[BUG] Organization-level policies bypassed when ANTHROPIC_BASE_URL is set, despite claude.ai OAuth authentication

Resolved 💬 3 comments Opened Apr 17, 2026 by ehgns852 Closed May 25, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

When `ANTHROPIC_BASE_URL` is set (LLM gateway / custom proxy), organization-level policies configured in the Claude.ai admin console are not enforced — even when the user is authenticated via claude.ai OAuth with an Enterprise account.

I understand that server-managed settings (`managed-settings.json`) are bypassed by design when `ANTHROPIC_BASE_URL` is set — this is documented at https://code.claude.com/docs/en/server-managed-settings.

However, features like **Remote Control are NOT configured via `managed-settings.json`**. They are toggled directly in the web admin console as organization-level feature flags. Per the official docs:

> "Access to Remote Control and web sessions is **not controlled by a managed settings key**. On Team and Enterprise plans, an admin enables or disables these features in Claude Code admin settings."
> — https://code.claude.com/docs/en/permissions

So Remote Control is supposed to be a separate mechanism from `managed-settings.json`. Yet in practice it is also bypassed when `ANTHROPIC_BASE_URL` is set, contradicting the architectural separation the docs describe.

**Security implication:** If ALL organization-level policies can be bypassed simply by setting `ANTHROPIC_BASE_URL`, then any user who knows about this behavior can route traffic through a personal proxy and evade every organizational guardrail:

- Admin disables Remote Control → user bypasses by setting `ANTHROPIC_BASE_URL`
- Admin sets permission deny rules via managed settings → bypassed
- Admin sets `disableBypassPermissionsMode` → bypassed

This turns admin policies into suggestions, not controls. Any informed user can opt out by pointing at a proxy while still being authenticated as an organization member via OAuth.

What Should Happen?

`/remote-control` should return:

`Remote Control is disabled by your organization's policy.`

Remote Control is an organization feature toggle set in the web admin console — **not** a managed-settings key. The user is authenticated via claude.ai OAuth as an organization member. The org policy should apply regardless of `ANTHROPIC_BASE_URL`.

More broadly, organization-level policies that are delivered via the OAuth session / claude.ai account state (not via `managed-settings.json`) should be enforced even when a custom `ANTHROPIC_BASE_URL` is configured.

Error Messages/Logs

$ /status
Setting sources: User settings, Project local settings, Command line arguments
Login method: Claude Enterprise account
Organization: <org-name>
Anthropic base URL: https://<custom-proxy>/...

$ /remote-control
Remote Control connecting…
/remote-control is active · Code in CLI or at https://claude.ai/code/session_xxx

Steps to Reproduce

1. As an org admin: disable Remote Control in Claude.ai → Admin Settings → Claude Code (web console toggle, not `managed-settings.json`)
2. As a user: authenticate via `/login` with a Claude Enterprise account belonging to that organization
3. Set `ANTHROPIC_BASE_URL` to a custom LLM gateway (any non-default URL that proxies to Anthropic)
4. Run `claude` in the terminal
5. Run `/status` → confirms `Setting sources: User settings, Project local settings` (no managed settings, expected per docs)
6. Run `/remote-control`

Expected: `Remote Control is disabled by your organization's policy.`
Actual: `/remote-control is active` — Remote Control connects successfully.

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.110 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

iTerm2

Additional Information

## Core Questions

If `ANTHROPIC_BASE_URL` disables **all** organization policy enforcement — not just `managed-settings.json` but also web console toggles like Remote Control — then:

1. Is this intended behavior?
2. If yes, how are admins expected to enforce org policies on Enterprise customers who use LLM gateways (which is a supported deployment pattern)?
3. If the only answer is network-level tenant restrictions, this should be explicitly documented as a hard requirement for any org using gateways.

Without this clarity, any knowledgeable user can bypass all org controls by proxying through their own endpoint while still authenticated as an org member.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗