[DOCS] `forceLoginMethod` and `forceLoginOrgUUID` docs omit API-key and third-party-provider enforcement scope

Open 💬 1 comment Opened May 21, 2026 by coygeek

Documentation Type

Missing documentation (feature not documented)

Documentation Location

https://code.claude.com/docs/en/settings

Section/Topic

Available settings entries for forceLoginMethod and forceLoginOrgUUID

Current Documentation

The settings page currently says:

forceLoginMethod | Use claudeai to restrict login to Claude.ai accounts, console to restrict login to Claude Console (API usage billing) accounts forceLoginOrgUUID | Require login to belong to a specific organization. Accepts a single UUID string, which also pre-selects that organization during login, or an array of UUIDs where any listed organization is accepted without pre-selection. When set in managed settings, login fails if the authenticated account does not belong to a listed organization; an empty array fails closed and blocks login with a misconfiguration message

Related docs currently say:

* Cloud providers: if your organization uses Amazon Bedrock, Google Vertex AI, or Microsoft Foundry, set the required environment variables before running claude. No browser login is needed. When multiple credentials are present, Claude Code chooses one in this order: 1. Cloud provider credentials... 2. ANTHROPIC_AUTH_TOKEN... 3. ANTHROPIC_API_KEY... 4. apiKeyHelper... If your organization mixes providers, configure server-managed settings for Claude.ai users plus a file-based or plist/registry fallback so other users still receive managed policy.

What's Wrong or Missing?

Changelog v2.1.146 says:

Fixed forceLoginOrgUUID and forceLoginMethod managed-settings policies not being enforced against third-party-provider and API-key sessions.

A. The settings page frames these as browser-login restrictions only

The current row text talks about restricting or failing "login", but it does not say these managed settings also enforce on sessions that authenticate through API keys or third-party providers.

B. The authentication page makes provider and API-key flows sound separate from login policy

The current auth docs say cloud providers need no browser login and that provider/API-key credentials take precedence over OAuth. Without an explicit cross-reference, readers can reasonably conclude that forceLoginMethod and forceLoginOrgUUID only apply to Claude.ai or Console login flows.

C. The mixed-provider admin guidance omits this concrete policy example

admin-setup says other providers still receive managed policy through file/plist/registry fallbacks, but it does not clarify that these two auth-lock settings are part of that coverage.

This leaves admins unable to tell whether mixed-provider or API-key deployments are expected to honor these policies, which matters for organization-lock and auth-method enforcement.

Suggested Improvement

Add an explicit scope note to the forceLoginMethod and forceLoginOrgUUID rows, and cross-reference it from the authentication page.

Suggested wording:

These managed settings apply to the effective authentication method for the session, not only the browser-based login flow. They also enforce on API-key and third-party-provider sessions. If the resolved auth method or organization does not satisfy policy, Claude Code rejects the session.

Also add a short note to the authentication and admin setup pages clarifying that cloud-provider and API-key credentials do not bypass forceLoginMethod or forceLoginOrgUUID when those are set in managed settings.

Impact

Medium - Makes feature difficult to understand

Additional Context

Affected Pages:

| Page | Line(s) | Context |
|------|---------|---------|
| https://code.claude.com/docs/en/settings | 214-215 | Setting definitions mention login restriction but not API-key or third-party-provider enforcement scope |
| https://code.claude.com/docs/en/authentication | 24, 127-140 | Cloud-provider setup says no browser login is needed and auth precedence favors provider/API-key credentials, but does not say managed login-lock policies still apply |
| https://code.claude.com/docs/en/admin-setup | 54-58 | Mixed-provider guidance says other users still receive managed policy, but does not connect that statement to these auth-lock settings |

Total scope: 3 pages affected

Source: Changelog v2.1.146

Exact changelog entry:

Fixed forceLoginOrgUUID and forceLoginMethod managed-settings policies not being enforced against third-party-provider and API-key sessions.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗