Amazon Bedrock
June 24, 2026 ยท View on GitHub
To use this library with Amazon Bedrock's OpenAI-compatible API, configure the standard OpenAI client with the Bedrock provider:
import OpenAI from 'openai';
import { bedrock } from 'openai/providers/bedrock/aws';
const client = new OpenAI({
provider: bedrock({ region: 'us-west-2' }),
});
const response = await client.responses.create({
model: 'openai.gpt-5.4',
input: 'Say hello!',
});
console.log(response.output_text);
Use a model that supports the Responses API. A model returned by the Models API may support a different Bedrock inference API instead.
The provider uses the regional https://bedrock-mantle.<region>.api.aws/openai/v1 endpoint and the normal SDK resources. AWS controls which endpoints and features are supported; unsupported calls surface the provider's normal HTTP errors through the SDK.
The region defaults to AWS_REGION or AWS_DEFAULT_REGION. Pass baseURL or set AWS_BEDROCK_BASE_URL to override the derived endpoint:
const client = new OpenAI({
provider: bedrock({
region: 'us-west-2',
baseURL: 'https://bedrock.example.com/openai/v1',
}),
});
Authentication
The AWS entrypoint selects authentication in this order:
- One explicit mode passed to
bedrock(...):apiKeyortokenProvider, static AWS credentials,profile, orcredentialProvider. - The Amazon Bedrock API key in
AWS_BEARER_TOKEN_BEDROCK. - The default AWS credential chain.
Explicit bearer and AWS credential modes are mutually exclusive. Similarly, configure only one AWS credential mode at a time.
Bearer authentication
Pass a Bedrock API key directly, set AWS_BEARER_TOKEN_BEDROCK, or use tokenProvider to resolve a fresh token before every request attempt:
const client = new OpenAI({
provider: bedrock({
region: 'us-west-2',
apiKey: process.env['BEDROCK_API_KEY'],
}),
});
For a refreshable bearer credential:
const client = new OpenAI({
provider: bedrock({
region: 'us-west-2',
tokenProvider: async () => refreshBedrockToken(),
}),
});
Bearer authentication does not require any additional dependencies when imported from the dependency-free entrypoint:
import { bedrock } from 'openai/providers/bedrock';
const client = new OpenAI({
provider: bedrock({
region: 'us-west-2',
apiKey: process.env['AWS_BEARER_TOKEN_BEDROCK'],
}),
});
The dependency-free entrypoint supports only apiKey, tokenProvider, and AWS_BEARER_TOKEN_BEDROCK. Use the AWS entrypoint for SigV4 authentication.
AWS credentials and SigV4
Install the AWS entrypoint's peer dependencies to sign requests with SigV4:
npm install @aws-sdk/credential-provider-node @smithy/hash-node @smithy/signature-v4
The AWS entrypoint uses normal static imports so Vite, Webpack, and serverless packagers can include these dependencies. If one is missing, importing openai/providers/bedrock/aws fails immediately with the runtime's normal module-not-found error, for example:
Cannot find module '@aws-sdk/credential-provider-node'
Import the AWS entrypoint, then omit explicit authentication to use the default AWS credential chain or select a shared-config profile:
import { bedrock } from 'openai/providers/bedrock/aws';
const client = new OpenAI({
provider: bedrock({
region: 'us-west-2',
profile: 'my-profile',
}),
});
Pass temporary AWS credentials directly, including the session token:
const client = new OpenAI({
provider: bedrock({
region: 'us-west-2',
accessKeyId: process.env['AWS_ACCESS_KEY_ID'],
secretAccessKey: process.env['AWS_SECRET_ACCESS_KEY'],
sessionToken: process.env['AWS_SESSION_TOKEN'],
}),
});
For credentials that can change, pass a provider. It is called before every request attempt, including retries:
const client = new OpenAI({
provider: bedrock({
region: 'us-west-2',
credentialProvider: async () => ({
accessKeyId: process.env['AWS_ACCESS_KEY_ID']!,
secretAccessKey: process.env['AWS_SECRET_ACCESS_KEY']!,
sessionToken: process.env['AWS_SESSION_TOKEN'],
}),
}),
});
SigV4 authentication is supported in Node.js and compatible server runtimes. Bearer authentication can be used in other runtimes without loading the AWS packages by importing from openai/providers/bedrock.
The SDK's current SigV4 mode requires a replayable, buffered body such as a string, ArrayBuffer, or typed-array view. The standard JSON API methods already meet this requirement. Custom FormData, readable streams, and other non-replayable request bodies are rejected before sending; response streaming is unaffected. Signed requests also do not automatically follow redirects, because the redirect target would require a new signature.
Bedrock Mantle also supports UNSIGNED-PAYLOAD and AWS-chunked request signing, but this SDK does not enable those modes. Mantle waits for the complete request body before authentication and authorization, so streaming a request body does not reduce request latency.
Legacy BedrockOpenAI class
The BedrockOpenAI class remains available for existing bearer-authenticated applications. It accepts the awsRegion and bedrockTokenProvider option names and uses the same /openai/v1 endpoint as the provider:
import { BedrockOpenAI } from 'openai';
const client = new BedrockOpenAI({
awsRegion: 'us-west-2',
apiKey: process.env['AWS_BEARER_TOKEN_BEDROCK'],
});
New applications using AWS credentials should prefer new OpenAI({ provider: bedrock(...) }) with the openai/providers/bedrock/aws entrypoint.