@anthropic-ai/aws-sdk 0.2.0

package/internal/utils.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.mjs","sourceRoot":"","sources":["../src/internal/utils.ts"],"names":[],"mappings":"AAAA,sFAAsF"}

package/package.json

@@ -0,0 +1,87 @@
+{
+  "name": "@anthropic-ai/aws-sdk",
+  "version": "0.2.0",
+  "description": "The official TypeScript library for the Anthropic AWS API",
+  "author": "Anthropic <support@anthropic.com>",
+  "types": "./index.d.ts",
+  "main": "./index.js",
+  "type": "commonjs",
+  "repository": "github:anthropics/anthropic-sdk-typescript",
+  "license": "MIT",
+  "packageManager": "yarn@1.22.21",
+  "private": false,
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "test": "jest",
+    "build": "bash ./build",
+    "format": "prettier --write --cache --cache-strategy metadata . !dist",
+    "tsn": "ts-node -r tsconfig-paths/register",
+    "lint": "eslint --ext ts,js .",
+    "fix": "eslint --fix --ext ts,js ."
+  },
+  "dependencies": {
+    "@anthropic-ai/sdk": ">=0.50.3 <1",
+    "@aws-crypto/sha256-js": "^4.0.0",
+    "@aws-sdk/credential-providers": "^3.796.0",
+    "@smithy/fetch-http-handler": "^5.0.4",
+    "@smithy/protocol-http": "^3.0.6",
+    "@smithy/signature-v4": "^3.1.1",
+    "@smithy/types": "^2.3.4"
+  },
+  "imports": {
+    "@anthropic-ai/aws-sdk": ".",
+    "@anthropic-ai/aws-sdk/*": "./src/*"
+  },
+  "exports": {
+    ".": {
+      "require": {
+        "types": "./index.d.ts",
+        "default": "./index.js"
+      },
+      "types": "./index.d.mts",
+      "default": "./index.mjs"
+    },
+    "./.github/*.mjs": {
+      "default": "./.github/*.mjs"
+    },
+    "./.github/*.js": {
+      "default": "./.github/*.js"
+    },
+    "./.github/*": {
+      "import": "./.github/*.mjs",
+      "require": "./.github/*.js"
+    },
+    "./client": {
+      "import": "./client.mjs",
+      "require": "./client.js"
+    },
+    "./client.js": {
+      "default": "./client.js"
+    },
+    "./client.mjs": {
+      "default": "./client.mjs"
+    },
+    "./core/*.mjs": {
+      "default": "./core/*.mjs"
+    },
+    "./core/*.js": {
+      "default": "./core/*.js"
+    },
+    "./core/*": {
+      "import": "./core/*.mjs",
+      "require": "./core/*.js"
+    },
+    "./index": {
+      "import": "./index.mjs",
+      "require": "./index.js"
+    },
+    "./index.js": {
+      "default": "./index.js"
+    },
+    "./index.mjs": {
+      "default": "./index.mjs"
+    }
+  }
+}

package/src/client.ts

@@ -0,0 +1,239 @@
+import type { NullableHeaders } from './internal/headers';
+import { buildHeaders } from './internal/headers';
+import * as Errors from './core/error';
+import { readEnv } from './internal/utils';
+import { Anthropic, ClientOptions } from '@anthropic-ai/sdk/client';
+export { BaseAnthropic } from '@anthropic-ai/sdk/client';
+import { AwsCredentialIdentityProvider } from '@smithy/types';
+import { getAuthHeaders } from './core/auth';
+import { FinalRequestOptions } from './internal/request-options';
+import { FinalizedRequestInit } from './internal/types';
+
+const DEFAULT_SERVICE_NAME = 'aws-external-anthropic';
+
+export interface AwsClientOptions extends ClientOptions {
+  /**
+   * AWS region for the API gateway.
+   *
+   * Resolved by precedence: `awsRegion` arg > `AWS_REGION` env var > `AWS_DEFAULT_REGION` env var.
+   */
+  awsRegion?: string | undefined;
+
+  /**
+   * API key for x-api-key authentication.
+   *
+   * Takes precedence over AWS credential options. If neither `apiKey` nor
+   * AWS credentials are provided, falls back to the `ANTHROPIC_AWS_API_KEY`
+   * environment variable, then to the default AWS credential chain.
+   */
+  apiKey?: string | undefined;
+
+  /**
+   * AWS access key ID for SigV4 authentication.
+   *
+   * Must be provided together with `awsSecretAccessKey`.
+   */
+  awsAccessKey?: string | null | undefined;
+
+  /**
+   * AWS secret access key for SigV4 authentication.
+   *
+   * Must be provided together with `awsAccessKey`.
+   */
+  awsSecretAccessKey?: string | null | undefined;
+
+  /**
+   * AWS session token for temporary credentials.
+   */
+  awsSessionToken?: string | null | undefined;
+
+  /**
+   * AWS named profile for credential resolution.
+   *
+   * When set, credentials are loaded from the AWS credential chain
+   * using this profile.
+   */
+  awsProfile?: string | undefined;
+
+  /**
+   * Custom provider chain resolver for AWS credentials.
+   * Useful for non-Node environments, like edge workers, where the default
+   * credential provider chain may not work.
+   */
+  providerChainResolver?: (() => Promise<AwsCredentialIdentityProvider>) | null;
+
+  /**
+   * Workspace ID sent on every request as the `anthropic-workspace-id` header.
+   *
+   * Resolved by precedence: `workspaceId` arg > `ANTHROPIC_AWS_WORKSPACE_ID` env var.
+   */
+  workspaceId?: string | undefined;
+
+  /**
+   * Skip authentication for requests. This is useful when you have a gateway
+   * or proxy that handles authentication on your behalf.
+   *
+   * @default false
+   */
+  skipAuth?: boolean;
+}
+
+/** API Client for interfacing with the Anthropic AWS API. */
+export class AnthropicAws extends Anthropic {
+  awsRegion: string | undefined;
+  awsAccessKey: string | null;
+  awsSecretAccessKey: string | null;
+  awsSessionToken: string | null;
+  awsProfile: string | null;
+  providerChainResolver: (() => Promise<AwsCredentialIdentityProvider>) | null;
+  workspaceId: string | undefined;
+  skipAuth: boolean = false;
+
+  private _useSigV4: boolean;
+
+  /**
+   * API Client for interfacing with the Anthropic AWS API.
+   *
+   * Auth is resolved by precedence: `apiKey` constructor arg > explicit AWS
+   * credentials > `awsProfile` > `ANTHROPIC_AWS_API_KEY` env var > default
+   * AWS credential chain.
+   *
+   * @param {string | undefined} [opts.apiKey] - API key for x-api-key authentication.
+   * @param {string | null | undefined} [opts.awsAccessKey] - AWS access key ID for SigV4 authentication.
+   * @param {string | null | undefined} [opts.awsSecretAccessKey] - AWS secret access key for SigV4 authentication.
+   * @param {string | null | undefined} [opts.awsSessionToken] - AWS session token for temporary credentials.
+   * @param {string | undefined} [opts.awsProfile] - AWS named profile for credential resolution.
+   * @param {string | undefined} [opts.awsRegion] - AWS region. Resolved by precedence: arg > `AWS_REGION` env > `AWS_DEFAULT_REGION` env.
+   * @param {(() => Promise<AwsCredentialIdentityProvider>) | null} [opts.providerChainResolver] - Custom provider chain resolver for AWS credentials.
+   * @param {string | undefined} [opts.workspaceId] - Workspace ID sent as `anthropic-workspace-id` header. Resolved by precedence: arg > `ANTHROPIC_AWS_WORKSPACE_ID` env var.
+   * @param {string} [opts.baseURL=process.env['ANTHROPIC_AWS_BASE_URL'] ?? https://aws-external-anthropic.{awsRegion}.api.aws] - Override the default base URL for the API.
+   * @param {number} [opts.timeout=10 minutes] - The maximum amount of time (in milliseconds) the client will wait for a response before timing out.
+   * @param {MergedRequestInit} [opts.fetchOptions] - Additional `RequestInit` options to be passed to `fetch` calls.
+   * @param {Fetch} [opts.fetch] - Specify a custom `fetch` function implementation.
+   * @param {number} [opts.maxRetries=2] - The maximum number of times the client will retry a request.
+   * @param {HeadersLike} opts.defaultHeaders - Default headers to include with every request to the API.
+   * @param {Record<string, string | undefined>} opts.defaultQuery - Default query parameters to include with every request to the API.
+   * @param {boolean} [opts.dangerouslyAllowBrowser=false] - By default, client-side use of this library is not allowed, as it risks exposing your secret API credentials to attackers.
+   * @param {boolean} [opts.skipAuth=false] - Skip authentication for requests. This is useful when you have a gateway or proxy that handles authentication on your behalf.
+   */
+  constructor({
+    awsRegion,
+    baseURL,
+    apiKey,
+    awsAccessKey = null,
+    awsSecretAccessKey = null,
+    awsSessionToken = null,
+    awsProfile,
+    providerChainResolver = null,
+    workspaceId,
+    skipAuth = false,
+    ...opts
+  }: AwsClientOptions = {}) {
+    // Region resolution: arg > AWS_REGION env > AWS_DEFAULT_REGION env
+    const resolvedRegion = awsRegion ?? readEnv('AWS_REGION') ?? readEnv('AWS_DEFAULT_REGION');
+
+    const resolvedBaseURL =
+      baseURL ??
+      readEnv('ANTHROPIC_AWS_BASE_URL') ??
+      (resolvedRegion ? `https://aws-external-anthropic.${resolvedRegion}.api.aws` : undefined);
+
+    if (!resolvedBaseURL && !skipAuth) {
+      throw new Errors.AnthropicError(
+        'No AWS region or base URL found. Set `awsRegion` in the constructor, the `AWS_REGION` / `AWS_DEFAULT_REGION` environment variable, or provide a `baseURL` / `ANTHROPIC_AWS_BASE_URL` environment variable.',
+      );
+    }
+
+    // Precedence-based auth resolution:
+    // 1. apiKey constructor arg
+    // 2. awsAccessKey/awsSecretAccessKey constructor args (SigV4)
+    // 3. awsProfile constructor arg (SigV4)
+    // 4. ANTHROPIC_AWS_API_KEY env var
+    // 5. Default AWS credential chain (SigV4)
+    const hasExplicitApiKey = apiKey != null;
+    const hasPartialAwsCreds = (awsAccessKey != null) !== (awsSecretAccessKey != null);
+    if (hasPartialAwsCreds) {
+      throw new Errors.AnthropicError(
+        '`awsAccessKey` and `awsSecretAccessKey` must be provided together. You provided only one.',
+      );
+    }
+    const hasExplicitAwsCreds = awsAccessKey != null && awsSecretAccessKey != null;
+    const hasAwsProfile = awsProfile != null;
+
+    let resolvedApiKey: string | undefined;
+    if (hasExplicitApiKey) {
+      resolvedApiKey = apiKey;
+    } else if (!hasExplicitAwsCreds && !hasAwsProfile) {
+      resolvedApiKey = readEnv('ANTHROPIC_AWS_API_KEY') ?? undefined;
+    }
+
+    const resolvedWorkspaceId = workspaceId ?? readEnv('ANTHROPIC_AWS_WORKSPACE_ID');
+    if (!resolvedWorkspaceId && !skipAuth) {
+      throw new Errors.AnthropicError(
+        'No workspace ID found. Set `workspaceId` in the constructor or the `ANTHROPIC_AWS_WORKSPACE_ID` environment variable.',
+      );
+    }
+
+    super({
+      apiKey: resolvedApiKey,
+      baseURL: resolvedBaseURL,
+      ...opts,
+      defaultHeaders: buildHeaders([{ 'anthropic-workspace-id': resolvedWorkspaceId }, opts.defaultHeaders]),
+    });
+
+    this.awsRegion = resolvedRegion;
+    this.awsAccessKey = awsAccessKey;
+    this.awsSecretAccessKey = awsSecretAccessKey;
+    this.awsSessionToken = awsSessionToken;
+    this.awsProfile = awsProfile ?? null;
+    this.providerChainResolver = providerChainResolver;
+    this.workspaceId = resolvedWorkspaceId;
+    this.skipAuth = skipAuth;
+    this._useSigV4 = resolvedApiKey == null;
+  }
+
+  protected override async authHeaders(opts: FinalRequestOptions): Promise<NullableHeaders | undefined> {
+    if (this.skipAuth) {
+      return undefined;
+    }
+
+    if (!this._useSigV4) {
+      // API key mode — use inherited x-api-key auth
+      return super.authHeaders(opts);
+    }
+
+    // SigV4 mode — auth is handled in prepareRequest since it needs the full request
+    return undefined;
+  }
+
+  protected override validateHeaders(): void {
+    // Auth validation is handled in the constructor and prepareRequest
+  }
+
+  protected override async prepareRequest(
+    request: FinalizedRequestInit,
+    { url, options }: { url: string; options: FinalRequestOptions },
+  ): Promise<void> {
+    if (this.skipAuth || !this._useSigV4) {
+      return;
+    }
+
+    const regionName = this.awsRegion;
+    if (!regionName) {
+      throw new Errors.AnthropicError(
+        'No AWS region found. Set `awsRegion` in the constructor or the `AWS_REGION` / `AWS_DEFAULT_REGION` environment variable.',
+      );
+    }
+
+    const headers = await getAuthHeaders(request, {
+      url,
+      regionName,
+      serviceName: DEFAULT_SERVICE_NAME,
+      awsAccessKey: this.awsAccessKey,
+      awsSecretAccessKey: this.awsSecretAccessKey,
+      awsSessionToken: this.awsSessionToken,
+      awsProfile: this.awsProfile,
+      providerChainResolver: this.providerChainResolver,
+    });
+    request.headers = buildHeaders([headers, request.headers]).values;
+  }
+}

package/src/core/auth.ts

@@ -0,0 +1,101 @@
+import { Sha256 } from '@aws-crypto/sha256-js';
+import { FetchHttpHandler } from '@smithy/fetch-http-handler';
+import { HttpRequest } from '@smithy/protocol-http';
+import { SignatureV4 } from '@smithy/signature-v4';
+import { AwsCredentialIdentityProvider } from '@smithy/types';
+import assert from 'assert';
+import { MergedRequestInit } from '../internal/types';
+
+export type AuthProps = {
+  url: string;
+  regionName: string;
+  serviceName: string;
+  awsAccessKey: string | null | undefined;
+  awsSecretAccessKey: string | null | undefined;
+  awsSessionToken: string | null | undefined;
+  awsProfile?: string | null | undefined;
+  fetchOptions?: MergedRequestInit | undefined;
+  providerChainResolver?: (() => Promise<AwsCredentialIdentityProvider>) | null;
+};
+
+const defaultProviderChainResolver = (profile?: string | null): Promise<AwsCredentialIdentityProvider> =>
+  import('@aws-sdk/credential-providers')
+    .then(({ fromNodeProviderChain }) =>
+      fromNodeProviderChain({
+        ...(profile != null ? { profile } : {}),
+        clientConfig: {
+          requestHandler: new FetchHttpHandler({
+            requestInit: (httpRequest) => {
+              return {
+                ...httpRequest,
+              } as RequestInit;
+            },
+          }),
+        },
+      }),
+    )
+    .catch((error) => {
+      throw new Error(
+        `Failed to import '@aws-sdk/credential-providers'. ` +
+          `You can provide a custom \`providerChainResolver\` in the client options if your runtime does not have access to '@aws-sdk/credential-providers': ` +
+          `\`new AnthropicAws({ providerChainResolver })\` ` +
+          `Original error: ${error.message}`,
+      );
+    });
+
+export const getAuthHeaders = async (req: RequestInit, props: AuthProps): Promise<Record<string, string>> => {
+  assert(req.method, 'Expected request method property to be set');
+
+  let credentials;
+  if (props.awsAccessKey && props.awsSecretAccessKey) {
+    credentials = {
+      accessKeyId: props.awsAccessKey,
+      secretAccessKey: props.awsSecretAccessKey,
+      ...(props.awsSessionToken != null && { sessionToken: props.awsSessionToken }),
+    };
+  } else if (props.providerChainResolver) {
+    const provider = await props.providerChainResolver();
+    credentials = await provider();
+  } else {
+    const provider = await defaultProviderChainResolver(props.awsProfile);
+    credentials = await provider();
+  }
+
+  const signer = new SignatureV4({
+    service: props.serviceName,
+    region: props.regionName,
+    credentials,
+    sha256: Sha256,
+  });
+
+  const url = new URL(props.url);
+
+  const headers =
+    !req.headers ? {}
+    : Symbol.iterator in req.headers ?
+      Object.fromEntries(Array.from(req.headers).map((header) => [...header]))
+    : { ...req.headers };
+
+  // The connection header may be stripped by a proxy somewhere, so the receiver
+  // of this message may not see this header, so we remove it from the set of headers
+  // that are signed.
+  delete headers['connection'];
+  headers['host'] = url.hostname;
+
+  const query: Record<string, string> = {};
+  url.searchParams.forEach((value, key) => {
+    query[key] = value;
+  });
+
+  const request = new HttpRequest({
+    method: req.method.toUpperCase(),
+    protocol: url.protocol,
+    path: url.pathname,
+    query,
+    headers,
+    body: req.body,
+  });
+
+  const signed = await signer.sign(request);
+  return signed.headers;
+};

package/src/core/error.ts

@@ -0,0 +1 @@
+export * from '@anthropic-ai/sdk/core/error';

package/src/core/pagination.ts

@@ -0,0 +1 @@
+export * from '@anthropic-ai/sdk/core/pagination';

package/src/core/streaming.ts

@@ -0,0 +1 @@
+export * from '@anthropic-ai/sdk/core/streaming';

package/src/index.ts

@@ -0,0 +1,4 @@
+// Auth internals are shared via symlink, not via package exports.
+export * from './client';
+export { AnthropicAws as default } from './client';
+export type { AwsClientOptions } from './client';

package/src/internal/README.md

@@ -0,0 +1,3 @@
+# `internal`
+
+The modules in this directory are not importable outside this package and will change between releases.

package/src/internal/builtin-types.ts

@@ -0,0 +1,93 @@
+// File generated from our OpenAPI spec by Stainless. See CONTRIBUTING.md for details.
+
+export type Fetch = (input: string | URL | Request, init?: RequestInit) => Promise<Response>;
+
+/**
+ * An alias to the builtin `RequestInit` type so we can
+ * easily alias it in import statements if there are name clashes.
+ *
+ * https://developer.mozilla.org/docs/Web/API/RequestInit
+ */
+type _RequestInit = RequestInit;
+
+/**
+ * An alias to the builtin `Response` type so we can
+ * easily alias it in import statements if there are name clashes.
+ *
+ * https://developer.mozilla.org/docs/Web/API/Response
+ */
+type _Response = Response;
+
+/**
+ * The type for the first argument to `fetch`.
+ *
+ * https://developer.mozilla.org/docs/Web/API/Window/fetch#resource
+ */
+type _RequestInfo = Request | URL | string;
+
+/**
+ * The type for constructing `RequestInit` Headers.
+ *
+ * https://developer.mozilla.org/docs/Web/API/RequestInit#setting_headers
+ */
+type _HeadersInit = RequestInit['headers'];
+
+/**
+ * The type for constructing `RequestInit` body.
+ *
+ * https://developer.mozilla.org/docs/Web/API/RequestInit#body
+ */
+type _BodyInit = RequestInit['body'];
+
+/**
+ * An alias to the builtin `Array<T>` type so we can
+ * easily alias it in import statements if there are name clashes.
+ */
+type _Array<T> = Array<T>;
+
+/**
+ * An alias to the builtin `Record<K, T>` type so we can
+ * easily alias it in import statements if there are name clashes.
+ */
+type _Record<K extends keyof any, T> = Record<K, T>;
+
+export type {
+  _Array as Array,
+  _BodyInit as BodyInit,
+  _HeadersInit as HeadersInit,
+  _Record as Record,
+  _RequestInfo as RequestInfo,
+  _RequestInit as RequestInit,
+  _Response as Response,
+};
+
+/**
+ * A copy of the builtin `EndingType` type as it isn't fully supported in certain
+ * environments and attempting to reference the global version will error.
+ *
+ * https://github.com/microsoft/TypeScript/blob/49ad1a3917a0ea57f5ff248159256e12bb1cb705/src/lib/dom.generated.d.ts#L27941
+ */
+type EndingType = 'native' | 'transparent';
+
+/**
+ * A copy of the builtin `BlobPropertyBag` type as it isn't fully supported in certain
+ * environments and attempting to reference the global version will error.
+ *
+ * https://github.com/microsoft/TypeScript/blob/49ad1a3917a0ea57f5ff248159256e12bb1cb705/src/lib/dom.generated.d.ts#L154
+ * https://developer.mozilla.org/en-US/docs/Web/API/Blob/Blob#options
+ */
+export interface BlobPropertyBag {
+  endings?: EndingType;
+  type?: string;
+}
+
+/**
+ * A copy of the builtin `FilePropertyBag` type as it isn't fully supported in certain
+ * environments and attempting to reference the global version will error.
+ *
+ * https://github.com/microsoft/TypeScript/blob/49ad1a3917a0ea57f5ff248159256e12bb1cb705/src/lib/dom.generated.d.ts#L503
+ * https://developer.mozilla.org/en-US/docs/Web/API/File/File#options
+ */
+export interface FilePropertyBag extends BlobPropertyBag {
+  lastModified?: number;
+}

package/src/internal/constants.ts

@@ -0,0 +1,15 @@
+// File containing shared constants
+
+/**
+ * Model-specific timeout constraints for non-streaming requests
+ */
+export const MODEL_NONSTREAMING_TOKENS: Record<string, number> = {
+  'claude-opus-4-20250514': 8192,
+  'claude-opus-4-0': 8192,
+  'claude-4-opus-20250514': 8192,
+  'anthropic.claude-opus-4-20250514-v1:0': 8192,
+  'claude-opus-4@20250514': 8192,
+  'claude-opus-4-1-20250805': 8192,
+  'anthropic.claude-opus-4-1-20250805-v1:0': 8192,
+  'claude-opus-4-1@20250805': 8192,
+};

package/src/internal/decoders/jsonl.ts

@@ -0,0 +1,48 @@
+import { AnthropicError } from '../../core/error';
+import { ReadableStreamToAsyncIterable } from '../shims';
+import { LineDecoder, type Bytes } from './line';
+
+export class JSONLDecoder<T> {
+  controller: AbortController;
+
+  constructor(
+    private iterator: AsyncIterableIterator<Bytes>,
+    controller: AbortController,
+  ) {
+    this.controller = controller;
+  }
+
+  private async *decoder(): AsyncIterator<T, any, undefined> {
+    const lineDecoder = new LineDecoder();
+    for await (const chunk of this.iterator) {
+      for (const line of lineDecoder.decode(chunk)) {
+        yield JSON.parse(line) as T;
+      }
+    }
+
+    for (const line of lineDecoder.flush()) {
+      yield JSON.parse(line) as T;
+    }
+  }
+
+  [Symbol.asyncIterator](): AsyncIterator<T> {
+    return this.decoder();
+  }
+
+  static fromResponse<T>(response: Response, controller: AbortController): JSONLDecoder<T> {
+    if (!response.body) {
+      controller.abort();
+      if (
+        typeof (globalThis as any).navigator !== 'undefined' &&
+        (globalThis as any).navigator.product === 'ReactNative'
+      ) {
+        throw new AnthropicError(
+          `The default react-native fetch implementation does not support streaming. Please use expo/fetch: https://docs.expo.dev/versions/latest/sdk/expo/#expofetch-api`,
+        );
+      }
+      throw new AnthropicError(`Attempted to iterate over a response with no body`);
+    }
+
+    return new JSONLDecoder(ReadableStreamToAsyncIterable<Bytes>(response.body), controller);
+  }
+}