[BUG] Bedrock "Session token not found or invalid" on interactive requests despite valid, confirmed-working credentials

Open 💬 9 comments Opened Jul 11, 2026 by PhamQuangBach

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Bug Report: Bedrock "Session token not found or invalid" on interactive requests despite valid, confirmed-working credentials

Environment

  • Claude Code version: 2.1.207
  • OS: Ubuntu 26.04 on WSL2 (Windows)
  • AWS CLI version: 2.35.1
  • Installed via: curl -fsSL https://claude.ai/install.sh | bash
  • Auth method: AWS SSO (also reproduced with static IAM credentials — see below)
  • Region: eu-central-1
  • Model: eu.anthropic.claude-sonnet-4-6

What's Wrong

Every interactive request in Claude Code fails immediately with:
"API Error: UnauthorizedException: Session token not found or invalid"

This happens on every prompt, every session, regardless of restart, model pinning, or reinstall — despite credentials being fully valid and independently confirmed to work for the same model, region, and account.

What I've Ruled Out

  • No conflicting AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN env vars (env | grep -i AWS_ clean, only AWS_PROFILE set)
  • ~/.aws/config SSO profile correctly configured, aws sso login succeeds
  • aws sts get-caller-identity succeeds and returns the expected role/user
  • Claude Code's own setup wizard ("choose different models") successfully test-invokes the same model (eu.anthropic.claude-sonnet-4-6) with a one-token request
  • Raw aws bedrock-runtime invoke-model succeeds with the same SSO credentials, same model, same region — full response returned
  • Raw aws bedrock-runtime invoke-model also succeeds with static IAM credentials (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, no session token) — ruling out session-token-specific handling as the cause
  • Claude Code fails identically with static IAM credentials as with SSO — same error, same behavior
  • Fresh reinstall via the official installer (curl -fsSL https://claude.ai/install.sh | bash -s -- --force) — same failure persists
  • System clock synchronized, NTP active (timedatectl status confirms)
  • Claude Code auto-update: confirmed same version installed as a coworker who does not reproduce this bug
  • Confirmed AWS_REGION was explicitly exported before testing (per a comment on #54083 suggesting this as a fix for a similar issue) — did not resolve the problem in this case.

Comparison with a non-repro coworker (same team, same AWS account/org)

| | Me (repro) | Coworker (no repro) |
|---|---|---|
| Claude Code version | 2.1.207 | 2.1.207 |
| AWS CLI version | 2.35.1 | 2.34.46 |
| Ubuntu version (WSL2) | 26.04 | 24.04 |
| Region | eu-central-1 | eu-central-1 |
| Auth method | SSO | SSO |

The Ubuntu version difference (26.04 vs 24.04 LTS) is the most notable remaining variable — 26.04 ships newer OpenSSL/glibc that Claude Code's bundled Node.js binary links against at runtime, which could plausibly affect low-level request signing behavior in a way that wouldn't show up in the separately-bundled system AWS CLI.

Timeline

  • Was working normally as of ~3 hours before the first occurrence
  • WSL2 crashed once before the error first appeared (noting this as context only — clock was confirmed synced afterward, so this may be coincidental rather than causative)

What Should Happen?

Claude Code should successfully authenticate and dispatch requests to Bedrock using the same credentials that are independently confirmed to work via the AWS CLI and Claude Code's own setup wizard.

Error Messages/Logs

2026-07-11T15:07:48.034Z [DEBUG] attribution header x-anthropic-billing-header: cc_version=2.1.207.19f; cc_entrypoint=cli;
2026-07-11T15:07:48.063Z [DEBUG] [API:timing] dispatching to bedrock model=eu.anthropic.claude-haiku-4-5-20251001-v1:0
2026-07-11T15:07:48.068Z [DEBUG] [API:auth] resolving default AWS provider chain (region: eu-central-1)
2026-07-11T15:07:48.270Z [ERROR] API error (attempt 1/11): UnauthorizedException: Session token not found or invalid
2026-07-11T15:07:48.807Z [DEBUG] [API:auth] AWS credential resolve start
2026-07-11T15:07:48.807Z [DEBUG] Fetching AWS caller identity for AWS auth refresh command
2026-07-11T15:07:49.859Z [DEBUG] Fetched AWS caller identity, skipping AWS auth refresh command
2026-07-11T15:07:49.860Z [DEBUG] [API:auth] AWS credential resolve done in 1052ms
2026-07-11T15:07:49.861Z [DEBUG] [API:timing] dispatching to bedrock model=eu.anthropic.claude-haiku-4-5-20251001-v1:0
2026-07-11T15:07:49.864Z [DEBUG] [API:auth] resolving default AWS provider chain (region: eu-central-1)
2026-07-11T15:07:49.916Z [ERROR] API error (attempt 2/11): UnauthorizedException: Session token not found or invalid
2026-07-11T15:07:51.022Z [DEBUG] [API:auth] AWS credential resolve start
2026-07-11T15:07:51.022Z [DEBUG] Fetching AWS caller identity for AWS auth refresh command
2026-07-11T15:07:52.042Z [DEBUG] Fetched AWS caller identity, skipping AWS auth refresh command
2026-07-11T15:07:52.042Z [DEBUG] [API:auth] AWS credential resolve done in 1019ms
2026-07-11T15:07:52.042Z [DEBUG] [API:timing] dispatching to bedrock model=eu.anthropic.claude-haiku-4-5-20251001-v1:0
2026-07-11T15:07:52.044Z [DEBUG] [API:auth] resolving default AWS provider chain (region: eu-central-1)
2026-07-11T15:07:52.217Z [ERROR] API error (attempt 3/11): UnauthorizedException: Session token not found or invalid
2026-07-11T15:07:52.227Z [ERROR] Error in API request: UnauthorizedException: Session token not found or invalid
2026-07-11T15:07:52.236Z [DEBUG] [shoji-engine] turn 1 end (turns=1 usage in=0 out=0 cost=$0.0000 api=0ms stop=stop_sequence resultLen=0)
2026-07-11T15:07:52.237Z [ERROR] [shoji] turn ended in error: API Error: UnauthorizedException: Session token not found or invalid

Steps to Reproduce

Steps to Reproduce

  1. Set up AWS SSO authentication for Amazon Bedrock in ~/.aws/config:

[sso-session my-sso]
sso_start_url = https://******.awsapps.com/start
sso_region = eu-north-1
sso_registration_scopes = scope

[profile my-profile]
sso_session = session
sso_account_id = my-id
sso_role_name = my-role
region = eu-central-1
output = json

  1. Authenticate:

export AWS_PROFILE=my-profile
aws sso login --profile my-profile

  1. Confirm credentials resolve correctly outside Claude Code:

aws sts get-caller-identity --profile my-profile
→ Returns valid identity.

  1. Confirm the same credentials work directly against Bedrock:

aws bedrock-runtime invoke-model
--model-id eu.anthropic.claude-sonnet-4-6
--body '{"anthropic_version":"bedrock-2023-05-31","max_tokens":10,"messages":[{"role":"user","content":"hi"}]}'
--region eu-central-1
--profile my-profile
--cli-binary-format raw-in-base64-out
output.txt
→ Returns a valid model response.

  1. Launch Claude Code with Bedrock enabled:

export CLAUDE_CODE_USE_BEDROCK=1
claude

  1. Use the setup wizard to select/pin the model (eu.anthropic.claude-sonnet-4-6) — the wizard's own one-token test call succeeds.
  2. Send any prompt in the resulting interactive session.

Actual Behavior

Step 7 fails immediately with:
API Error: UnauthorizedException: Session token not found or invalid
This happens on every prompt, every session — even immediately after the successful wizard test in step 6, with no configuration changes in between.

Expected Behavior

The interactive session should authenticate successfully, using the same credentials that steps 3, 4, and 6 already confirm are valid.

Claude Model

Not sure / Multiple models

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.207 (Claude Code)

Platform

AWS Bedrock

Operating System

Windows

Terminal/Shell

WSL (Windows Subsystem for Linux)

Additional Information

  • This may not be a true regression: Claude Code version is identical between my machine (repro) and a coworker's (no repro), suggesting the trigger is environment-specific (see Ubuntu version comparison above) rather than a code change affecting all users on this version.
  • I cannot confirm what Claude Code version was running 3 hours prior when the setup was last working, since Claude Code auto-updates in the background and no local update history was available to check retroactively. It's possible an auto-update occurred around the time of the first failure, though this is unconfirmed.
  • Willing to test further if maintainers have specific diagnostics they'd like run (e.g. testing on Ubuntu 24.04 in a fresh WSL distro to directly confirm the OS-version hypothesis, testing with an older/pinned AWS SDK if that's configurable, etc.)

View original on GitHub ↗

This issue has 9 comments on GitHub. Read the full discussion on GitHub ↗