API keys
Amazon Bedrock API keys let you authenticate API requests using a bearer token instead of AWS credentials. There are two types:
-
Short-term – Lasts up to 12 hours (or the duration of your session, whichever is shorter). Inherits permissions from the IAM principal used to generate it. Recommended for production use.
-
Long-term – Lasts until a configured expiration date. Creates an IAM user with attached policies. Recommended only for exploration.
All API calls are logged in AWS CloudTrail. API keys are passed as authorization headers and are not logged.
Generate a short-term API key
Choose the tab for your preferred method, and then follow the steps:
- Console
-
Sign in to the AWS Management Console with an IAM identity that has permissions to use the Amazon Bedrock console. Then, open the Amazon Bedrock console at
https://console.aws.amazon.com/bedrock.
In the left navigation pane, select API keys.
In the Short-term API keys tab, choose Generate short-term API keys.
The key expires when your console session expires (max 12 hours). To generate a key for a different Region, switch Regions in the console first.
- Python
-
Install the token generator:
pip install aws-bedrock-token-generator
Generate a token:
from aws_bedrock_token_generator import provide_token
token = provide_token()
print(f"Token: {token}")
- Javascript
-
Install the token generator:
npm install @aws/bedrock-token-generator
Generate a token:
import { getTokenProvider } from "@aws/bedrock-token-generator";
const provideToken = getTokenProvider();
const token = await provideToken();
console.log(`Bearer Token: ${token}`);
- Java
-
Add the dependency (Maven):
<dependency>
<groupId>software.amazon.bedrock</groupId>
<artifactId>aws-bedrock-token-generator</artifactId>
<version>1.1.0</version>
</dependency>
Generate a token:
import software.amazon.bedrock.token.BedrockTokenGenerator;
BedrockTokenGenerator tokenGenerator = BedrockTokenGenerator.builder().build();
String token = tokenGenerator.getToken();
Generate a long-term API key
Choose the tab for your preferred method, and then follow the steps:
- Console
-
Sign in to the AWS Management Console with an IAM identity that has permissions to use the Amazon Bedrock console. Then, open the Amazon Bedrock console at
https://console.aws.amazon.com/bedrock.
In the left navigation pane, select API keys.
In the Long-term API keys tab, choose Generate long-term API keys.
Choose an expiration time and optionally add permissions in Advanced permissions.
Choose Generate.
- CLI
-
# Create an IAM user
aws iam create-user --user-name bedrock-api-user
# Attach permissions
aws iam attach-user-policy --user-name bedrock-api-user \
--policy-arn arn:aws:iam::aws:policy/AmazonBedrockLimitedAccess
# Generate the API key (replace NUMBER-OF-DAYS)
aws iam create-service-specific-credential \
--user-name bedrock-api-user \
--service-name bedrock.amazonaws.com \
--credential-age-days ${NUMBER-OF-DAYS}
The ServiceApiKeyValue in the response is your API key.
- Python
-
import boto3
iam_client = boto3.client("iam")
# Create IAM user
iam_client.create_user(UserName="bedrock-api-user")
# Attach permissions
iam_client.attach_user_policy(
UserName="bedrock-api-user",
PolicyArn="arn:aws:iam::aws:policy/AmazonBedrockLimitedAccess"
)
# Generate API key
response = iam_client.create_service_specific_credential(
UserName="bedrock-api-user",
ServiceName="bedrock.amazonaws.com",
CredentialAgeDays=30
)
api_key = response["ServiceSpecificCredential"]["ServiceApiKeyValue"]
print(api_key)
Use an API key
Set the key as an environment variable:
# macOS/Linux
export AWS_BEARER_TOKEN_BEDROCK=${api-key}
# Windows
setx AWS_BEARER_TOKEN_BEDROCK "${api-key}"
Or pass it directly in the Authorization header:
Authorization: Bearer ${api-key}
Example: Make a Converse request
choose the tab for your preferred method, and then follow the steps:
- cURL
-
curl -X POST "https://bedrock-runtime.us-east-1.amazonaws.com/model/us.anthropic.claude-sonnet-4-6/converse" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $AWS_BEARER_TOKEN_BEDROCK" \
-d '{
"messages": [{"role": "user", "content": [{"text": "Hello"}]}]
}'
- Python (boto3)
-
import os
import boto3
os.environ['AWS_BEARER_TOKEN_BEDROCK'] = "${api-key}"
client = boto3.client("bedrock-runtime", region_name="us-east-1")
response = client.converse(
modelId="us.anthropic.claude-sonnet-4-6",
messages=[{"role": "user", "content": [{"text": "Hello"}]}]
)
Auto-refresh short-term keys
For long-running applications, call the token generator before each request. It returns a cached token if still valid or generates a new one automatically:
- Python
-
from aws_bedrock_token_generator import provide_token
import requests
url = "https://bedrock-runtime.us-west-2.amazonaws.com/model/us.anthropic.claude-sonnet-4-6/converse"
payload = {"messages": [{"role": "user", "content": [{"text": "Hello"}]}]}
# Call provide_token() before each request — it handles caching/refresh
token = provide_token()
headers = {"Content-Type": "application/json", "Authorization": f"Bearer {token}"}
response = requests.post(url, headers=headers, json=payload)
print(response.json())
- Javascript
-
import { getTokenProvider } from "@aws/bedrock-token-generator";
const provideToken = getTokenProvider();
const url = "https://bedrock-runtime.us-east-1.amazonaws.com/model/us.anthropic.claude-sonnet-4-6/converse";
const payload = {messages: [{role: "user", content: [{text: "Hello"}]}]};
// provideToken() handles caching/refresh automatically
const headers = {
"Content-Type": "application/json",
"Authorization": `Bearer ${await provideToken()}`
};
await fetch(url, {method: 'POST', headers, body: JSON.stringify(payload)});
For more examples, see the token generator documentation: Python | Javascript | Java.
Modify permissions
A long-term API key is associated with an IAM user. To change its permissions, modify the policies attached to that user. See Adding and removing IAM identity permissions.
From the console: go to API keys > Long-term API keys > select your key > Manage in IAM Console.
Compromised keys
If a key is compromised, take one of the following actions:
| Action |
Key type |
How |
| Deactivate |
Long-term |
Console: API keys > select key > Actions > Deactivate. API: UpdateServiceSpecificCredential with Status=Inactive. |
| Reset |
Long-term |
Console: Actions > Reset key. API: ResetServiceSpecificCredential. |
| Delete |
Long-term |
Console: Actions > Delete. API: DeleteServiceSpecificCredential. |
| Invalidate session |
Short-term |
Attach an IAM policy to the identity that denies bedrock:CallWithBearerToken, or invalidate the session used to generate the key. |
Control who can generate and use API keys
Two IAM actions control API key generation and usage:
-
iam:CreateServiceSpecificCredential – Controls generation of long-term keys. Use the iam:ServiceSpecificCredentialAgeDays condition key to limit expiration (e.g., max 90 days).
-
bedrock:CallWithBearerToken – Controls usage of any API key. Use the bedrock:bearerTokenType condition key with values SHORT_TERM or LONG_TERM to target specific key types.
Example: Prevent an identity from using any API key
Attach this policy to the identity:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "bedrock:CallWithBearerToken",
"Resource": "*"
}
]
}
Example: Allow only short-lived keys (max 90 days)
Attach this policy to the identity:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:CreateServiceSpecificCredential",
"Resource": "*",
"Condition": {
"NumericLessThanEquals": {
"iam:ServiceSpecificCredentialAgeDays": "90"
},
"StringEquals": {
"iam:ServiceSpecificCredentialServiceName": "bedrock.amazonaws.com"
}
}
}
]
}
For more detailed policy examples, see API keys reference.
