS Region: (e.g., us-east-1)
    • AWS Access Key ID: Your AWS access key
    • AWS Secret Access Key: Your AWS secret key
  3. Click Validate Authentication to test
  4. Save the configuration

Why Use Provider Authentication?

Security Benefits

  • Centralized credential management: Update provider keys in one place
  • Encrypted storage: Provider credentials encrypted at rest in the database
  • Audit trail: All requests logged with user attribution
  • Policy enforcement: Apply security rules before reaching the provider
  • User-level access control: OAuth/API key authentication for end users
  • No credential exposure: End users never see provider API keys

Operational Benefits

  • No proxy scripts needed: Built-in provider authentication
  • Simple setup: Just configure once in the Web UI
  • Cost tracking: Monitor token usage per user/team
  • Rate limiting: Control usage per user or globally
  • Multi-provider support: Switch providers without changing client code