Use Case · Engineering

Keyless employee access to AI providers

Engineers live in coding agents like Claude Code and Codex, backed by Vertex AI and AWS Bedrock. Instead of long-lived API keys that leak into dotfiles and CI secrets, NetBird ties access to groups in your identity provider.

NetBird Control Center showing a Developers group with policy-based access to OpenAI, Anthropic, Google Vertex AI, and AWS Bedrock

One private endpoint, every provider behind it

Engineers point Claude Code, Codex, or any other agent at a single NetBird base URL.

Configure Your Agent dialog: point Claude Code at the NetBird endpoint as its base URL, with no provider API key on the client
AnthropicAnthropic
OpenAIOpenAI
Vertex AIVertex AI
Amazon BedrockAmazon Bedrock
LiteLLMLiteLLM
CloudflareCloudflare
VercelVercel
vvLLM

How it works

01

Connect your identity provider

NetBird syncs users and groups from Okta, Entra ID, Google Workspace, or any OIDC IdP — your existing org structure becomes the source of truth for who can reach what.

02

Get a private endpoint

Agent Network gives you a private endpoint inside your network. It's reachable only when users are connected to NetBird and authenticated through your IdP, never from the public internet.

03

Add your providers behind it

The endpoint is a secure access layer in front of your backends. Add Anthropic, OpenAI, Vertex AI, and Amazon Bedrock — or an existing gateway like LiteLLM. Teams keep using one endpoint while you manage routing centrally.

04

Authorize by group, not by key

NetBird's policy engine maps groups from your IdP to the providers it may reach. Set token and dollar budgets per policy, and optionally pass user or group identity upstream for full attribution.

05

Point your agent at the endpoint

Engineers configure Claude Code, Codex, or any other tool with the base URL NetBird provides — no key to paste. They connect, the tunnel opens, and they're working. Remove them from the IdP group and access drops within seconds.

Why engineering teams switch

No keys to leak

Nothing long-lived lands on a laptop, in a dotfile, or in a CI secret. There is no shared key to exfiltrate, and nothing to rotate when someone leaves.

Onboard and offboard instantly

Access follows IdP group membership. Joiners get reach the moment they're in the group; leavers lose it the second they're out — no ticket, no cleanup.

Real attribution

Costs and usage map to people and teams instead of one anonymous key, so you can see who spent what across Claude Code, Codex, Vertex AI, and Bedrock.

Policy and limits in one place

Token and dollar caps, model allow-lists, and audit logging live on the network policy — consistent across every provider, streamed to your SIEM.

Give your engineers AI access without handing out a single API key.

Get Started Free