CLAUDE COWORK. COMPLETELY OWNED. SKILLS, GATEWAY, MCP ALLOWLIST, PLUGINS. YOURS.

Cowork opens with a blank slate. No memory of last session, no record of the brand voice you shaped last week, no trace of the client-report template you wrote on Tuesday. The systemprompt.io connection changes that: click connect, approve in a browser tab, and every skill on your account loads into every Cowork session.

The handshake uses OAuth2 with PKCE. An authorisation code returns from the systemprompt.io auth endpoint, Cowork exchanges it at the token endpoint, and the session binds. No API key lands on disk. PKCE binds the code exchange to the one-time secret Cowork generated, so a captured code cannot be replayed from another machine. Staff engineers verifying this read the OIDC discovery document, authorize endpoint, and token exchange — all in one binary you run yourself.

A skill is a Markdown document plus a small config block. Edit it in the dashboard and the next Cowork session sees the update. Type / in Cowork and your skills appear as slash commands. Cancel your account and you walk away with the Markdown files.

Cowork's third-party inference setting expects an HTTP endpoint that speaks /v1/messages and forwards a specific header set. systemprompt.io is that endpoint, running in your VPC in front of the upstream you operate. Your own inference cluster, a self-hosted Llama or Qwen deployment, an internal model behind a private ingress. The gateway authenticates the user, checks scope, scans the prompt for secrets, applies rate and budget limits, and writes an audit_events row with trace_id before a token leaves your network.

The same gateway fronts commodity providers when you need them (Bedrock, Vertex, Azure Foundry, Anthropic direct, OpenAI, Gemini, Groq) through one routing table keyed on department, model, cost, or failover. The switch between your own inference and a commodity provider is a YAML change, not a replatforming. Cost lands in one microdollar column regardless of upstream.

Anthropic's documented data flow says prompts route to your cloud provider and Anthropic never sees them. With systemprompt.io in front, the cloud provider never sees raw traffic either. It sees a policy-checked request from your governance layer, stamped with your attribution headers.

Cowork's third-party inference form exposes a credential helper script field whose contract is an absolute path to an executable that prints the credential on stdout. Most deployments skip it and ship one shared bearer to every laptop over MDM. One compromised device then exposes organisation-wide AI spend and audit identity.

systemprompt.io is the counterpart to that field. The helper is a small binary that trades the workstation's SSO identity for a short-lived, user-scoped JWT against the gateway's auth endpoint. Cowork invokes it per token expiry, reads the JWT from stdout, and uses it as the Authorization header on every /v1/messages request. The user never sees a key. Upstream credentials stay on the gateway. Revocation is a database update. Rotation happens on the next refresh.

The helper's JSON also carries seven canonical headers that Cowork merges into every request: x-user-id, x-session-id, x-trace-id, x-client-id, x-tenant-id, x-policy-version, x-call-source. Real identity propagates into every audit row. Paired with the Skip login-mode chooser toggle, a user opens Cowork and is signed in through the organisation's identity with no API-key paste step.

Cowork on third-party inference supports remote MCP servers only against an admin-maintained allowlist. Tool policies are allow, ask, or block. isLocalDevMcpEnabled disables user-added servers. isDesktopExtensionSignatureRequired enforces signed extensions. The settings exist in Cowork. The signing authority, the registry, and the revocation path do not ship with it.

systemprompt.io fills those three gaps. Register each MCP server once, scope it by RBAC role or department, sign its manifest with your keys, and distribute the allowlist to every Cowork install from one source. Revoke a server centrally and every laptop converges on the next session. Tool policy evaluates per-principal and per-context, so the same Stripe tool can be allowed for the payments team and blocked for the same developer working on marketing.

Every allowed tool call writes into the same audit_events table as the inference request, linked by trace_id. "What MCP servers did this agent reach, and was it allowed to" becomes one SQL query.

Cowork distributes plugins (skills, commands, subagents, MCP servers) through a local mount: /Library/Application Support/Claude/org-plugins/ on macOS, C:\\ProgramData\\Claude\\org-plugins\\ on Windows. The manifests are plugin.json and .mcp.json. The mechanism ends at "files on disk". Provenance, revocation, version history, and department scoping are left to the enterprise.

systemprompt.io is the supply chain behind that mount. Authors sign plugins in the dashboard. Versions land in your database. Entitlement scopes by RBAC role and department. A sync agent on each laptop writes only the user's entitled set into the org-plugins/ path. An update propagates on the next Cowork session. A withdrawal removes the plugin from every install before the next invocation.

The local directory is the delivery mechanism Anthropic specifies. The marketplace (browse, install, fork, publish, review) lives in systemprompt.io, so authors ship once and distribute everywhere under one policy.

Cowork emits OpenTelemetry metrics on third-party inference. Useful for dashboards. Insufficient when an auditor asks which prompt caused a tool call, who authorised it, and what the model returned. systemprompt.io captures the full lineage (prompt, completion, tool calls, MCP invocations, cost) as structured JSON, keyed on trace_id, stored in your PostgreSQL.

The same trace_id appears on the gateway log row, the MCP call row, the plugin load event, and the session record. Forward the JSON stream to Splunk, ELK, Datadog, or Sumo Logic and the SIEM ingests it without a custom parser. Query it from the systemprompt.io CLI for ad-hoc work. Export CSV for an auditor. The record is the same, surfaced differently.

Cowork reads a macOS .mobileconfig under com.anthropic.claudefordesktop and a Windows .reg under HKCU\\SOFTWARE\\Policies\\Claude. systemprompt.io ships template profiles for both. IT sets the gateway URL, delivers the helper binary path, and applies the profile. Cowork launches with the /v1/messages endpoint selected, the MCP allowlist URL populated, the plugin sync agent bootstrapped, and tool policies set from central policy.

A user opens Cowork for the first time and lands in a governed environment. No Developer-mode toggle. No API-key paste. No "which MCP server should I add" question.