[FEATURE] ExpiredTokenException (403) from AWS Bedrock should fast-fail instead of retrying
Resolved 💬 2 comments Opened Feb 24, 2026 by sarahzuck Closed Mar 24, 2026
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
When using Claude Code with AWS Bedrock and temporary STS credentials (e.g., via AWS SSO), expired tokens cause the client to retry up to 10 times with exponential backoff (~2.5 minutes) before surfacing the error. Expired tokens will never self-heal via retry, so this wastes time and delays the user from taking action.
Current behavior
- AWS STS credentials expire mid-session
- Next API call returns HTTP 403 with ExpiredTokenException: "The security token included in the request is expired"
- Client retries 10 times with exponential backoff (delays escalating from ~500ms to ~40s)
- After ~2.5 minutes, surfaces: API Error: 403 The security token included in the request is expired · Please run /login
- If the user sends another message before refreshing creds externally, the cycle repeats
Expected behavior
- Client recognizes ExpiredTokenException as non-retryable
- Immediately surfaces a clear error: e.g., "AWS credentials expired — re-authenticate and retry"
- No retry loop for this specific error class
Details
- Auth setup: AWS SSO → STS temporary credentials written to ~/.aws/credentials
- Error source: ExpiredTokenException:http://internal.amazon.com/coral/com.amazon.coral.service/
- Observed in: Two separate incidents across a multi-day session. Both times the session recovered after the user refreshed credentials externally, but each incident wasted ~2.5 minutes on futile retries.
- The existing OAuth token check ([DEBUG] [API:auth] OAuth token check complete) passes fine — it doesn't catch the underlying Bedrock credential expiration.
Proposed Solution
Suggestion
- Treat ExpiredTokenException (and possibly other AWS auth errors like AccessDeniedException) as non-retryable 403s
- Optionally: support a configurable credential refresh command (similar to apiKeyHelper) for Bedrock auth that could be triggered on credential expiration
Alternative Solutions
_No response_
Priority
Low - Nice to have
Feature Category
Configuration and settings
Use Case Example
_No response_
Additional Context
_No response_
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗