wirjo 22085a9a17 feat(bedrock): support Bearer token auth for Converse API (#3125)
Adds bearer token authentication for the Bedrock Converse API, enabling
users to authenticate with an API key instead of SigV4/IAM credentials.

When a bearer token is available (via `options.bearerToken` or the
`AWS_BEARER_TOKEN_BEDROCK` env var), the provider:
1. Sets dummy credentials to prevent SDK credential resolution errors
2. Injects middleware after SigV4 signing that replaces the Authorization
   header with `Bearer <token>` and removes SigV4-specific headers

This uses the official `bedrock:CallWithBearerToken` IAM action, which
is a documented AWS feature for API key auth on Bedrock endpoints.

Use case: users who receive a Bedrock API key (bearer token) from the
AWS console or their admin, without having IAM access keys or instance
roles. Similar to how ANTHROPIC_API_KEY works for direct Anthropic API.

Required IAM permission on the token's identity:
  bedrock:CallWithBearerToken

Tested: Bearer token successfully authenticates against Bedrock Converse
API (returns correct 403 for missing IAM permission, not auth format error).
SigV4 path is unchanged when no bearer token is set.
2026-04-16 23:34:18 +02:00
2026-04-16 05:25:31 +00:00
2026-04-08 18:15:36 +02:00
2026-04-15 14:04:07 +02:00
2026-04-16 23:25:54 +02:00

pi logo

Discord Build status

pi.dev domain graciously donated by

Exy mascot
exe.dev

New issues and PRs from new contributors are auto-closed by default. Maintainers review auto-closed issues daily. See CONTRIBUTING.md.


Pi Monorepo

Looking for the pi coding agent? See packages/coding-agent for installation and usage.

Tools for building AI agents and managing LLM deployments.

Share your OSS coding agent sessions

If you use pi or other coding agents for open source work, please share your sessions.

Public OSS session data helps improve coding agents with real-world tasks, tool use, failures, and fixes instead of toy benchmarks.

For the full explanation, see this post on X.

To publish sessions, use badlogic/pi-share-hf. Read its README.md for setup instructions. All you need is a Hugging Face account, the Hugging Face CLI, and pi-share-hf.

You can also watch this video, where I show how I publish my pi-mono sessions.

I regularly publish my own pi-mono work sessions here:

Packages

Package Description
@mariozechner/pi-ai Unified multi-provider LLM API (OpenAI, Anthropic, Google, etc.)
@mariozechner/pi-agent-core Agent runtime with tool calling and state management
@mariozechner/pi-coding-agent Interactive coding agent CLI
@mariozechner/pi-mom Slack bot that delegates messages to the pi coding agent
@mariozechner/pi-tui Terminal UI library with differential rendering
@mariozechner/pi-web-ui Web components for AI chat interfaces
@mariozechner/pi-pods CLI for managing vLLM deployments on GPU pods

Contributing

See CONTRIBUTING.md for contribution guidelines and AGENTS.md for project-specific rules (for both humans and agents).

Development

npm install          # Install all dependencies
npm run build        # Build all packages
npm run check        # Lint, format, and type check
./test.sh            # Run tests (skips LLM-dependent tests without API keys)
./pi-test.sh         # Run pi from sources (can be run from any directory)

Note: npm run check requires npm run build to be run first. The web-ui package uses tsc which needs compiled .d.ts files from dependencies.

License

MIT

Description
sproutclaw - AI powered suite
Readme MIT 71 MiB
Languages
TypeScript 93.4%
JavaScript 5.7%
CSS 0.4%
Shell 0.3%
C 0.1%