Keyless Access to Claude Code

Point Claude Code at your agent network endpoint as its Anthropic base URL. NetBird holds the Anthropic API key server-side, so no key lives on your machine.

Running Claude Code through Agent Network turns it from a tool that needs a shared Anthropic key into one your team reaches with their existing identity:

Keyless access through your IdP. No Anthropic API key is distributed to or stored on any developer's machine. Each person runs Claude Code over the NetBird tunnel, and the request is tied to their real identity from your identity provider (Okta, Microsoft Entra ID, Google, …). Onboarding and offboarding follow the same IdP groups you already manage — there's no key to hand out, copy, or revoke.
Usage tracking per developer and group. Every request is metered by identity, model, tokens, and cost, so you can see exactly who is using Claude Code and how much it costs, broken down per person and aggregated per IdP group (team, department, project) in Usage & Logs.
Budget and token limits. Attach per-user or per-group token and spend caps over a rolling window in your policies, so Claude Code usage stays within budget and a single user can't run up the whole account's bill.

The rest of this page walks through connecting the provider and pointing Claude Code at your endpoint.

Connect the Provider

Go to Agent Network → Providers and click Connect Provider.
Select Anthropic and paste your Anthropic API key.
Save the provider. The key is now held server-side — the next step authorizes who can use it.

connect Anthropic provider in NetBird Agent Network

See Providers for details.

Create a Policy

By default nothing is allowed — a policy must connect a source group to the Anthropic provider before anyone can route Claude Code through it.

Go to Agent Network → Policies and add a policy.
Set the Source to the users or agents who should be able to use Claude Code (for example your Engineering group from your IdP).
Set the Provider to the Anthropic provider you just connected.
Optionally attach per-user or per-group token and budget limits so Claude Code usage stays within budget, and guardrails such as a model allowlist.

create a NetBird Agent Network policy authorizing Claude Code

See Policies for details.

Configure with `settings.json`

Add the following to ~/.claude/settings.json. The apiKeyHelper returns a dummy value so Claude Code doesn't prompt for a key — NetBird supplies the real one.

{
  "apiKeyHelper": "echo '-'",
  "env": {
    "ANTHROPIC_BASE_URL": "https://<your-endpoint>"
  }
}

Configure with Shell Variables

Alternatively, export the variables before launching Claude Code:

export ANTHROPIC_BASE_URL=https://<your-endpoint>
export ANTHROPIC_API_KEY=none
claude

That's it — Claude Code now sends every request over the NetBird tunnel, where it's tied to your identity, checked against your policies and limits, and recorded in Usage & Logs — broken down per developer and aggregated per IdP group.

NetBird Agent Network access logs showing per-request Claude Code identity, group, model, cost, and status

Install NetBird

Platforms

Policies

Usage & Logs

Integrations

Peers

Access Control

Networks

Routes

Reverse Proxy

DNS

Team

Activity

Settings

Integrations

Public API

For Partners

Cloud Marketplaces

Maintenance

Observability

Authentication

Troubleshooting

Migration Guides

Settings

Remote Access

Homelab

Cloud