Connect Claude Cowork to Capsule Security for complete visibility into Claude AI activity, including user prompts, tool execution, model API calls, errors, and session lifecycle. This integration uses Claude's native OpenTelemetry (OTLP) logs exporter — no hooks, scripts, or custom binaries required.
Claude emits structured telemetry as OpenTelemetry log records. Capsule provisions a dedicated OTLP endpoint and a long-lived bearer token scoped to your tenant, which Claude can be configured to export to via standard OTEL environment variables.
The following events are captured:
| OTEL Event | Description |
|---|---|
| user_prompt | User prompts submitted to Claude |
| tool_result | Tool execution results, including MCP tool invocations |
| api_request | Model API requests with token usage, duration, and cost |
| api_error | Model API errors |
| tool_decision | Tool permission decisions (allow / deny / source) |
| session_start | Session initialization |
Each event is correlated to an agent identified by user email or user ID, and entities (working directories, tools, MCP servers, models) are materialized automatically into your inventory.
Before you begin, ensure you have:
- Claude Cowork enabled for your organization
- A Capsule Security account with admin access
- Permission to set environment variables on developer machines (locally, via shell profile, or via MDM)
Log in to the Capsule Security portal
Navigate to Integrations and locate Claude Cowork
Click Install — Capsule generates an OTLP configuration containing:
- The OTLP HTTP/JSON endpoint URL scoped to your tenant
- A bearer token (JWT) embedding your tenant, environment, and platform IDs
- The transport protocol (
http/json)
The token is valid for 365 days and binds telemetry to a single environment in your tenant. Treat it as a secret.
Copy the three values shown in the portal:
endpoint— e.g.https://otel.capsule.security/v1/claude-cowork/otel/v1/logsprotocol—http/jsonauthorizationHeader—Bearer <jwt>
Claude reads OTEL configuration from standard OpenTelemetry environment variables. Set the following on each machine running Claude:
| Variable | Value |
|---|---|
CLAUDE_CODE_ENABLE_TELEMETRY | 1 |
OTEL_LOGS_EXPORTER | otlp |
OTEL_EXPORTER_OTLP_PROTOCOL | http/json |
OTEL_EXPORTER_OTLP_ENDPOINT | The endpoint from Step 1 (without the /v1/logs suffix if your client appends it; otherwise paste the full URL) |
OTEL_EXPORTER_OTLP_HEADERS | Authorization=Bearer <jwt> |
Note: Claude exports OTLP logs to the path
/v1/logsrelative toOTEL_EXPORTER_OTLP_ENDPOINT. The Capsule endpoint already includes the full path — setOTEL_EXPORTER_OTLP_ENDPOINTto the exact URL Capsule provided.
Add the variables to your shell profile (~/.zshrc, ~/.bashrc, or equivalent):
export CLAUDE_CODE_ENABLE_TELEMETRY=1
export OTEL_LOGS_EXPORTER=otlp
export OTEL_EXPORTER_OTLP_PROTOCOL=http/json
export OTEL_EXPORTER_OTLP_ENDPOINT="https://otel.capsule.security/v1/claude-cowork/otel/v1/logs"
export OTEL_EXPORTER_OTLP_HEADERS="Authorization=Bearer eyJhbGciOiJIUzI1NiIs..."Reload your shell (source ~/.zshrc) and restart Claude.
For organization-wide deployment, distribute the environment variables via your MDM solution:
| Platform | Recommended Mechanism |
|---|---|
| macOS | Configuration Profile setting EnvironmentVariables, or launchctl setenv via Jamf/Kandji preinstall script |
| Linux | /etc/environment or /etc/profile.d/claude-otel.sh deployed via Ansible / Salt / Intune |
| Windows | Group Policy → User Configuration → Preferences → Windows Settings → Environment, or Intune Configuration Profile |
Refer to the Jamf Pro, Kandji, Intune, SCCM, and Tanium guides for platform-specific deployment patterns.
Security: The bearer token grants write access to your Capsule telemetry endpoint. Distribute it via your MDM's secure variable mechanism, never commit it to version control, and rotate it from the Capsule portal if it is exposed.
For the OTEL exporter to pick up the new configuration:
- Exit Claude
- Open a new shell session (so the updated environment variables are loaded)
- Start Claude
Run a simple prompt in Claude to generate activity, for example:
List the files in the current directory.Log in to the Capsule Security portal
Navigate to Inventory > Agents and confirm a new agent appears named
Cowork/<username>(derived from the user's email)Click the agent to review:
- Audit logs — user prompts, tool invocations, API requests, errors, session lifecycle
- Entities — working directories, tools, MCP servers, models
- Owner — mapped from the OTEL
user.emailattribute
To inspect full conversations, navigate to Observability and filter by Activity Type — Session
| Resource | How It's Created |
|---|---|
| Agent | One per unique user.email (or user.id), named Cowork/<email-prefix> |
| Owner (User) | Mapped from user.email — appears in the agent's Owner column |
| Working Directory entities | One per path in workspace.host_paths |
| Tool entities | One per built-in tool used (Bash, Read, Edit, etc.) |
| MCP Tool entities | One per <mcp_server_name>:<mcp_tool_name> combination, tagged with protocol MCP |
| Model entities | One per Claude model invoked (e.g., claude-opus-4-7) |
If events are not appearing in Capsule:
Confirm telemetry is enabled —
CLAUDE_CODE_ENABLE_TELEMETRY=1must be set in the same shell environment Claude runs in. Runecho $CLAUDE_CODE_ENABLE_TELEMETRYin the terminal where Claude is launched.Verify the endpoint and headers —
echo $OTEL_EXPORTER_OTLP_ENDPOINTandecho $OTEL_EXPORTER_OTLP_HEADERSshould match the values from the Capsule portal exactly.Check network connectivity — from the developer machine, the OTEL endpoint must be reachable:
curl -i -X POST "$OTEL_EXPORTER_OTLP_ENDPOINT" \ -H "Content-Type: application/json" \ -H "$OTEL_EXPORTER_OTLP_HEADERS" \ -d '{"resourceLogs":[]}'A
200or204response confirms the token is valid. A401indicates the token is malformed or expired — regenerate it from the portal.Confirm the user has an email — agent identity is derived from
user.email. If onlyuser.idis present in the OTEL attributes, the agent is still created but the Owner column will show the raw ID.Inspect Claude's exporter logs — set
OTEL_LOG_LEVEL=debugand look for OTLP export errors in Claude's stderr.Contact Capsule Security support if the issue persists.
- The bearer token is a long-lived JWT (365 days). Store it in a secret manager and distribute via MDM-protected channels.
- Each token is scoped to a single tenant + environment. Compromising one token does not affect other environments.
- To rotate the token, uninstall and reinstall the integration from the Capsule portal — this issues a new token; the old token continues to work until manually revoked.
- The OTLP endpoint accepts only POST requests with a valid
Authorization: Bearer <token>header. Unauthenticated requests are rejected with401.
For help with this integration:
- Email: support@capsule.security
- Include: Your tenant ID, the integration's environment external ID (visible in the portal), and any error messages from Claude's exporter logs