[Feature]: Support Amazon Bedrock API Key (Bearer Token) Authentication

[NikhilGaddam]

Summary

This issue references and reopens the discussion from #2251, which was closed but remains an important feature request.

Currently, OpenClaw only supports Amazon Bedrock via the AWS SDK default credential chain (environment variables, shared config, instance roles). Users who have Bedrock API keys (bearer tokens) generated from the Amazon Bedrock console cannot use them directly.

This limits flexibility for users who:

• Prefer API key-based authentication over IAM credentials
• Work in environments where AWS SDK credential chain setup is complex
• Want a simpler onboarding experience similar to other AI providers

Proposed Solution

Add support for AWS_BEARER_TOKEN_BEDROCK environment variable as an authentication option for Amazon Bedrock, similar to how opencode implements it.

The authentication precedence should be:

1. Bearer Token - AWS_BEARER_TOKEN_BEDROCK environment variable (new)
2. AWS Credential Chain - Existing behavior (access keys, profiles, instance roles)

This would allow users to simply set:

AWS_BEARER_TOKEN_BEDROCK=xxx openclaw gateway

Why This Matters

Amazon Bedrock now offers API keys as a first-class authentication method through their console. Not supporting this creates friction for users who want to use OpenClaw with Bedrock in the simplest way possible.

Alternatives Considered

• OpenAI-compatible proxy: The current docs suggest placing an OpenAI-compatible proxy in front of Bedrock, but this adds complexity and another service to maintain.
• Stick with AWS SDK chain: Works but requires more setup (IAM users, roles, credentials files) compared to a simple API key.

Additional Context

• Original issue: [Feature]: Support Amazon Bedrock API Key (Bearer Token) Authentication #2251
• opencode implementation reference: https://github.com/anomalyco/opencode/blob/main/packages/web/src/content/docs/providers.mdx#amazon-bedrock
• Current OpenClaw Bedrock docs mention AWS_BEARER_TOKEN_BEDROCK in credential surfacing order but it doesn't appear to be fully implemented

Related Issues

Closes #2251 (when implemented)

[DavidXArnold]

PR ready for review: #45152

This adds support for AWS_BEARER_TOKEN_BEDROCK bearer token authentication for Amazon Bedrock, as described in this issue. The implementation includes:

• Bearer token resolution with precedence over AWS SDK signing
• Auth mode reporting consistency across resolveModelAuthMode and resolveApiKeyForProvider
• Provider alias normalization (bedrock, aws-bedrock, amazon-bedrock)
• Header canonicalization to prevent duplicate Authorization headers
• Scoped injection gated by resolved auth mode (respects explicit api-key/oauth/token overrides)
• Unit tests and an optional live smoke test (BEDROCK_LIVE_TEST=1)
• Documentation in docs/providers/bedrock.md

[sean-codevasp]

Really waiting for this... 🙏🙏

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[johnrobertcobbold]

This has been resolved in v2026.4.5. Bearer token auth via AWS_BEARER_TOKEN_BEDROCK is now supported, with automatic generation from IAM credentials as a bonus. Thanks @wirjo

[wirjo]

Resolved in v2026.4.5

This is now fully supported via the Amazon Bedrock Mantle provider shipped in v2026.4.5.

Two auth paths are available:

1. Manual API Key (Bearer Token from Console)

Set the token from the Bedrock console as an environment variable:

export AWS_BEARER_TOKEN_BEDROCK="your-token-from-console"

The Mantle provider auto-discovers available models and registers them.

2. Automatic IAM Auth (PR #61563)

If you have AWS credentials available (instance roles, SSO, access keys, EKS IRSA), the provider automatically generates bearer tokens using @aws/bedrock-token-generator — no manual token management needed.

What you get:

• OpenAI-compatible surface (chat completions format)
• Auto-discovery of all Mantle-available models (DeepSeek, Mistral, Qwen, GLM, etc.)
• Token caching with 1-hour refresh (tokens valid up to 12 hours)
• Zero config needed if AWS credentials are in the default chain

PRs: #61296 (Mantle provider), #61563 (IAM auth)

This should be closeable now.

[athewsey]

Has the addition of the Mantle provider really fully addressed this?

Some important Bedrock models - notably recent Claude versions - are not currently supported through the Mantle OpenAI-compatible endpoints. You need to use the Bedrock Converse/etc APIs.

If I'm understanding right, there's still no way to configure OpenClaw for API Key-based auth with those?

[wirjo]

Update on @athewsey's question — Mantle confirmed does not serve Claude models, so Bearer auth for Claude on Bedrock requires the Converse API path.

Tested on an EC2 instance: the Bedrock Converse API does accept Bearer tokens via the official bedrock:CallWithBearerToken IAM action. The endpoint recognises the auth format correctly (returns proper 403 for missing permission, not a format error).

Opened an upstream PR on pi-ai to add this support: badlogic/pi-mono#3125 — +34 lines, adds bearerToken option to BedrockOptions and AWS_BEARER_TOKEN_BEDROCK env var support. Once merged, OpenClaw can wire it through the existing Bedrock extension with minimal changes.

This would close the gap: users with a Bedrock API key (bearer token) can use Claude on Bedrock the same way ANTHROPIC_API_KEY works for direct Anthropic API.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.