feat: add AWS Bedrock provider support alongside Anthropic #159
Open: crystalin wants to merge 13 commits into main from feature/bedrock-support
Added multi-provider support to allow using both Anthropic's direct API
and AWS Bedrock for accessing Claude models.
**Database Changes:**
- Renamed `anthropic_credentials` table to `credentials`
- Added `provider` column ('anthropic' | 'bedrock')
- Added AWS Bedrock columns: `aws_api_key`, `aws_region`
- Made OAuth columns nullable (only needed for Anthropic)
- Added validation constraints for provider-specific fields
**Type System:**
- Created discriminated union types for credentials
- `Credential` = `AnthropicCredential | BedrockCredential`
- Separate safe types that exclude sensitive data
- Provider-specific create request types
**Proxy Service:**
- Created `BedrockApiClient` with model ID mapping
- Updated `AuthenticationService` to handle both providers
- Modified `ProxyService` to route based on provider type
- Bedrock requests include `anthropic_version: 'bedrock-2023-05-31'`
**Model Mapping:**
- Maps Anthropic model IDs to Bedrock model IDs
- Supports both streaming and non-streaming requests
- Allows pass-through of Bedrock-specific model IDs
**Dashboard UI:**
- Updated credentials page with provider badges (🔵 Anthropic / 🟠 Bedrock)
- Provider-specific details display (OAuth expiry vs AWS region)
- Instructions for both login scripts
**Scripts:**
- `bedrock-login.ts`: Interactive CLI for adding Bedrock credentials
- Updated `oauth-login.ts` to use new function names
**Migration:**
- `017-multi-provider-support.ts`: Idempotent schema migration
- Supports rollback with `down` migration
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
- Add Claude Haiku 4.5 (October 2025 release)
- Add Claude Opus 4.1 (August 2025 release)
- Add core model ID mappings (claude-haiku-4-5, claude-sonnet-4-5, claude-opus-4-1)
- Add dated snapshot mappings for precise version control
- Update timestamp comment to November 2025
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
- Remove deprecated createCredential function (not used anywhere)
- Remove CreateCredentialRequest type (no longer needed)
- Use createAnthropicCredential and createBedrockCredential directly
- Clean up imports in credential-queries.ts
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
- Add ADR-030: Multi-Provider Support for Claude API Access
- Update scripts/README.md with bedrock-login.ts documentation
- Update IMPLEMENTATION_GUIDE.md to use createAnthropicCredential
- Document Bedrock provider setup and prerequisites
- Reference multi-provider architecture and model mapping
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
- Show first 3 and last 4 chars for Bearer tokens (e.g., "Bearer cnp...kZwU")
- Show first 10 and last 4 chars for API keys (e.g., "sk-ant-api...AbCd")
- Show first 3 and last 4 chars for other sensitive values
- Better debugging while maintaining security
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
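The masking rules listed in the commit message above, as an added TypeScript example that is not the PR's code. The function names, the `MIN_HIDDEN` threshold, the `sk-ant-` prefix test and the sample values are assumptions; the threshold covers the case the rules leave open, where a short secret would be mostly revealed by its own preview.

```typescript
// Added example; names, MIN_HIDDEN and the "sk-ant-" prefix test are assumptions.
const MIN_HIDDEN = 8; // print a preview only if at least this many chars stay hidden

function preview(secret: string, head: number, tail: number): string {
  // A short secret would be mostly or fully exposed by head + tail, so hide it whole.
  if (secret.length < head + tail + MIN_HIDDEN) return "****";
  return `${secret.slice(0, head)}...${secret.slice(-tail)}`;
}

function maskSensitive(value: string): string {
  const bearer = /^Bearer\s+(.+)$/i.exec(value);
  if (bearer) return `Bearer ${preview(bearer[1] ?? "", 3, 4)}`; // first 3, last 4
  if (value.startsWith("sk-ant-")) return preview(value, 10, 4); // first 10, last 4
  return preview(value, 3, 4); // any other sensitive value
}

// Header names are case-insensitive, so compare them lowercased.
const SENSITIVE_HEADERS = new Set(["authorization", "x-api-key"]);

// Returns a copy that is safe to log; the input object is left unchanged.
function maskHeaders(headers: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? maskSensitive(value) : value;
  }
  return out;
}
```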
- Log API key verification results with token preview
- Log project ID context setting in client auth
- Log project ID extractor decision making
- Show whether projectId was set by auth or header
- Help diagnose why fallback is being used
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
- AWS Bedrock long-term API keys require Authorization header
- Add detailed error logging for Bedrock API responses
- Log URL, status, error body, and response headers
- Helps diagnose authentication and API issues
Fixes 403 "Authorization header is missing" error
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
- Use x-api-key header for Bedrock authentication (not Authorization)
- Build Bedrock-specific headers directly instead of using createHeaders()
- Prevents client's Authorization header from being forwarded to Bedrock
- Add detailed request logging for debugging
Fixes: 403 "Authorization header must begin with algorithm name" error
The issue was that the client's Authorization header (Bearer token for proxy) was being forwarded to Bedrock, which interpreted it as a malformed SigV4 signature. Bedrock requires only the x-api-key header.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
- Blacklist only: authorization, host, content-length
- Pass through all other headers (anthropic-beta, user-agent, etc.)
- Preserves important client headers while removing proxy-specific ones
- More maintainable than whitelist approach
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
Extract raw request headers from Hono context and pass them to BedrockApiClient. Headers are filtered through a blacklist (removes authorization, host, content-length, connection) to prevent conflicts while preserving important headers like anthropic-beta, user-agent, and x-stainless-*.
This ensures Bedrock requests include all necessary client headers for proper API functionality.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
Bedrock API does not accept 'stream' or 'model' fields in the request body:
- Model ID is specified in the URL path
- Streaming mode is determined by endpoint suffix (/invoke vs /invoke-with-response-stream)
Also removed excessive debug logging from:
- client-auth.ts: Removed API key verification debug logs
- project-id-extractor.ts: Removed project ID checking debug logs
- BedrockApiClient.ts: Removed request details debug log
Updated ADR-030 to document this Bedrock API requirement.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
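How the last four commit messages fit together when the upstream request is built, as an added TypeScript example that is not the PR's code. The header names, the denylist and the body fields follow the commit messages; the type and function names, the region check, the endpoint host pattern and all sample values are assumptions.

```typescript
// Added example, not the PR's code. Type and function names and the endpoint
// host pattern are assumptions; header and field names come from the commits.
type HeaderMap = Record<string, string>;

// Denylist from the commits above: never forwarded from the client to Bedrock.
const BLOCKED = new Set(["authorization", "host", "content-length", "connection"]);

function filterClientHeaders(client: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const [name, value] of Object.entries(client)) {
    const key = name.toLowerCase(); // header names are case-insensitive
    if (!BLOCKED.has(key)) out[key] = value;
  }
  return out;
}

function buildBedrockRequest(
  clientHeaders: HeaderMap,
  clientBody: Record<string, unknown>,
  cred: { awsApiKey: string; awsRegion: string },
  bedrockModelId: string, // already mapped, or passed through from the client
): { url: string; headers: HeaderMap; body: string } {
  if (!/^[a-z0-9-]+$/.test(cred.awsRegion)) throw new Error("invalid AWS region");
  // 'model' and 'stream' are not accepted in the body: the model goes in the
  // URL path and the endpoint suffix selects streaming.
  const payload: Record<string, unknown> = { ...clientBody };
  const suffix = payload["stream"] === true ? "invoke-with-response-stream" : "invoke";
  delete payload["model"];
  delete payload["stream"];
  payload["anthropic_version"] = "bedrock-2023-05-31";
  const headers: HeaderMap = {
    ...filterClientHeaders(clientHeaders),
    "content-type": "application/json",
    // Written last so a client-supplied x-api-key cannot replace the stored key.
    "x-api-key": cred.awsApiKey,
  };
  // Pass-through model IDs are client input: encode them as one path segment.
  const path = `/model/${encodeURIComponent(bedrockModelId)}/${suffix}`;
  return {
    url: `https://bedrock-runtime.${cred.awsRegion}.amazonaws.com${path}`,
    headers,
    body: JSON.stringify(payload),
  };
}
```

Because the filter is a denylist, any header it does not name reaches Bedrock unchanged, so the stored credential header is written after the spread rather than before it.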
Summary
Adds multi-provider support to the proxy, enabling users to access Claude models through either Anthropic's direct API or AWS Bedrock. Projects can now configure credentials for either provider, and the proxy automatically routes requests based on the credential type.
Key Changes
Database Schema
- `anthropic_credentials` → `credentials` table
- `provider` enum column ('anthropic' | 'bedrock')
- `aws_api_key`, `aws_region`
Type System
- `Credential` = `AnthropicCredential | BedrockCredential`
Proxy Implementation
- `anthropic_version: 'bedrock-2023-05-31'`
Model Mapping
Dashboard UI
Scripts
- `bedrock-login.ts`: Interactive CLI for adding Bedrock credentials
- `oauth-login.ts` to use new function names
Migration
- `017-multi-provider-support.ts`: Idempotent schema migration
- `up` and `down` migrations for rollback support
Testing
Usage
Adding Bedrock Credentials
Adding Anthropic Credentials
Running Migration
Breaking Changes
None. Existing Anthropic credentials are automatically migrated and continue to work.
🤖 Generated with Claude Code