[FEATURE] ExpiredTokenException (403) from AWS Bedrock should fast-fail instead of retrying

Resolved 💬 2 comments Opened Feb 24, 2026 by sarahzuck Closed Mar 24, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

When using Claude Code with AWS Bedrock and temporary STS credentials (e.g., via AWS SSO), expired tokens cause the client to retry up to 10 times with exponential backoff (~2.5 minutes) before surfacing the error. Expired tokens will never self-heal via retry, so this wastes time and delays the user from taking action.

Current behavior

  1. AWS STS credentials expire mid-session
  2. Next API call returns HTTP 403 with ExpiredTokenException: "The security token included in the request is expired"
  3. Client retries 10 times with exponential backoff (delays escalating from ~500ms to ~40s)
  4. After ~2.5 minutes, surfaces: API Error: 403 The security token included in the request is expired · Please run /login
  5. If the user sends another message before refreshing creds externally, the cycle repeats

Expected behavior

  1. Client recognizes ExpiredTokenException as non-retryable
  2. Immediately surfaces a clear error: e.g., "AWS credentials expired — re-authenticate and retry"
  3. No retry loop for this specific error class

Details

  • Auth setup: AWS SSO → STS temporary credentials written to ~/.aws/credentials
  • Error source: ExpiredTokenException:http://internal.amazon.com/coral/com.amazon.coral.service/
  • Observed in: Two separate incidents across a multi-day session. Both times the session recovered after the user refreshed credentials externally, but each incident wasted ~2.5 minutes on futile retries.
  • The existing OAuth token check ([DEBUG] [API:auth] OAuth token check complete) passes fine — it doesn't catch the underlying Bedrock credential expiration.

Proposed Solution

Suggestion

  • Treat ExpiredTokenException (and possibly other AWS auth errors like AccessDeniedException) as non-retryable 403s
  • Optionally: support a configurable credential refresh command (similar to apiKeyHelper) for Bedrock auth that could be triggered on credential expiration

Alternative Solutions

_No response_

Priority

Low - Nice to have

Feature Category

Configuration and settings

Use Case Example

_No response_

Additional Context

_No response_

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗