A lightweight library for generating short-term bearer tokens for AWS Bedrock API authentication.
- ✅ Simple API: Async functions that generate bearer tokens
- ✅ Secure: Uses AWS SigV4 signing with configurable token expiration (up to 12 hours)
- ✅ AWS SDK Integration: Seamlessly works with AWS credential providers
- ✅ Lightweight: Minimal dependencies, focused functionality
- ✅ Well-tested: Comprehensive unit tests with multiple scenarios
- ✅ TypeScript: Full type definitions for better IDE experience
npm install @aws/bedrock-token-generatorimport { getTokenProvider } from "@aws/bedrock-token-generator";
// Create a token provider that uses default credentials and region providers.
// You can configure it to use other credential providers.
const provideToken = getTokenProvider();
async function example() {
const token = await provideToken();
// Use the token for API calls. The token has a default expiration of 12 hour.
// If the expiresInSeconds parameter is specified during token creation, the
// expiration can be configured up to a maximum of 12 hours. However, the actual
// token validity period will always be the minimum of the requested expiration
// time and the AWS credentials' expiry time
console.log(`Bearer Token: ${token}`);
}You can find the supported credentials provider here.
import { getTokenProvider } from "@aws/bedrock-token-generator";
import { fromTemporaryCredentials } from "@aws-sdk/credential-providers";
const provideToken = getTokenProvider({
credentials: fromTemporaryCredentials({
params: {
RoleArn: "arn:aws:iam::123456789012:role/BedrockRole",
},
}),
region: "us-east-1",
});
async function example() {
const token = await provideToken();
// Use the token for API calls. The token has a default expiration of 12 hour.
// If the expiresInSeconds parameter is specified during token creation, the
// expiration can be configured up to a maximum of 12 hours. However, the actual
// token validity period will always be the minimum of the requested expiration
// time and the AWS credentials' expiry time
console.log(`Bearer Token: ${token}`);
}import { getTokenProvider } from "@aws/bedrock-token-generator";
const credentials = {
accessKeyId: "YOUR_ACCESS_KEY_ID",
secretAccessKey: "YOUR_SECRET_ACCESS_KEY",
sessionToken: "YOUR_SESSION_TOKEN",
};
const provideToken = getTokenProvider({
credentials,
region: "us-east-1",
expiresInSeconds: 7200,
});
async function example() {
const token = await provideToken();
// Use the token for API calls. The token has an expiration of 2 hour. However, the actual token validity period
// will always be the minimum of the requested expiration time and the AWS credentials' expiry time
console.log(`Bearer Token: ${token}`);
}import { getToken } from "@aws/bedrock-token-generator";
async function example() {
const credentials = {
accessKeyId: "YOUR_ACCESS_KEY_ID",
secretAccessKey: "YOUR_SECRET_ACCESS_KEY",
sessionToken: "YOUR_SESSION_TOKEN",
};
const token = await getToken({
credentials,
region: "us-east-1",
expiresInSeconds: 7200,
});
// Use the token for API calls. The token has an expiration of 2 hour. However, the actual token validity period
// will always be the minimum of the requested expiration time and the AWS credentials' expiry time
console.log(`Bearer Token: ${token}`);
}- API Reference - Detailed API documentation
The generated tokens follow this format:
bedrock-api-key-<base64-encoded-presigned-url>&Version=1
-
Prefix:
bedrock-api-key-identifies the token type - Payload: Base64-encoded presigned URL with embedded credentials
-
Version:
&Version=1for future compatibility - Expiration: The token has a default expiration of 12 hour. If the expiresInSeconds parameter is specified during token creation, the expiration can be configured up to a maximum of 12 hours. However, the actual token validity period will always be the minimum of the requested expiration time and the AWS credentials' expiry time.
- Token Expiration: The token has a default expiration of 12 hour. If the expiresInSeconds parameter is specified during token creation, the expiration can be configured up to a maximum of 12 hours. However, the actual token validity period will always be the minimum of the requested expiration time and the AWS credentials' expiry time. The token must be generated again once it expires, as it cannot be refreshed or extended.
- Secure Storage: Store tokens securely and avoid logging them
- Credential Management: Use IAM roles and temporary credentials when possible
- Network Security: Always use HTTPS when transmitting tokens
- Principle of Least Privilege: Ensure underlying credentials have minimal required permissions
- Node.js: 16.0.0 or later
- TypeScript: 4.7.0 or later (for TypeScript users)
# Clone the repository
git clone https://github.com/aws/aws-bedrock-token-generator-js.git
cd aws-bedrock-token-generator-js
# Install dependencies
npm install
# Build the project
npm run build
# Run tests
npm test# Run all tests
npm test
# Run tests in watch mode
npm run test:watch
# Run linter
npm run lint
# Format code
npm run formatWe welcome contributions! Please see CONTRIBUTING.md for details.
- Fork the repository
-
Create a feature branch:
git checkout -b feature-name - Make changes and add tests
-
Run tests:
npm test -
Format code:
npm run format - Submit a pull request
- Documentation: AWS Bedrock Documentation
- Issues: GitHub Issues
- AWS Support: AWS Support Center
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
- AWS SDK for JavaScript
- AWS Bedrock Token Generator for Java
- AWS Bedrock Token Generator for Python
- AWS Bedrock Documentation
See CHANGELOG.md for a list of changes and version history.