@zhafron/opencode-kiro-auth
v1.7.0
Published
OpenCode plugin for AWS Kiro (CodeWhisperer) providing access to Claude models
Maintainers
zhafronReadme
OpenCode Kiro Auth Plugin
OpenCode plugin for AWS Kiro (CodeWhisperer) providing access to Claude Sonnet and Haiku models with substantial trial quotas.
Features
- Multiple Auth Methods: Supports AWS Builder ID (IDC), IAM Identity Center (custom Start URL), and Kiro Desktop (CLI-based) authentication.
- Auto-Sync Kiro CLI: Automatically imports and synchronizes active sessions from your local
kiro-cliSQLite database. - Gradual Context Truncation: Intelligently prevents error 400 by reducing context size dynamically during retries.
- Intelligent Account Rotation: Prioritizes multi-account usage based on lowest available quota.
- High-Performance Storage: Efficient account and usage management using native Bun SQLite.
- Native Thinking Mode: Full support for Claude reasoning capabilities via virtual model mappings.
- Automated Recovery: Exponential backoff for rate limits and automated token refresh.
Installation
Add the plugin to your opencode.json or opencode.jsonc:
{
"plugin": ["@zhafron/opencode-kiro-auth"],
"provider": {
"kiro": {
"models": {
"claude-sonnet-4-5": {
"name": "Claude Sonnet 4.5",
"limit": { "context": 200000, "output": 64000 },
"modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
},
"claude-sonnet-4-5-thinking": {
"name": "Claude Sonnet 4.5 Thinking",
"limit": { "context": 200000, "output": 64000 },
"modalities": { "input": ["text", "image", "pdf"], "output": ["text"] },
"variants": {
"low": { "thinkingConfig": { "thinkingBudget": 8192 } },
"medium": { "thinkingConfig": { "thinkingBudget": 16384 } },
"max": { "thinkingConfig": { "thinkingBudget": 32768 } }
}
},
"claude-sonnet-4-6": {
"name": "Claude Sonnet 4.6",
"limit": { "context": 200000, "output": 64000 },
"modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
},
"claude-sonnet-4-6-thinking": {
"name": "Claude Sonnet 4.6 Thinking",
"limit": { "context": 200000, "output": 64000 },
"modalities": { "input": ["text", "image", "pdf"], "output": ["text"] },
"variants": {
"low": { "thinkingConfig": { "thinkingBudget": 8192 } },
"medium": { "thinkingConfig": { "thinkingBudget": 16384 } },
"max": { "thinkingConfig": { "thinkingBudget": 32768 } }
}
},
"claude-haiku-4-5": {
"name": "Claude Haiku 4.5",
"limit": { "context": 200000, "output": 64000 },
"modalities": { "input": ["text", "image"], "output": ["text"] }
},
"claude-opus-4-5": {
"name": "Claude Opus 4.5",
"limit": { "context": 200000, "output": 64000 },
"modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
},
"claude-opus-4-5-thinking": {
"name": "Claude Opus 4.5 Thinking",
"limit": { "context": 200000, "output": 64000 },
"modalities": { "input": ["text", "image", "pdf"], "output": ["text"] },
"variants": {
"low": { "thinkingConfig": { "thinkingBudget": 8192 } },
"medium": { "thinkingConfig": { "thinkingBudget": 16384 } },
"max": { "thinkingConfig": { "thinkingBudget": 32768 } }
}
},
"claude-opus-4-6": {
"name": "Claude Opus 4.6",
"limit": { "context": 200000, "output": 64000 },
"modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
},
"claude-opus-4-6-thinking": {
"name": "Claude Opus 4.6 Thinking",
"limit": { "context": 200000, "output": 64000 },
"modalities": { "input": ["text", "image", "pdf"], "output": ["text"] },
"variants": {
"low": { "thinkingConfig": { "thinkingBudget": 8192 } },
"medium": { "thinkingConfig": { "thinkingBudget": 16384 } },
"max": { "thinkingConfig": { "thinkingBudget": 32768 } }
}
},
"claude-opus-4-6-1m": {
"name": "Claude Opus 4.6 (1M Context)",
"limit": { "context": 1000000, "output": 64000 },
"modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
},
"claude-opus-4-6-1m-thinking": {
"name": "Claude Opus 4.6 (1M Context) Thinking",
"limit": { "context": 1000000, "output": 64000 },
"modalities": { "input": ["text", "image", "pdf"], "output": ["text"] },
"variants": {
"low": { "thinkingConfig": { "thinkingBudget": 8192 } },
"medium": { "thinkingConfig": { "thinkingBudget": 16384 } },
"max": { "thinkingConfig": { "thinkingBudget": 32768 } }
}
},
"claude-sonnet-4-5-1m": {
"name": "Claude Sonnet 4.5 (1M Context)",
"limit": { "context": 1000000, "output": 64000 },
"modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
},
"claude-sonnet-4-6-1m": {
"name": "Claude Sonnet 4.6 (1M Context)",
"limit": { "context": 1000000, "output": 64000 },
"modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
},
"claude-sonnet-4-6-1m-thinking": {
"name": "Claude Sonnet 4.6 (1M Context) Thinking",
"limit": { "context": 1000000, "output": 64000 },
"modalities": { "input": ["text", "image", "pdf"], "output": ["text"] },
"variants": {
"low": { "thinkingConfig": { "thinkingBudget": 8192 } },
"medium": { "thinkingConfig": { "thinkingBudget": 16384 } },
"max": { "thinkingConfig": { "thinkingBudget": 32768 } }
}
},
"qwen3-coder-480b": {
"name": "Qwen3 Coder 480B",
"limit": { "context": 200000, "output": 64000 },
"modalities": { "input": ["text"], "output": ["text"] }
}
}
}
}
}Setup
- Authentication via Kiro CLI (Recommended):
- Perform login directly in your terminal using
kiro-cli login. - The plugin will automatically detect and import your session on startup.
- For AWS IAM Identity Center (SSO/IDC), the plugin imports both the token and device registration (OIDC client credentials) from the
kiro-clidatabase.
- Perform login directly in your terminal using
- Direct Authentication:
- Run
opencode auth login. - Select
Other, typekiro, and press enter. - You'll be prompted for your IAM Identity Center Start URL and IAM Identity Center region (
sso_region).- Leave it blank to sign in with AWS Builder ID.
- Enter your company's Start URL (e.g.
https://your-company.awsapps.com/start) to use IAM Identity Center (SSO).
- Note: the TUI
/connectflow currently does not run plugin OAuth prompts (Start URL / region), so Identity Center logins may fall back to Builder ID unless you useopencode auth login(or preconfigure defaults in~/.config/opencode/kiro.json). - For IAM Identity Center, you may also need a profile ARN (
profileArn).- If
kiro-cliis installed and you've selected a profile once (kiro-cli profile), the plugin auto-detects it. - Otherwise, set
idc_profile_arnin~/.config/opencode/kiro.json.
- If
- A browser window will open directly to AWS' verification URL (no local auth server). If it doesn't, copy/paste the URL and enter the code printed by OpenCode.
- You can also pre-configure defaults in
~/.config/opencode/kiro.jsonviaidc_start_urlandidc_region.
- Run
- Configuration will be automatically managed at
~/.config/opencode/kiro.db.
Local plugin development
OpenCode installs plugins into a cache directory (typically ~/.cache/opencode/node_modules).
The simplest way to test local changes (without publishing to npm) is to build this repo and hot-swap the cached plugin dist/ folder:
- Build this repo:
bun run build(ornpm run build) - Hot-swap
dist/(creates a timestamped backup):
PLUGIN_DIR="$HOME/.cache/opencode/node_modules/@zhafron/opencode-kiro-auth"
TS=$(date +%Y%m%d-%H%M%S)
cp -a "$PLUGIN_DIR/dist" "$PLUGIN_DIR/dist.bak.$TS"
rm -rf "$PLUGIN_DIR/dist"
cp -a "/absolute/path/to/opencode-kiro-auth/dist" "$PLUGIN_DIR/dist"
echo "Backup at: $PLUGIN_DIR/dist.bak.$TS"Revert:
PLUGIN_DIR="$HOME/.cache/opencode/node_modules/@zhafron/opencode-kiro-auth"
rm -rf "$PLUGIN_DIR/dist"
mv "$PLUGIN_DIR/dist.bak.YYYYMMDD-HHMMSS" "$PLUGIN_DIR/dist"Troubleshooting
Error: Status: 403 (AccessDeniedException / User is not authorized)
If you're using IAM Identity Center (a custom Start URL), the Q Developer / CodeWhisperer APIs typically require a profile ARN.
This plugin reads the active profile ARN from your local kiro-cli database (state.key = api.codewhisperer.profile) and sends it as profileArn.
Fix:
- Run
kiro-cli profileand select a profile (e.g.QDevProfile-us-east-1). - Retry
opencode auth login(or restart OpenCode so it re-syncs).
Error: No accounts
This happens when the plugin has no records in ~/.config/opencode/kiro.db.
- Ensure
kiro-cli loginsucceeds. - Ensure
auto_sync_kiro_cliistruein~/.config/opencode/kiro.json. - Retry the request; the plugin will attempt a Kiro CLI sync when it detects zero accounts.
Note: /connect vs opencode auth login
If you need to enter provider-specific values for an OAuth login (like IAM Identity Center Start URL / region), use opencode auth login. The current TUI /connect flow may not display plugin OAuth prompts, so it can’t collect those inputs.
Note for IDC/SSO (ODIC): the plugin may temporarily create an account with a placeholder email if it cannot fetch the real email during sync (e.g. offline). It will replace it with the real email once usage/email lookup succeeds.
Error: ERR_INVALID_URL
TypeError [ERR_INVALID_URL]: "undefined/chat/completions" cannot be parsed as a URL
If this happens, check your auth.json in .local/share/opencode. example:
{
"kiro": {
"type": "api",
"key": "whatever"
}
}Configuration
The plugin supports extensive configuration options. Edit ~/.config/opencode/kiro.json:
{
"auto_sync_kiro_cli": true,
"account_selection_strategy": "lowest-usage",
"default_region": "us-east-1",
"idc_start_url": "https://your-company.awsapps.com/start",
"idc_region": "us-east-1",
"rate_limit_retry_delay_ms": 5000,
"rate_limit_max_retries": 3,
"max_request_iterations": 20,
"request_timeout_ms": 120000,
"token_expiry_buffer_ms": 120000,
"usage_sync_max_retries": 3,
"usage_tracking_enabled": true,
"enable_log_api_request": false
}Configuration Options
auto_sync_kiro_cli: Automatically sync sessions from Kiro CLI (default:true).account_selection_strategy: Account rotation strategy (sticky,round-robin,lowest-usage).default_region: AWS region (us-east-1,us-west-2).idc_start_url: Default IAM Identity Center Start URL (e.g.https://your-company.awsapps.com/start). Leave unset/blank to default to AWS Builder ID.idc_region: IAM Identity Center (SSO OIDC) region (sso_region). Defaults tous-east-1.rate_limit_retry_delay_ms: Delay between rate limit retries (1000-60000ms).rate_limit_max_retries: Maximum retry attempts for rate limits (0-10).max_request_iterations: Maximum loop iterations to prevent hangs (10-1000).request_timeout_ms: Request timeout in milliseconds (60000-600000ms).token_expiry_buffer_ms: Token refresh buffer time (30000-300000ms).usage_sync_max_retries: Retry attempts for usage sync (0-5).auth_server_port_start: Legacy/ignored (no local auth server).auth_server_port_range: Legacy/ignored (no local auth server).usage_tracking_enabled: Enable usage tracking and toast notifications.enable_log_api_request: Enable detailed API request logging.
Storage
Linux/macOS:
- SQLite Database:
~/.config/opencode/kiro.db - Plugin Config:
~/.config/opencode/kiro.json
Windows:
- SQLite Database:
%APPDATA%\opencode\kiro.db - Plugin Config:
%APPDATA%\opencode\kiro.json
Acknowledgements
Special thanks to AIClient-2-API for providing the foundational Kiro authentication logic and request patterns.
Disclaimer
This plugin is provided strictly for learning and educational purposes. It is an independent implementation and is not affiliated with, endorsed by, or supported by Amazon Web Services (AWS) or Anthropic. Use of this plugin is at your own risk.
Feel free to open a PR to optimize this plugin further.