For most of their short history, AI agents have been something you sit and watch. You open a session, give the agent a task, and stay at the keyboard to approve commands and review output. That works for one-off jobs, but it falls apart for the kind of recurring, unglamorous work that fills an IT or operations queue: the nightly sync, the weekly compliance scan, the morning digest that nobody wants to assemble by hand.
In 2026 Anthropic closed that gap from two directions. Claude Managed Agents can now run on a cron schedule and securely reach CLI tools and other authenticated services, and Claude Code Routines brought scheduled, event-driven automation to engineering workflows. Both let an agent fire on its own, do its job, and stop — no scheduler for you to build or babysit. This guide explains what each one is, who can use it, and how to wire up a recurring job without handing your API keys to a robot that runs while you sleep.
What "scheduled agents" actually means
There are now two distinct hosted surfaces, and it's worth keeping them straight because they target different jobs.
Managed Agents live on the Claude Platform (the Claude Console). They are general-purpose hosted agents that Anthropic runs for you. A scheduled deployment attaches a cron schedule to an agent; each time the schedule fires, the agent starts a new session, completes its task, and exits. There is nothing for you to host. Once a deployment is live you can pause, resume, or archive it, or trigger an extra run on demand.
Claude Code Routines are cloud-hosted Claude Code jobs aimed at software work. You configure a routine once — a prompt, a repository, and any connectors — and it runs on Anthropic's infrastructure rather than your laptop. Routines can fire three ways: on a schedule, via an API call, or in response to a GitHub event.
A simple way to remember it: Managed Agents are for operational and back-office automation on the Platform; Routines are for engineering automation tied to a repo. Both run in the cloud, so they don't care whether your machine is on.
Why it matters for IT and ops teams
The value here is set-and-forget automation that you don't have to maintain. Traditionally, "run this job every night" meant standing up a cron host, a CI pipeline, or a serverless function — plus the glue code, the secrets management, and the on-call burden when it breaks. A scheduled agent collapses that into a prompt and a schedule.
That changes the economics of small automations. Jobs that were never worth a dedicated pipeline — a weekly review of expiring certificates, a daily summary of new tickets, a monthly license-usage report — become a five-minute setup. And because the agent reasons rather than just executes a fixed script, it can handle the messy parts: reading an alert payload, finding the owning service, drafting a sensible first step.
Who can use it, and where
The two surfaces have different availability.
| Managed Agents (scheduled) | Claude Code Routines | |
|---|---|---|
| Where it runs | Claude Platform (Console) | Claude Code cloud |
| Status | Public beta (~June 9, 2026) | Research preview (Apr 14, 2026) |
| Triggers | Cron schedule + on-demand runs | Schedule, API call, GitHub event |
| Auth to services | Vault env vars (placeholder model) | Connectors per task |
| Min interval | Cron-based | 1 hour (cloud) |
| Plans | Claude Platform / Console access | Pro, Max, Team, Enterprise |
Claude Code also has two local scheduling options worth knowing about, because they are easy to confuse with cloud routines:
- Desktop scheduled tasks run on your own machine and only fire while the Desktop app is open and the computer is awake. They have full access to local files and tools, with a minimum interval of one minute.
/loopis session-scoped polling that runs only during an open session.
If a job must run reliably without your machine, use a cloud routine or a Managed Agent. If it needs local files, use a Desktop task. For more on driving sessions remotely, see How to Use Claude Code From Your Phone.
How to set up a recurring job
The mechanics differ slightly between surfaces, but the shape is the same: write instructions, pick a schedule, grant access to whatever the agent needs.
For a Managed Agent, you create a scheduled deployment in the Claude Console, give it a cron expression, and attach a vault that holds the environment variables it needs. The agent runs headless on each fire.
For a Claude Code Routine, you create the routine from claude.ai/code or the Desktop Routines page, choose Cloud, set a cadence (hourly, nightly, weekly), point it at a repository, and add connectors for any external services. Existing /schedule CLI tasks were migrated into routines automatically.
A concrete example of a scheduled routine prompt:
Every night at 2:00 AM:
1. Pull the highest-priority open bug from Linear.
2. Reproduce it, attempt a fix in a new branch.
3. Open a draft PR with the fix and a short summary.
4. Post the PR link to #eng-triage.
And an example Managed Agent deployment for an ops cadence:
Schedule: 0 7 * * 1 (Mondays at 07:00)
Task: Scan all production hosts for OS packages with known CVEs,
summarize new findings since last week, and email the report
to the security distribution list.
How agents reach authenticated services safely
This is the part that matters most for security teams, and it's where the design is genuinely thoughtful.
Managed Agents use vaults that store environment variables. You register an API key under a variable name and specify the domains it is allowed to reach. The CLIs installed in the agent's sandbox can then make authenticated calls — but here's the key detail: the agent never sees your key. The sandbox only holds a placeholder. The real credential is attached at the network boundary, and only on outbound requests to the domains you allowed.
Vault entry:
NAME: SENTRY_AUTH_TOKEN
VALUE: (stored encrypted, never exposed to the agent)
DOMAINS: sentry.io
In the sandbox the agent sees:
SENTRY_AUTH_TOKEN=<placeholder>
→ On a request to sentry.io, the real token is swapped in at the edge.
→ On a request to anywhere else, the placeholder goes nowhere useful.
This works with most CLIs that send their key in an HTTP request — the documented examples include the Browserbase, KERNEL, Notion, Ramp, and Sentry CLIs. Updates to a vaulted credential are picked up automatically by running sessions on their next call, so rotating a key doesn't mean redeploying.
Claude Code Routines reach external services through connectors configured per task, which keeps service auth out of the prompt and managed centrally rather than pasted into instructions.
Security considerations
A scheduled agent is, by definition, a credential holder that runs unattended. That deserves the same scrutiny you'd give any service account — arguably more, because it reasons about what to do rather than following a fixed script. The vault placeholder model is a strong control, but it isn't a substitute for good hygiene:
- Least privilege. Scope each vaulted key to the narrowest permission set the job needs. Prefer read-only tokens for scan-and-report jobs; reserve write access for routines that genuinely need it.
- Tight domain allowlists. The network boundary only protects you if the allowed-domains list is precise. Don't allow broad wildcards.
- Rotate and review. Set short rotation windows and review run history regularly. An unattended job that quietly fails — or quietly succeeds at the wrong thing — can run for weeks unnoticed.
- Watch autonomy. Cloud routines run without permission prompts. Keep destructive actions behind a review step (a draft PR rather than a direct merge, a report rather than an auto-remediation) until you trust the routine's judgment.
- Treat output as untrusted input. If a routine reads external data (alerts, tickets, web pages) and then acts, guard against prompt-injection in that data steering the agent toward your credentials.
If you're hardening Claude Code more broadly, the Claude Code security guidance plugin and our AI coding CLI best practices cover the surrounding workflow.
The bottom line
Scheduled agents turn Claude from something you operate into something that operates on your behalf. Managed Agents put cron-driven automation and secure credential handling on the Claude Platform for operational work, while Claude Code Routines bring schedules, API triggers, and GitHub events to engineering workflows. Both run in the cloud, so the laptop-on-your-desk constraint is gone.
For IT and ops teams, the practical win is that small recurring jobs no longer need a pipeline and a babysitter. The practical caution is that an unattended agent with credentials is a service account that thinks — so scope it tightly, allowlist its domains, keep destructive actions behind review, and check the run history. Start with one low-stakes, read-only job (a weekly scan, a daily digest), confirm it behaves, then expand from there.