How a request travels
Each Slack thread runs in its own sandbox, and every outbound call from that sandbox passes through the same checkpoints.| Checkpoint | The guarantee |
|---|---|
| The sandbox | Runs on Anthropic’s infrastructure and holds no credentials |
| Agent Proxy | Injects credentials from the credential store at request time, and blocks traffic to unlisted hosts by default |
| Your systems | See the agent’s own accounts, so its actions there are attributable |
Compute and the sandbox
Sessions run in sandboxes Anthropic hosts, the same managed compute behind Claude Code on the web. Each Slack thread gets its own sandbox. When a thread goes quiet, its sandbox is released; replying in the thread builds a fresh one. What persists across that release and rebuild:- Persists: The thread, its visible work, and anything pushed to a branch, opened as a pull request, or posted into Slack.
- Does not persist: Files that existed only inside the sandbox. To keep generated files, ask Claude to push them to a branch or post them in the thread.
Credential storage
Credentials you provision are kept in a separate credential store, not in the proxy itself. When an outbound request matches a rule, Agent Proxy, the network layer between the sandbox and any external host, retrieves the credential from that store and injects it at the boundary, so the model and the sandbox are not given the key. This means:- A saved credential is not displayed again. The setup screens are write-only.
- The credential travels only to the hosts you named when you added the connection.
- You can narrow the credential further, to one host, one path prefix, or read-only methods, in Add connections.
Network egress
Outbound traffic from a channel session’s sandbox is default-deny. Requests go only to hosts an allow layer covers, and the layers are a connection’s Allowed websites, the bundle’s Domains tab, and the network access setting of the environment the scope’s sessions run on. A new environment’s Trusted default already covers a documented set of package registries and developer hosts. Every request gets one of three outcomes:- Matches a credential rule. The credential is attached at the boundary and the request proceeds.
- Matches only an allowlist. The host is on the Domains tab or allowed by the environment’s network access setting; the request is sent without credentials.
- Matches nothing. The request is blocked outright; the host is unreachable rather than merely unauthenticated.
claude.ai/code and defaults to the Trusted level. See Set allowed websites and Allow a host without a credential.
Organizations can opt in to allow-all egress, where a * entry on a bundle’s Domains tab admits requests to any host on the ports that entry lists, still without credentials. Private and internal network addresses and cloud metadata endpoints remain blocked. Allow-all egress is off by default and enabled per organization by Anthropic; see Allow all hosts.
Service accounts
In channels, Claude acts under service credentials of its own, not under the account of the person who tagged it. The Slack surface is the Claude app, code work goes through the Claude GitHub App, and every other connected tool uses a service account an Owner provisions in an Access bundle. See How agent identity works for the full model. A connection belongs to that agent identity and is shared by everyone the bundle’s scope covers. Anyone in a channel under that scope can ask Claude to act with the credential, so whatever the connected account can read or write is available to every member of those channels. Connect a dedicated identity you control for each service, such as aclaude@yourcompany.example.com seat or a native service account, rather than a personal login. A dedicated account keeps the agent’s actions separately auditable in each tool’s logs and lets you revoke its access without affecting a person; see Create a dedicated account per service.
DMs with @Claude run on the user’s own claude.ai account instead, with that user’s personal connectors, and work there is attributed to them. Personal connectors apply only in DMs, never in channels. Admins can disable DMs organization-wide; see Allow or disable direct messages.
Member access
By default, anyone in a connected Slack workspace can invoke Claude in channels, with or without a Claude account. An Owner or Admin can turn on a restriction toggle to narrow that: on Team plans it limits Claude to people with a Claude account in your organization, and on Enterprise plans it limits Claude to members whose role grants the Claude Tag in Slack capability. See Restrict who can use Claude. The toggle governs DMs as well as channels.Related resources
- How agent identity works: the identity model in full, including DM attribution
- Restrict where Claude Tag operates: the controls that exist and the ones that don’t
- Audit Claude Tag activity: the trails for tracing what it did