2.1.94 regression: AWS_BEARER_TOKEN_BEDROCK auth header not sent to Bedrock

Resolved 💬 3 comments Opened Apr 8, 2026 by siemens-TAG Closed Apr 11, 2026

Description

AWS_BEARER_TOKEN_BEDROCK authentication is broken in Claude Code 2.1.94. The bearer token is not attached as an Authorization header when making requests to Amazon Bedrock. Version 2.1.92 works correctly with the same environment and configuration.

Environment

  • OS: macOS (Darwin 25.3.0, arm64)
  • Claude Code 2.1.94: broken
  • Claude Code 2.1.92: works
  • Auth method: AWS_BEARER_TOKEN_BEDROCK (Bedrock API key)
  • Provider: Amazon Bedrock (not Mantle)

Environment variables

CLAUDE_CODE_USE_BEDROCK=1
AWS_REGION=eu-west-1
AWS_BEARER_TOKEN_BEDROCK=<valid token>
ANTHROPIC_MODEL=eu.anthropic.claude-opus-4-6-v1

CLAUDE_CODE_USE_MANTLE is not set.

Steps to reproduce

  1. Set the environment variables above with a valid Bedrock API key
  2. Run claude (v2.1.94)
  3. Send any message
  4. All requests fail with 403 {"Message":"Authorization header is missing"}

Debug log evidence (2.1.94)

[DEBUG] [API:request] Creating client, ANTHROPIC_CUSTOM_HEADERS present: false, has Authorization header: false
[DEBUG] [API:auth] OAuth token check starting
[DEBUG] [API:auth] OAuth token check complete
[DEBUG] [API REQUEST] /model/eu.anthropic.claude-opus-4-6-v1/invoke-with-response-stream source=repl_main_thread
[ERROR] API error (attempt 1/11): 403 403 {"Message":"Authorization header is missing"}

The key line is has Authorization header: false — the client is not picking up AWS_BEARER_TOKEN_BEDROCK at all.

Verified via process inspection

Both 2.1.92 (working) and 2.1.94 (broken) were started from the same terminal session with identical environment variables. Confirmed via ps -E:

  • PID running 2.1.92: has Authorization header not logged (requests succeed)
  • PID running 2.1.94: has Authorization header: false (all requests fail with 403)

Additional observations

  • Setting ANTHROPIC_CUSTOM_HEADERS="Authorization: Bearer $AWS_BEARER_TOKEN_BEDROCK" makes the debug log show has Authorization header: true, but requests still return 403. This suggests the header format or signing may have changed.
  • The word "bedrock" does not appear anywhere in the 2.1.94 debug logs, suggesting the Bedrock credential path is not being activated.
  • No other environment changes between versions — same shell, same token, same region.

Workaround

Pin to version 2.1.92 by running the binary directly:

/path/to/.local/share/claude/versions/2.1.92

Or create a wrapper script earlier in PATH that points to 2.1.92.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗