This feature is currently in early preview. Behavior, configuration steps, and tooling may change before general availability.

The SurePath AI Gateway and Model Router enables organizations to intercept Claude Code traffic and redirect inference requests to private models connected to their SurePath AI tenant. When configured, Claude Code requests that would otherwise go directly to the Anthropic API are routed through the SurePath AI platform to a designated private model, allowing organizations to apply the same governance controls and policy enforcement used for other AI services.

This feature requires configuration in two places: the Claude Code Model Router settings in the SurePath AI admin, and the Claude Code settings file on each developer's machine.

Organizations that have deployed Claude models through a cloud provider — such as AWS Bedrock, Google Vertex AI, or Azure AI Foundry — can use this feature to redirect Claude Code traffic to those privately hosted models instead of the public Anthropic API. This gives development teams access to the same Claude Code experience while keeping inference traffic within the organization's own cloud environment.

Two common drivers for this are data privacy and cost. Organizations with strict data residency requirements or internal policies that restrict sending code and prompts to third-party APIs can use the model router to ensure that inference requests stay within their controlled infrastructure. Organizations that have negotiated committed use agreements or reserved capacity with a cloud provider can also route Claude Code traffic through those arrangements rather than incurring separate Anthropic API costs.

The Claude Code Model Router is configured at the policy level. Admins can enable it on the Default Policy or on any Group Policy. To access the router settings, navigate to either Default Policy or Group Policies in the GOVERN section, then scroll to the Claude Code Model Router section.

The router is enabled using the toggle at the top of the Claude Code Model Router section. All three model routes must be configured before the router can function correctly. The three Claude models that require a route are:

Each model route maps a Claude model to a private model available in the organization's SurePath AI tenant. The dropdown for each route only shows private models that belong to a compatible model family. Claude Haiku 4.5 can only be routed to private models in the Haiku family. Claude Sonnet 4.6 and Claude Opus 4.6 each support routing to models from either the Sonnet or Opus family, though a 1:1 family match is recommended for optimal performance.

When the selected private model matches the same model family as the Claude model being routed, a Recommended label appears next to the selection. This label indicates that the routing configuration meets the recommended capability equivalence.

Routing Claude Code traffic through SurePath AI requires two changes to the Claude Code configuration on each developer's machine: adding an auth helper script and setting the base URL for API requests.

By default, Claude Code authenticates directly to the Anthropic API using a static API key. When requests are routed through the SurePath AI model router, Claude Code must instead authenticate using OAuth 2.0 tokens issued by the organization's SurePath AI identity service. The auth helper script replaces the static API key with this token-based flow: Claude Code calls the script before each session, and the script returns a valid bearer token that is sent with every model request.

The script implements the OAuth 2.0 Device Authorization Grant flow (RFC 8628). On first use, it contacts the SurePath AI authorization server and prompts the developer to visit a URL in their browser to complete a one-time login. After the developer authorizes the session, the script receives and caches access and refresh tokens locally at ~/.config/claude-code/tokens.json. On subsequent uses, the script checks whether the cached access token is still valid. If the token has expired, it automatically refreshes it using the stored refresh token without requiring the developer to log in again. A new browser-based login is only required if both the access token and refresh token have expired.

Token storage to disk is a temporary approach used during early preview. A more robust credential management solution is planned for general availability.

The auth helper scripts are available from the SurePath AI Field CTO. On macOS and Linux, use auth-helper.sh. On Windows, use auth-helper.ps1. Organizations should distribute the appropriate script to developer machines through their standard software distribution or MDM process.

Claude Code reads its configuration from settings.json located in the .claude directory in the user's home folder. The path varies by operating system:

The following settings must be added to ~/.claude/settings.json on each developer's machine:

On Windows, use auth-helper.ps1 instead of auth-helper.sh. PowerShell 5.1 is built into Windows 10 and Windows 11, so no additional shell environment such as Git Bash or WSL is required.

The apiKeyHelper value on Windows invokes the script using the powershell command rather than a direct file path:

The path must use native Windows backslash notation, with each backslash escaped as \\ in JSON. The -NoProfile flag prevents PowerShell from loading the user profile on startup. The -ExecutionPolicy Bypass flag allows the script to run without requiring a change to the machine's execution policy.

Tokens are cached at %USERPROFILE%\.config\claude-code\tokens.json.

Organizations can distribute the settings.json configuration and the auth helper script to developer machines through MDM. The settings file can be deployed as a managed configuration. If developers already have an existing settings.json, the apiKeyHelper and env values should be merged into the existing file rather than replacing it.