Route a Claude subscription through Aperture

Last validated: Jun 27, 2026

Aperture by Tailscale is currently in beta.

In passthrough mode, Aperture forwards each client's own credential to the upstream provider instead of injecting a shared API key. This guide uses passthrough to route a Claude Pro or Max subscription: Claude Code signs in to the subscription and holds an OAuth token, and Aperture forwards that token to Anthropic unchanged. Each user authenticates to Anthropic as themselves, and you get Aperture's identity, logging, and policy enforcement without re-issuing keys.

This guide covers the end-to-end setup: the Anthropic provider on the Aperture side, and Claude Code on the client side. For the full passthrough mechanism and auth_mode reference, refer to set up passthrough mode.

Aperture routes requests based on the model name, not the LLM client. Any LLM client configured to use Aperture can access any provider your admin has set up. Refer to the provider compatibility reference for the full list of supported providers and API formats.

Prerequisites

Before you begin, you need:

An Aperture instance accessible from your device, and admin access to edit its configuration.
A grant that permits the Anthropic models for the Tailscale identities that will use them. Aperture lists and routes only granted models.
A Claude Pro or Max subscription for each user, and Claude Code installed and able to sign in to that subscription.

Configure the Anthropic provider

Define an Anthropic provider with auth_mode set to passthrough so Aperture forwards the client's OAuth token.

Open the Aperture dashboard and go to Administration > Configuration.
Add a provider under the providers map, replacing the placeholders with your values:
```
"providers": {
  "anthropic-passthrough": {
    "baseurl": "https://api.anthropic.com",
    "authorization": "x-api-key",
    "auth_mode": "passthrough",
    "models": ["claude-opus-4-8"],
    "compatibility": {
      "anthropic_messages": true
    }
  }
}
```
- authorization is x-api-key for Anthropic. Aperture forwards whichever credential the client sends, including a Bearer OAuth token.
- No apikey is configured, so this provider is passthrough-only: it works solely from each client's subscription token. Add a fallback apikey if you also want these models to work in the chat UI, which sends server-side requests that carry no client credential.
List each model in the models array by its exact name. Wildcards do not work: claude-opus-* matches nothing. To serve more than one model, add each full name to the array.
Save the configuration. Aperture hot-reloads it, so no restart is required. A successful save confirms the block passed validation.

Point Claude Code at Aperture and let it send its subscription OAuth token. Set only the base URL.

To avoid unexpected TLS issues, use http:// for the Aperture URL when configuring LLM clients. All connections remain encrypted using WireGuard, even when HTTPS is not used.

Sign in to your Claude subscription in Claude Code using claude then /login, or the IDE sign-in flow.
Create or edit ~/.claude/settings.json and set the Aperture URL:
```
{
  "env": {
    "ANTHROPIC_BASE_URL": "http://<aperture-hostname>"
  }
}
```
Do not set ANTHROPIC_API_KEY or ANTHROPIC_AUTH_TOKEN. Setting either makes Claude Code send that value instead of its OAuth token, which suppresses the credential you want to pass through.

You can set the base URL with an environment variable instead of the settings file:

export ANTHROPIC_BASE_URL="http://<aperture-hostname>"
# Do not set ANTHROPIC_API_KEY; let the OAuth token pass through.

Verify the connection

Send a test message in Claude Code.
Open the Aperture dashboard at http://<aperture-hostname>/ui/ and confirm the request appears on the Logs page (admin only).

If a request fails with a 401 error, confirm Claude Code is signed in to the subscription and that no API key or auth token is set on the client. If the request never reaches Aperture, confirm ANTHROPIC_BASE_URL points at the Aperture host. For more checks, refer to the passthrough troubleshooting steps.

What routes through Aperture

Only inference requests (/v1/messages) route through Aperture. Claude Code sends OAuth sign-in and token refresh requests directly to api.anthropic.com, bypassing ANTHROPIC_BASE_URL. Aperture never handles authentication or token refresh. It only authenticates inference requests by Tailscale identity before forwarding them to Anthropic.

Next steps

Grant model access: Control which models each user or group can access through Aperture.
Set up the chat UI: Let users talk to your configured models from their browser.
Set up LLM clients: Connect coding tools to route requests through Aperture.