[DOCS] `forceLoginMethod` and `forceLoginOrgUUID` docs omit API-key and third-party-provider enforcement scope
Documentation Type
Missing documentation (feature not documented)
Documentation Location
https://code.claude.com/docs/en/settings
Section/Topic
Available settings entries for forceLoginMethod and forceLoginOrgUUID
Current Documentation
The settings page currently says:
forceLoginMethod| Useclaudeaito restrict login to Claude.ai accounts,consoleto restrict login to Claude Console (API usage billing) accountsforceLoginOrgUUID| Require login to belong to a specific organization. Accepts a single UUID string, which also pre-selects that organization during login, or an array of UUIDs where any listed organization is accepted without pre-selection. When set in managed settings, login fails if the authenticated account does not belong to a listed organization; an empty array fails closed and blocks login with a misconfiguration message
Related docs currently say:
* Cloud providers: if your organization uses Amazon Bedrock, Google Vertex AI, or Microsoft Foundry, set the required environment variables before runningclaude. No browser login is needed. When multiple credentials are present, Claude Code chooses one in this order: 1. Cloud provider credentials... 2.ANTHROPIC_AUTH_TOKEN... 3.ANTHROPIC_API_KEY... 4.apiKeyHelper... If your organization mixes providers, configure server-managed settings for Claude.ai users plus a file-based or plist/registry fallback so other users still receive managed policy.
What's Wrong or Missing?
Changelog v2.1.146 says:
FixedforceLoginOrgUUIDandforceLoginMethodmanaged-settings policies not being enforced against third-party-provider and API-key sessions.
A. The settings page frames these as browser-login restrictions only
The current row text talks about restricting or failing "login", but it does not say these managed settings also enforce on sessions that authenticate through API keys or third-party providers.
B. The authentication page makes provider and API-key flows sound separate from login policy
The current auth docs say cloud providers need no browser login and that provider/API-key credentials take precedence over OAuth. Without an explicit cross-reference, readers can reasonably conclude that forceLoginMethod and forceLoginOrgUUID only apply to Claude.ai or Console login flows.
C. The mixed-provider admin guidance omits this concrete policy example
admin-setup says other providers still receive managed policy through file/plist/registry fallbacks, but it does not clarify that these two auth-lock settings are part of that coverage.
This leaves admins unable to tell whether mixed-provider or API-key deployments are expected to honor these policies, which matters for organization-lock and auth-method enforcement.
Suggested Improvement
Add an explicit scope note to the forceLoginMethod and forceLoginOrgUUID rows, and cross-reference it from the authentication page.
Suggested wording:
These managed settings apply to the effective authentication method for the session, not only the browser-based login flow. They also enforce on API-key and third-party-provider sessions. If the resolved auth method or organization does not satisfy policy, Claude Code rejects the session.
Also add a short note to the authentication and admin setup pages clarifying that cloud-provider and API-key credentials do not bypass forceLoginMethod or forceLoginOrgUUID when those are set in managed settings.
Impact
Medium - Makes feature difficult to understand
Additional Context
Affected Pages:
| Page | Line(s) | Context |
|------|---------|---------|
| https://code.claude.com/docs/en/settings | 214-215 | Setting definitions mention login restriction but not API-key or third-party-provider enforcement scope |
| https://code.claude.com/docs/en/authentication | 24, 127-140 | Cloud-provider setup says no browser login is needed and auth precedence favors provider/API-key credentials, but does not say managed login-lock policies still apply |
| https://code.claude.com/docs/en/admin-setup | 54-58 | Mixed-provider guidance says other users still receive managed policy, but does not connect that statement to these auth-lock settings |
Total scope: 3 pages affected
Source: Changelog v2.1.146
Exact changelog entry:
FixedforceLoginOrgUUIDandforceLoginMethodmanaged-settings policies not being enforced against third-party-provider and API-key sessions.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗