[BUG] Claude Code hits error 403 when using AWS Bedrock API key

Resolved 💬 1 comment Opened Apr 8, 2026 by CroxxN Closed Apr 8, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Claude Code 2.1.94 fails against Amazon Bedrock when authentication is provided via AWS_BEARER_TOKEN_BEDROCK.

The request is sent to the correct Bedrock runtime endpoint, but the outgoing request does not include the Authorization: Bearer ... header. Bedrock then returns:

403 {"Message":"Authorization header is missing"}

What Should Happen?

When AWS_BEARER_TOKEN_BEDROCK is set, Claude Code should send:

Authorization: Bearer <token>

to the Bedrock runtime endpoint.

Error Messages/Logs

[API:request] Creating client, ANTHROPIC_CUSTOM_HEADERS present: false, has Authorization header: false
[API REQUEST] /model/us.anthropic.claude-haiku-4-5-20251001-v1:0/invoke-with-response-stream source=sdk
API error (attempt 1/11): 403 403 {"Message":"Authorization header is missing"}

Steps to Reproduce

export CLAUDE_CODE_USE_BEDROCK=1
export AWS_BEARER_TOKEN_BEDROCK='<valid token>'

Reproduction

1. Set relevant environment variables

export CLAUDE_CODE_USE_BEDROCK=1
export AWS_BEARER_TOKEN_BEDROCK='<valid token>'

2. Confirm Claude is using Bedrock

claude auth status --json

Observed result:

{
  "loggedIn": true,
  "authMethod": "third_party",
  "apiProvider": "bedrock"
}

2. Run Claude and send any prompt.

Claude Model

Opus

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

2.1.94

Platform

AWS Bedrock

Operating System

Other Linux

Terminal/Shell

Other

Additional Information

Static analysis of the 2.1.94 packed binary suggests the Bedrock bearer-token branch is internally inconsistent:

  1. In the Bedrock client factory, when AWS_BEARER_TOKEN_BEDROCK is present, Claude constructs the Bedrock client with both:
  • skipAuth: true
  • defaultHeaders.Authorization = Bearer <token>
  1. In the embedded AnthropicBedrock client, prepareRequest() contains logic equivalent to:
if (this.skipAuth) {
  H.headers.delete("Authorization");
  return;
}
  1. In the base client request flow, headers are built first and prepareRequest() runs after that.

The net effect is:

  • Claude adds the bearer token to headers
  • prepareRequest() then deletes Authorization
  • the request is sent without auth

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗