[BUG] Claude Code hits error 403 when using AWS Bedrock API key
Resolved 💬 1 comment Opened Apr 8, 2026 by CroxxN Closed Apr 8, 2026
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Claude Code 2.1.94 fails against Amazon Bedrock when authentication is provided via AWS_BEARER_TOKEN_BEDROCK.
The request is sent to the correct Bedrock runtime endpoint, but the outgoing request does not include the Authorization: Bearer ... header. Bedrock then returns:
403 {"Message":"Authorization header is missing"}
What Should Happen?
When AWS_BEARER_TOKEN_BEDROCK is set, Claude Code should send:
Authorization: Bearer <token>
to the Bedrock runtime endpoint.
Error Messages/Logs
[API:request] Creating client, ANTHROPIC_CUSTOM_HEADERS present: false, has Authorization header: false
[API REQUEST] /model/us.anthropic.claude-haiku-4-5-20251001-v1:0/invoke-with-response-stream source=sdk
API error (attempt 1/11): 403 403 {"Message":"Authorization header is missing"}
Steps to Reproduce
export CLAUDE_CODE_USE_BEDROCK=1
export AWS_BEARER_TOKEN_BEDROCK='<valid token>'
Reproduction
1. Set relevant environment variables
export CLAUDE_CODE_USE_BEDROCK=1
export AWS_BEARER_TOKEN_BEDROCK='<valid token>'
2. Confirm Claude is using Bedrock
claude auth status --json
Observed result:
{
"loggedIn": true,
"authMethod": "third_party",
"apiProvider": "bedrock"
}
2. Run Claude and send any prompt.
Claude Model
Opus
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
2.1.94
Platform
AWS Bedrock
Operating System
Other Linux
Terminal/Shell
Other
Additional Information
Static analysis of the 2.1.94 packed binary suggests the Bedrock bearer-token branch is internally inconsistent:
- In the Bedrock client factory, when
AWS_BEARER_TOKEN_BEDROCKis present, Claude constructs the Bedrock client with both:
skipAuth: truedefaultHeaders.Authorization = Bearer <token>
- In the embedded
AnthropicBedrockclient,prepareRequest()contains logic equivalent to:
if (this.skipAuth) {
H.headers.delete("Authorization");
return;
}
- In the base client request flow, headers are built first and
prepareRequest()runs after that.
The net effect is:
- Claude adds the bearer token to headers
prepareRequest()then deletesAuthorization- the request is sent without auth
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗