Article Library

All 800 Articles

Everything in the Claude 3P 101 library, grouped by theme. Start with Getting Started if you're new; jump to your industry or function if you already know the basics.

Claude 3P 101 · Updated July 2026 · Unofficial guide

800 articles

Getting Started 12 articles

Platform Deep Dives 13 articles

Security & Compliance 13 articles

Cost & Operations 12 articles

Industry Use Cases 13 articles

Business Function Use Cases 12 articles

Architecture & Integration 13 articles

Migration & Adoption 12 articles

Amazon Bedrock in Practice 50 articles

Google Vertex AI in Practice 50 articles

Microsoft Foundry in Practice 50 articles

Claude Platform on AWS in Practice 50 articles

API Features & Capabilities 50 articles

SDKs & Developer Experience 50 articles

Prompt Engineering & Output Quality 50 articles

Enterprise Governance & Risk 50 articles

Cost Optimization & FinOps 50 articles

Solution Patterns & Playbooks 50 articles

Streaming, Errors & Resilience 25 articles

Advanced Tool Use & Agent Engineering 25 articles

  • MCP Connector Platform Availability: The Hard Split ExplainedWhy the API-native MCP connector works on the Claude API, Claude Platform on AWS, and Foundry Hosted-on-Anthropic but is blocked on Amazon Bedrock and Google Vertex AI — and what each of those platforms offers instead.
  • Inside the MCP Connector Request: mcp_servers, mcp_toolset, and Block TypesThe two-part structure every MCP connector call requires — one mcp_servers entry and one matching mcp_toolset per server — and how the mcp_tool_use and mcp_tool_result blocks differ from ordinary tool_use blocks.
  • MCP Tool Filtering: Allowlists, Denylists, and Mixed PatternsUsing mcp_toolset default_config and per-tool configs to control exactly which tools from a connected MCP server Claude is allowed to call, including precedence rules when defaults and overrides conflict.
  • OAuth for MCP Servers: Running the Auth Flow YourselfThe connector does not handle OAuth on your behalf — you run the authorization flow, pass the resulting token as authorization_token, and are responsible for refreshing it before each API call.
  • Combining MCP Toolsets with defer_loading to Control Context CostWhen an MCP server exposes dozens or hundreds of tools, pairing mcp_toolset with defer_loading and the tool search tool keeps unused tool definitions out of the context window without removing them from the request.
  • Client-Side MCP Helpers for Local and STDIO ServersThe anthropic[mcp] package ships four helper functions — mcpTools, mcpMessages, mcpResourceToContent, and mcpResourceToFile — for developers running their own MCP client against local servers that the remote connector cannot reach.
  • Agent SDK vs. Managed Agents: Same Loop, Different HostingBoth options run Claude's agentic tool loop, but the Agent SDK runs in your process with JSONL session state on your filesystem, while Managed Agents runs on Anthropic's infrastructure with a hosted container and REST sessions — here is how to pick.
  • Running the Agent SDK on Amazon BedrockThe CLAUDE_CODE_USE_BEDROCK env var, how the credential chain resolves, the CLAUDE_CODE_USE_MANTLE flag that switches to Bedrock's native Anthropic API shape, required IAM permissions, and the WebSearch tool gap on Bedrock.
  • Running the Agent SDK on Google CloudCLAUDE_CODE_USE_VERTEX setup, CLOUD_ML_REGION values including the global multi-region option, per-model region overrides with VERTEX_REGION_CLAUDE_* vars, and why MCP tool search is disabled by default on Vertex and how to re-enable it for Sonnet 4.5+.
  • Running the Agent SDK on Microsoft FoundryCLAUDE_CODE_USE_FOUNDRY is the only configuration path — there is no setup wizard — covering env var setup, Azure credential chain fallback, startup behavior differences versus Bedrock and Vertex, and base URL override for custom endpoints.
  • Agent SDK Lifecycle Hooks and the Permission ModelPreToolUse, PostToolUse, Stop, SessionStart, and SessionEnd callbacks let you validate, log, or block agent actions; combined with allowed_tools and permission_mode settings they define a layered policy model for safe autonomous operation.
  • Building Subagent Systems with the Agent SDKDefine specialized agents via the agents option using AgentDefinition, invoke them through the built-in Agent tool, control which tools each subagent can access, and trace delegation chains via the parent_tool_use_id field on subagent context messages.
  • Session Continuity: Resume, Fork, and JSONL StorageThe Agent SDK assigns a session_id in the first query's init message; pass resume=session_id to continue with full context, or fork the session to explore two approaches from the same point — all backed by JSONL files on your filesystem.
  • Agent Skills Three-Level Loading: Keeping Context LeanOnly the name and description from a skill's YAML frontmatter enter the system prompt at startup (~100 tokens per skill); the SKILL.md body and bundled scripts load on demand through bash, so unused skills cost almost nothing.
  • Agent Skills on 3P Platforms: What Is and Is Not SupportedPre-built and custom Agent Skills are available on the Claude API, Claude Platform on AWS, and Microsoft Foundry with a Hosted-on-Anthropic deployment; they are absent on Amazon Bedrock and Google Vertex AI.
  • Agent Skills Runtime Constraints Differ by SurfaceAPI skills run without network access and cannot install packages at runtime; Claude Code skills have full network access; claude.ai skills depend on workspace admin settings — the same SKILL.md behaves differently depending on where it runs.
  • Auditing Agent Skills Like Installing SoftwareA skill with bundled scripts can execute arbitrary code in Claude's environment; Anthropic's own guidance says to treat skills like installed software — including auditing all bundled files and applying heightened scrutiny to any skill that fetches external URLs.
  • Server-Side Context Editing: Trimming Tool Results and Thinking Before They Reach the ModelThe context-management-2025-06-27 beta header enables two server-applied strategies — clear_tool_uses_20250919 and clear_thinking_20251015 — that prune old content before Claude processes the prompt, with applied_edits in the response reporting exactly what was removed.
  • Context Editing and Prompt Caching: Managing the Cache Invalidation CostClearing tool results removes cached prompt prefixes at the cleared point; the clear_at_least parameter lets you set a minimum bytes-cleared threshold so the context window savings always outweigh the cache miss penalty.
  • Using Claude with Amazon Bedrock AgentCore HarnessThe AgentCore Harness defaults to Claude Sonnet 4.6 via the converse_stream API format; you can switch to the responses or chat_completions format for Bedrock's Mantle endpoint, and you can even reach Anthropic's 1P API from AgentCore using liteLlmModelConfig with a key stored in AgentCore Identity.
  • Amazon Bedrock AgentCore Services Overview: Where Claude FitsAgentCore's twelve services — Harness, Runtime, Memory, Gateway, Identity, Code Interpreter, Browser, and more — work independently or together; Claude is one of many supported models, not a special first-class citizen, and AgentCore's Skills and MCP support are AWS-native concepts distinct from Anthropic's.
  • Bedrock Agents Classic Is Closing to New Customers July 30, 2026Amazon Bedrock Agents (launched November 2023) is now Bedrock Agents Classic and will not accept new customers after July 30, 2026; existing customers continue as normal, and AWS points newcomers to AgentCore — here is what to evaluate when choosing between AgentCore, the Anthropic Agent SDK, and Managed Agents.
  • Foundry Hosted-on-Azure vs. Hosted-on-Anthropic: Which Features UnlockFoundry offers Claude in two deployment modes; Hosted-on-Azure (GA) supports the core Messages API but not the MCP connector, Agent Skills, or code execution; Hosted-on-Anthropic (preview) unlocks all three — and Fable 5 — at the cost of data leaving Azure infrastructure.
  • Claude on Google Cloud Has No Server Tools: Building Agents Around the GapGoogle's official docs confirm Claude partner models on the platform support Client tools only — no web search, code execution, web fetch, or MCP connector via the API; this article maps the architectural implications and where Google's own Agent Runtime docs are silent on Claude support.
  • Multiagent Coordination in Managed AgentsA coordinator agent delegates tasks to up to 20 roster agents within a single session; all share the container filesystem but maintain isolated conversation threads with their own models and tool sets; delegation is one level deep only, and cross-thread tool confirmations surface on the primary session stream.

Networking, Identity & Private Connectivity 25 articles

  • The bedrock-mantle VPC Endpoint Service ExplainedHow the Messages-API surface gets its own PrivateLink endpoint service (`com.amazonaws.{region}.bedrock-mantle`) separate from `bedrock-runtime`, and how to create and scope VPC endpoint policies for both.
  • FIPS 140-3 Endpoints for Amazon BedrockWhich regions offer `bedrock-fips` and `bedrock-runtime-fips`, what they validate, why no FIPS variant exists yet for the bedrock-mantle surface, and when a government workload needs them.
  • The Dual-ARN Requirement When Using Inference Profiles in IAMWhy an IAM policy that scopes `Resource` only to an inference-profile ARN silently fails, how to add the matching foundation-model ARN for every destination region, and how the `bedrock:InferenceProfileArn` condition key locks callers to a specific profile.
  • SCPs and Cross-Region Inference: the aws:RequestedRegion TrapHow geographic inference profiles require all destination regions to be allowed in SCPs, why global profiles use `aws:RequestedRegion = "unspecified"`, and how to add an explicit Deny to block global routing entirely.
  • Auditing Where Cross-Region Bedrock Inference Actually RanHow to find the `additionalEventData.inferenceRegion` field in CloudTrail records to confirm which region processed a cross-region inference request, and why logs always appear in the source region.
  • What AWS KMS Encryption Covers — and Does Not Cover — on BedrockMapping customer-managed KMS key support across model customization, agents, knowledge bases, and evaluation jobs, and why on-demand inference prompts fall outside customer-KMS scope under the Model Deployment Accounts architecture.
  • VPC Service Controls Blocks Request-Response Logging on Vertex AIWhy enabling a VPC-SC perimeter around Vertex AI disables prompt-and-completion logging, what the documented alternatives are for capturing audit evidence inside a perimeter, and how to plan for this before locking down a production environment.
  • Enforcing Regional Endpoints with a GCP Org Policy ConstraintHow to apply `constraints/gcp.restrictEndpointUsage` to prevent Vertex AI traffic from hitting the global endpoint, and how to configure clients to use the regional domains (`aiplatform.us.rep.googleapis.com` / `aiplatform.eu.rep.googleapis.com`) instead.
  • Enabling Cloud Audit Logs for Vertex AI Claude PredictionsHow to turn on Data Access (DATA_READ) audit logging for `endpoints.predict` calls, why these logs are disabled by default, and the `roles/logging.privateLogViewer` role required to read them.
  • Workload Identity Federation for Non-GKE Workloads Calling Claude on Vertex AISetting up WIF pools and OIDC providers for workloads running on AWS, GitHub Actions, GitLab, or any standards-compliant IdP so they can obtain short-lived Google Cloud credentials without exporting service account keys.
  • The Two IAM Roles Every Vertex AI Claude Deployment NeedsWhy both `roles/consumerprocurement.entitlementManager` (to enable models in Model Garden) and `roles/aiplatform.user` (to call the predict endpoint) are required, which persona gets each, and the `roles/serviceusage.serviceUsageAdmin` prerequisite for enabling the API itself.
  • Enforcing Keyless-Only Access by Disabling API Keys in FoundryHow to set `disableLocalAuth: true` via PowerShell, Bicep, or ARM template to eliminate key-based auth once all consumers have migrated to Entra ID, and how to verify no callers still depend on keys before flipping the switch.
  • Foundry RBAC Roles for Claude: Which Role to Assign and WhereThe Foundry User, Foundry Owner, Foundry Agent Consumer, and Foundry Project Manager role taxonomy, why Microsoft warns against assigning "Cognitive Services" or "Azure AI Developer" roles for Foundry work, and how scoping a role to a resource versus project versus individual agent changes the blast radius.
  • How Azure DNS Routes Foundry Traffic Through a Private EndpointThe mechanics of Azure CNAME rewriting into a `privatelink` subdomain, why the same Foundry hostname resolves to a private IP inside the VNet and a public IP outside it, and how to configure custom or on-premises DNS servers to forward to Azure DNS at 168.63.129.16.
  • Letting Trusted Azure Services Bypass Foundry Network RulesHow to grant Azure AI Search, Azure Machine Learning, and other trusted Azure services access to a Foundry resource whose public network access is disabled, using managed identity combined with a role assignment rather than opening network rules.
  • Foundry's Three Public Network Access Modes and Their Network ImplicationsA plain-English walkthrough of Disabled, Enabled from selected IP addresses, and public PNA settings, including why removing a private endpoint does not automatically re-enable public access and how to reach a fully locked-down resource for management.
  • The aws-external-anthropic SigV4 Service Name: Why It MattersWhy the SigV4 service name for Claude Platform on AWS is `aws-external-anthropic` rather than a Bedrock alias, how to set it correctly in cURL and SDK clients, and the misleading generic signature-rejection error produced by a service-name mismatch.
  • The One-Time STS Prerequisite for Claude Platform on AWSWhy the gateway must call `sts:GetWebIdentityToken` server-side and why `aws iam enable-outbound-web-identity-federation` must be run once per account before any SigV4-authenticated call can succeed.
  • Federating IAM Roles into the Claude ConsoleHow the `aws-external-anthropic:AssumeConsole` IAM action generates a short-lived JWT redirect to `platform.claude.com`, the just-in-time user provisioning it triggers, and the difference between Admin and Developer console roles.
  • Workspace Region vs. Inference Geography on Claude Platform on AWSWhat the `inference_geo` parameter controls (where inference actually runs on Anthropic infrastructure) versus what the workspace's AWS region controls (gateway endpoint, IAM, CloudTrail, billing), and the 1.1x cost multiplier that applies to `us` geography.
  • CloudTrail Coverage for Claude Platform on AWS: Management vs. Data EventsWhy inference, batch, file, and skill API calls are Data events that require explicit opt-in and incur extra charges, how to enable them, and how to correlate logs using the dual request IDs (`x-amzn-requestid` from AWS and `request-id` from Anthropic).
  • Anthropic's Native Workload Identity Federation for the Claude APIHow to configure service accounts, federation issuers (OIDC discovery, explicit JWKS URL, or inline for air-gapped clusters), and federation rules to exchange external JWTs for short-lived `sk-ant-oat01-...` tokens without storing long-lived API keys.
  • Fixed IP Ranges for Claude API Firewall RulesAnthropic's documented inbound CIDR (`160.79.104.0/23`) and outbound tool-call CIDR (`160.79.104.0/21`), why Claude Platform on AWS inbound traffic uses AWS IP ranges instead, and how to phase out the legacy `34.162.*` /32s that are being decommissioned.
  • Workspace Isolation: API Keys, Prompt Caches, and Spend LimitsHow workspace scoping differs across platforms (per-workspace on the Claude API, Claude Platform on AWS, and Foundry versus per-organization on Bedrock and Vertex AI), the 100-active-workspace limit, and why archiving a workspace immediately and irreversibly revokes all its API keys.
  • Admin API Keys vs. OAuth org:admin Tokens: When to Use EachThe difference between `sk-ant-admin` keys and OAuth bearer tokens with `org:admin` scope, why the Admin API deliberately prevents creating new API keys programmatically, and which of the five organization roles can obtain each credential type.

Observability, Usage & Analytics 25 articles

  • The AWS/BedrockMantle CloudWatch Namespace: Why Your Dashboards May Miss Half Your TrafficHow the current bedrock-mantle surface publishes to a completely separate namespace from the legacy AWS/Bedrock, which metrics the two namespaces share and which differ (Project dimension, missing TTFT and latency equivalents on mantle), and how to build a unified dashboard that covers both surfaces.
  • Enabling CloudTrail Audit Coverage for bedrock-mantle Inference CallsWhy inference on the current Claude in Amazon Bedrock surface is a CloudTrail data event (off by default, incurs charges), how to enable data event capture with advanced event selectors, and why existing filters on bedrock.amazonaws.com miss the bedrock-mantle.amazonaws.com eventSource entirely.
  • Inside a Bedrock ModelInvocationLog Record: Fields, Size Limits, and Overflow HandlingA field-by-field walkthrough of the ModelInvocationLog schema — timestamp, accountId, identity.arn, requestMetadata, inputBodyJson/outputBodyJson — the 100 KB body cap, how larger payloads and binary data overflow into separate S3 objects, and what the log entry's reference to those objects looks like.
  • Using requestMetadata Tags for Per-Call Attribution on Amazon BedrockHow to attach caller-supplied key-value tags to bedrock-runtime inference calls via the requestMetadata field, how Bedrock preserves them verbatim in invocation logs, and how to write CloudWatch Logs Insights queries that group token usage by those tags for per-team or per-feature chargeback.
  • Monitoring Bedrock's Invocation-Logging Pipeline with Delivery Health MetricsThe ModelInvocationLogsCloudWatchDeliverySuccess, ModelInvocationLogsCloudWatchDeliveryFailure, and three S3 delivery health metrics that AWS publishes under AWS/Bedrock, what failures look like, and how to build alarms that fire before logging gaps reach your compliance retention window.
  • Why EstimatedTPMQuotaUsage Cannot Replace Throttle-Based Capacity PlanningThe documented AWS caveat that EstimatedTPMQuotaUsage does not reflect the reservation-based accounting (input tokens plus max_tokens reserved upfront) that actually drives throttling, what InvocationThrottles and SDK retry settings show instead, and how to size max_tokens conservatively to reduce unintended throttle counts.
  • The CloudWatch Generative AI Observability Dashboard for BedrockWhat the pre-built CloudWatch gen-AI dashboard shows (invocation count, latency, token counts by model, throttles, error rates), why drilling into per-request prompt content requires bedrock-runtime invocation logging enabled to CloudWatch Logs first, and how to extend the dashboard with OTel traces from ADOT-instrumented frameworks.
  • Setting Up Vertex AI Request-Response Logging for Claude: REST-Only, Regional-OnlyWhy Claude on Vertex AI requires the REST API (not gRPC) and a regional endpoint (not the global endpoint) to configure request-response logging, the setPublisherModelConfig API call structure with samplingRate and bigqueryDestination, and the few-minute propagation delay before changes take effect.
  • Field-by-Field Guide to the Vertex AI Request-Response Log Table in BigQueryWhat each column in the auto-created request_response_logging BigQuery table contains — endpoint, logging_time, request_id, request_payload, response_payload, full_request, full_response, metadata latency, otel_log — the 10 MB row-size limit that silently drops large conversations, and how sampling rate affects completeness.
  • The otel_log Column: Vertex AI's Only OpenTelemetry Hook for ClaudeHow enabling enableOtelLogging on the Vertex publisher model config adds an otel_log JSON column in OpenTelemetry schema format alongside the standard request-response columns in BigQuery, why this is the only documented OTel sink for Claude on Vertex AI, and what the column contains versus what the standard columns already provide.
  • Vertex AI Tamper-Proof Log Sharing with Anthropic for Advanced AI ModelsHow to enable real-time tamper-proof sharing of Vertex request-response logs with Anthropic's trust-and-safety team for Claude Fable 5, Mythos Preview, and Mythos 5 using dataSharingEnabledProvider, why BigQuery logging does not need to be active for sharing to work, the Advanced AI Safety Addendum consent requirement, and the VPC Service Controls restriction that blocks sharing by default.
  • Reading the Vertex AI Pre-Built Model Observability Dashboard for ClaudeWhat the Vertex AI model observability dashboard shows for MaaS partner models like Claude (requests per second, token throughput, first-token latency, error rates), how to navigate to it (Gemini Enterprise Agent Platform console → Model observability), why the section only appears after real API calls exist, and the documented exclusion of Vertex AI Studio traffic.
  • Why the Vertex AI Quota Page Shows Inaccurate Token Counts for ClaudeThe documented inaccuracy of Quota page token figures caused by Anthropic's estimation-and-refund token model, why Metrics Explorer token_count metrics are the authoritative source for Claude token accounting on Vertex, and how to find the right quota lineage metrics (global_online_prediction_input_tokens_per_minute_per_base_model with base_model dimensions like anthropic-claude-opus).
  • Rate-Limit Visibility on Foundry Without anthropic-ratelimit-* HeadersWhy Foundry omits all nine anthropic-ratelimit-* response headers that the direct Claude API returns, what signals are available instead (ProvisionedUtilization metric crossing 100%, Azure portal quota page, 429 responses), and how to implement exponential back-off without header-based token budget tracking.
  • Two Correlation IDs in Every Foundry Response: request-id and apim-request-idWhat the Anthropic-side request-id and the Azure API Management apim-request-id each trace, why Anthropic support requires both to cross-reference a request across their system and Azure's, and how to extract and log both headers reliably from SDK responses.
  • OpenTelemetry Tracing for Claude in Foundry's Agent FrameworkHow Foundry's agent-framework tracer emits spans following OTel GenAI semantic conventions (gen_ai.provider.name, gen_ai.request.model, gen_ai.usage.input_tokens, gen_ai.usage.output_tokens), the three environment variables required to opt into recording prompt and completion content in spans, and how to route traces to a Log Analytics workspace.
  • Reconciling Claude Consumption Units Against Foundry Token MetricsHow Claude charges on Foundry appear as CCU-denominated metered entries on your Azure invoice billed monthly in arrears, the documented five-hour delay before charges appear in Azure Cost Management, and how to cross-check the CCU line items against InputTokens and OutputTokens metrics in Azure Monitor to surface discrepancies.
  • Admin API Keys, Standard API Keys, and Analytics API Keys: Which Does WhatThe three key types for the Claude API (sk-ant-admin01- Admin keys, standard sk-ant- API keys, and Claude Enterprise Analytics keys), which endpoints each unlocks, why the Usage and Cost Admin API is restricted to organizations (not individual accounts), and how organizations using Claude Enterprise Analytics get a separate Analytics API instead.
  • Group-By Dimensions and Filters in the Usage Report EndpointA practical guide to every group_by dimension in GET /v1/organizations/usage_report/messages (account_id, api_key_id, context_window, inference_geo, model, service_account_id, service_tier, speed, workspace_id), what each dimension enables (per-workspace chargeback, data-residency verification, model-level rollup), and the beta header required for speed-based grouping.
  • The Cost Endpoint: Daily Granularity, Cents Format, and What It OmitsHow GET /v1/organizations/cost_report differs from the usage endpoint (daily-only bucket_width, USD decimal strings in cents, grouping by description or workspace_id), why Priority Tier costs are absent (different billing model), and why code execution costs appear only here and not in the usage endpoint.
  • Closing the Attribution Gaps in the Admin Usage APIThe three documented blind spots in the Usage API — Workbench usage that returns api_key_id: null, usage from the default workspace appearing as workspace_id: null, and per-user Claude Code cost breakdowns requiring the separate Claude Code Analytics API — and practical workarounds for each.
  • Why the Usage and Cost Admin API Is Unavailable on Claude Platform on AWSThe documented exclusion of programmatic Usage and Cost API endpoints from Claude Platform on AWS, what the Console Usage and Cost pages provide instead (hourly/minute token breakdowns, rate-limited request counts, cache-rate charts, CSV export), and the access-role requirements that limit visibility to Developer, Billing, and Admin roles.
  • Usage Fields in Streaming Responses: message_start, message_delta, and the Cumulative TrapHow token counts appear at two points in a streaming response (initial message_start usage snapshot with output_tokens: 1, and the final message_delta with cumulative totals including cache fields and server_tool_use), why summing delta counts produces wrong totals, and how compaction iterations affect top-level usage figures.
  • usage.server_tool_use and usage.service_tier: Billing Fields Beyond Token CountsWhat the usage.server_tool_use object reports (web_search_requests and web_fetch_requests counts for server-tool billing reconciliation), what usage.service_tier tells you about which serving tier handled the request (standard, priority, batch), and why these fields are the authoritative per-response source for reconciling server-tool charges.
  • What Actually Lands in Platform Logs: A Cross-Platform Prompt-Content InventoryA factual comparison of what prompt and completion content reaches each platform's logging system — full JSON request and response bodies (up to 100 KB) in Bedrock invocation logs, full payloads in Vertex BigQuery request-response logs, status codes and latency only (no bodies documented) in Foundry diagnostic RequestResponse logs — and the governance implications of prompts containing personal data flowing into cloud-managed log stores.

Retrieval & Document Workflows 25 articles

Evaluation, Testing & Quality 25 articles

Multi-Platform Portability & Model Upgrades 25 articles

Scaling, Quotas & Capacity Planning 25 articles