localhost in Claude Cowork monitoring settings. Cowork exports
from Anthropic’s VM, so localhost points at the Cowork environment, not your
developer machine. To test with a real Cowork session against a local Runlayer
stack, expose your local app through a reachable HTTPS tunnel and use that
tunnel URL as the OTLP endpoint.
Requirements
- Claude Team or Enterprise with Cowork monitoring access
- Claude desktop app version 1.1.4173 or later
- A Runlayer organization API key with the Shadow AI Scan role
- Full session scanning enabled for Claude Cowork in Runlayer
Create the Runlayer API key
1
Open Organization API keys
In Runlayer, go to Settings -> Organization API keys.
2
Create a scoped key
Click Create Organization API Key, give it a name such as
Claude Cowork OTLP, and select Shadow AI Scan.3
Copy the key
Copy the generated
rl_org_... value. Cowork uses this key in the OTLP
header, and Runlayer rejects user API keys or org keys without the
Shadow AI Scan role.Enable Cowork in Runlayer
1
Open Full session scanning
In Runlayer, go to Settings -> General -> Full session scanning.
2
Enable the API
Turn on Full session scanning APIs.
3
Enable Claude Cowork
Under Hook clients, turn on Claude Cowork, then save the settings.
Configure Claude Cowork
In Claude admin settings, open Cowork monitoring settings and set:
If your organization restricts Cowork network egress, allowlist your Runlayer
tenant hostname, such as
<your-tenant>.runlayer.com. Cowork exports telemetry
from its VM, so blocked egress prevents events from reaching Runlayer.
After saving the Cowork monitoring settings, start a new Cowork session. Cowork
loads monitoring settings when a session starts, so already-running sessions do
not pick up the new OTLP destination.
Verify in Runlayer
- Start a new Cowork session and submit a prompt.
- Open Sessions in Runlayer.
- Filter by client Claude Cowork.
Troubleshooting
No Cowork sessions appear
No Cowork sessions appear
- Confirm Full session scanning APIs is on.
- Confirm Claude Cowork is enabled under Hook clients.
- Confirm the Cowork OTLP endpoint includes
/api/v1/hooks/cowork/otlp/v1/logs. - Confirm the OTLP header uses an organization API key with Shadow AI Scan.
- Start a new Cowork session after changing monitoring settings.
- If Cowork egress allowlisting is enabled, allowlist your Runlayer tenant hostname.
Runlayer returns 403
Runlayer returns 403
Use an organization API key with the Shadow AI Scan role. Personal user
API keys and org keys without that role are rejected for Cowork OTLP
ingestion.
JSON or protobuf
JSON or protobuf
Use
http/protobuf for normal deployments. Use http/json when you need to
inspect payloads while testing. Runlayer accepts both protocols on the same
endpoint.