feat(bedrock): use auth header for mantle client (#734)

cameron-mcateer · stainless-app[bot] · commit 702322cb92b6 · 2026-04-14T19:03:24.000Z
diff --git a/bedrock/bedrockmantle.go b/bedrock/bedrockmantle.go
@@ -109,6 +109,7 @@ func mantleResolveParams() awsauth.ResolveParams {
 		EnvBaseURL:        "ANTHROPIC_BEDROCK_MANTLE_BASE_URL",
 		DeriveBaseURL:     func(region string) string { return fmt.Sprintf("https://bedrock-mantle.%s.api.aws/anthropic", region) },
 		ServiceName:       mantleServiceName,
+		UseBearerAuth:     true,
 	}
 }
 
diff --git a/bedrock/bedrockmantle_test.go b/bedrock/bedrockmantle_test.go
@@ -123,11 +123,11 @@ func TestMantleAPIKeyModeHeaders(t *testing.T) {
 	})
 	sendTestMantleRequest(t, client)
 
-	if got := captured.Headers.Get("X-Api-Key"); got != "my-api-key" {
-		t.Errorf("expected x-api-key %q, got %q", "my-api-key", got)
+	if got := captured.Headers.Get("Authorization"); got != "Bearer my-api-key" {
+		t.Errorf("expected Authorization %q, got %q", "Bearer my-api-key", got)
 	}
-	if captured.Headers.Get("Authorization") != "" {
-		t.Error("expected no Authorization header in API key mode")
+	if captured.Headers.Get("X-Api-Key") != "" {
+		t.Error("expected no X-Api-Key header in bearer auth mode")
 	}
 }
 
@@ -200,8 +200,8 @@ func TestMantleAPIKeyFallbackToAWSEnv(t *testing.T) {
 	client, captured := newTestMantleClient(t, MantleClientConfig{})
 	sendTestMantleRequest(t, client)
 
-	if got := captured.Headers.Get("X-Api-Key"); got != "aws-fallback-key" {
-		t.Errorf("expected x-api-key %q (AWS fallback), got %q", "aws-fallback-key", got)
+	if got := captured.Headers.Get("Authorization"); got != "Bearer aws-fallback-key" {
+		t.Errorf("expected Authorization %q (AWS fallback), got %q", "Bearer aws-fallback-key", got)
 	}
 }
 
@@ -213,8 +213,8 @@ func TestMantleAPIKeyMantleEnvOverridesAWSEnv(t *testing.T) {
 	client, captured := newTestMantleClient(t, MantleClientConfig{})
 	sendTestMantleRequest(t, client)
 
-	if got := captured.Headers.Get("X-Api-Key"); got != "mantle-key" {
-		t.Errorf("expected x-api-key %q (mantle-specific), got %q", "mantle-key", got)
+	if got := captured.Headers.Get("Authorization"); got != "Bearer mantle-key" {
+		t.Errorf("expected Authorization %q (mantle-specific), got %q", "Bearer mantle-key", got)
 	}
 }
 
@@ -314,8 +314,8 @@ func TestNewMantleClientMessages(t *testing.T) {
 	})
 	sendTestMantleRequest(t, client)
 
-	if got := captured.Headers.Get("X-Api-Key"); got != "test-key" {
-		t.Errorf("expected x-api-key %q, got %q", "test-key", got)
+	if got := captured.Headers.Get("Authorization"); got != "Bearer test-key" {
+		t.Errorf("expected Authorization %q, got %q", "Bearer test-key", got)
 	}
 }
 
@@ -369,15 +369,15 @@ func TestMantleClientRequestOptionsOverrideInternal(t *testing.T) {
 	t.Setenv("AWS_BEARER_TOKEN_BEDROCK", "")
 	t.Setenv("ANTHROPIC_AWS_API_KEY", "")
 
-	// User-provided opts should override internal opts (e.g. override the API key header)
+	// User-provided opts should override internal opts (e.g. override the Authorization header)
 	client, captured := newTestMantleClient(t, MantleClientConfig{
 		APIKey:    "internal-key",
 		AWSRegion: "us-east-1",
-	}, option.WithAPIKey("override-key"))
+	}, option.WithHeader("Authorization", "Bearer override-key"))
 	sendTestMantleRequest(t, client)
 
-	if got := captured.Headers.Get("X-Api-Key"); got != "override-key" {
-		t.Errorf("expected X-Api-Key %q (from RequestOption override), got %q", "override-key", got)
+	if got := captured.Headers.Get("Authorization"); got != "Bearer override-key" {
+		t.Errorf("expected Authorization %q (from RequestOption override), got %q", "Bearer override-key", got)
 	}
 }
 
@@ -447,6 +447,10 @@ func TestMantleDoesNotLeakAnthropicAPIKey(t *testing.T) {
 	sendTestMantleRequest(t, client)
 
 	if got := captured.Headers.Get("X-Api-Key"); got != "" {
-		t.Errorf("expected no x-api-key header when using SigV4, got %q", got)
+		t.Errorf("expected no X-Api-Key header when using SigV4, got %q", got)
+	}
+	// Authorization header should be SigV4, not Bearer
+	if auth := captured.Headers.Get("Authorization"); !strings.HasPrefix(auth, "AWS4-HMAC-SHA256") {
+		t.Errorf("expected SigV4 Authorization header, got %q", auth)
 	}
 }
diff --git a/internal/awsauth/awsauth.go b/internal/awsauth/awsauth.go
@@ -58,6 +58,10 @@ type ResolveParams struct {
 
 	// ServiceName is the AWS service name used in SigV4 signing.
 	ServiceName string
+
+	// UseBearerAuth, when true, sends the API key as an Authorization: Bearer header
+	// instead of the default X-Api-Key header.
+	UseBearerAuth bool
 }
 
 // ResolvedConfig holds the fully resolved configuration after applying defaults and env vars.
@@ -253,7 +257,11 @@ func CreateClientOptions(ctx context.Context, cfg ClientConfig, params ResolvePa
 	}
 
 	if resolved.APIKey != "" {
-		opts = append(opts, option.WithAPIKey(resolved.APIKey))
+		if params.UseBearerAuth {
+			opts = append(opts, option.WithHeader("Authorization", "Bearer "+resolved.APIKey))
+		} else {
+			opts = append(opts, option.WithAPIKey(resolved.APIKey))
+		}
 	}
 	if resolved.WorkspaceID != "" {
 		opts = append(opts, option.WithHeader("anthropic-workspace-id", resolved.WorkspaceID))

Original file line number	Diff line number	Diff line change
`@@ -109,6 +109,7 @@ func mantleResolveParams() awsauth.ResolveParams {`
`109`	`109`	`EnvBaseURL: "ANTHROPIC_BEDROCK_MANTLE_BASE_URL",`
`110`	`110`	`DeriveBaseURL: func(region string) string { return fmt.Sprintf("https://bedrock-mantle.%s.api.aws/anthropic", region) },`
`111`	`111`	`ServiceName: mantleServiceName,`
	`112`	`+ UseBearerAuth: true,`
`112`	`113`	`}`
`113`	`114`	`}`
`114`	`115`
Original file line number	Diff line number	Diff line change
`@@ -123,11 +123,11 @@ func TestMantleAPIKeyModeHeaders(t *testing.T) {`
`123`	`123`	`})`
`124`	`124`	`sendTestMantleRequest(t, client)`
`125`	`125`
`126`		`- if got := captured.Headers.Get("X-Api-Key"); got != "my-api-key" {`
`127`		`- t.Errorf("expected x-api-key %q, got %q", "my-api-key", got)`
	`126`	`+ if got := captured.Headers.Get("Authorization"); got != "Bearer my-api-key" {`
	`127`	`+ t.Errorf("expected Authorization %q, got %q", "Bearer my-api-key", got)`
`128`	`128`	`}`
`129`		`- if captured.Headers.Get("Authorization") != "" {`
`130`		`- t.Error("expected no Authorization header in API key mode")`
	`129`	`+ if captured.Headers.Get("X-Api-Key") != "" {`
	`130`	`+ t.Error("expected no X-Api-Key header in bearer auth mode")`
`131`	`131`	`}`
`132`	`132`	`}`
`133`	`133`
`@@ -200,8 +200,8 @@ func TestMantleAPIKeyFallbackToAWSEnv(t *testing.T) {`
`200`	`200`	`client, captured := newTestMantleClient(t, MantleClientConfig{})`
`201`	`201`	`sendTestMantleRequest(t, client)`
`202`	`202`
`203`		`- if got := captured.Headers.Get("X-Api-Key"); got != "aws-fallback-key" {`
`204`		`- t.Errorf("expected x-api-key %q (AWS fallback), got %q", "aws-fallback-key", got)`
	`203`	`+ if got := captured.Headers.Get("Authorization"); got != "Bearer aws-fallback-key" {`
	`204`	`+ t.Errorf("expected Authorization %q (AWS fallback), got %q", "Bearer aws-fallback-key", got)`
`205`	`205`	`}`
`206`	`206`	`}`
`207`	`207`
`@@ -213,8 +213,8 @@ func TestMantleAPIKeyMantleEnvOverridesAWSEnv(t *testing.T) {`
`213`	`213`	`client, captured := newTestMantleClient(t, MantleClientConfig{})`
`214`	`214`	`sendTestMantleRequest(t, client)`
`215`	`215`
`216`		`- if got := captured.Headers.Get("X-Api-Key"); got != "mantle-key" {`
`217`		`- t.Errorf("expected x-api-key %q (mantle-specific), got %q", "mantle-key", got)`
	`216`	`+ if got := captured.Headers.Get("Authorization"); got != "Bearer mantle-key" {`
	`217`	`+ t.Errorf("expected Authorization %q (mantle-specific), got %q", "Bearer mantle-key", got)`
`218`	`218`	`}`
`219`	`219`	`}`
`220`	`220`
`@@ -314,8 +314,8 @@ func TestNewMantleClientMessages(t *testing.T) {`
`314`	`314`	`})`
`315`	`315`	`sendTestMantleRequest(t, client)`
`316`	`316`
`317`		`- if got := captured.Headers.Get("X-Api-Key"); got != "test-key" {`
`318`		`- t.Errorf("expected x-api-key %q, got %q", "test-key", got)`
	`317`	`+ if got := captured.Headers.Get("Authorization"); got != "Bearer test-key" {`
	`318`	`+ t.Errorf("expected Authorization %q, got %q", "Bearer test-key", got)`
`319`	`319`	`}`
`320`	`320`	`}`
`321`	`321`
`@@ -369,15 +369,15 @@ func TestMantleClientRequestOptionsOverrideInternal(t *testing.T) {`
`369`	`369`	`t.Setenv("AWS_BEARER_TOKEN_BEDROCK", "")`
`370`	`370`	`t.Setenv("ANTHROPIC_AWS_API_KEY", "")`
`371`	`371`
`372`		`- // User-provided opts should override internal opts (e.g. override the API key header)`
	`372`	`+ // User-provided opts should override internal opts (e.g. override the Authorization header)`
`373`	`373`	`client, captured := newTestMantleClient(t, MantleClientConfig{`
`374`	`374`	`APIKey: "internal-key",`
`375`	`375`	`AWSRegion: "us-east-1",`
`376`		`- }, option.WithAPIKey("override-key"))`
	`376`	`+ }, option.WithHeader("Authorization", "Bearer override-key"))`
`377`	`377`	`sendTestMantleRequest(t, client)`
`378`	`378`
`379`		`- if got := captured.Headers.Get("X-Api-Key"); got != "override-key" {`
`380`		`- t.Errorf("expected X-Api-Key %q (from RequestOption override), got %q", "override-key", got)`
	`379`	`+ if got := captured.Headers.Get("Authorization"); got != "Bearer override-key" {`
	`380`	`+ t.Errorf("expected Authorization %q (from RequestOption override), got %q", "Bearer override-key", got)`
`381`	`381`	`}`
`382`	`382`	`}`
`383`	`383`
`@@ -447,6 +447,10 @@ func TestMantleDoesNotLeakAnthropicAPIKey(t *testing.T) {`
`447`	`447`	`sendTestMantleRequest(t, client)`
`448`	`448`
`449`	`449`	`if got := captured.Headers.Get("X-Api-Key"); got != "" {`
`450`		`- t.Errorf("expected no x-api-key header when using SigV4, got %q", got)`
	`450`	`+ t.Errorf("expected no X-Api-Key header when using SigV4, got %q", got)`
	`451`	`+ }`
	`452`	`+ // Authorization header should be SigV4, not Bearer`
	`453`	`+ if auth := captured.Headers.Get("Authorization"); !strings.HasPrefix(auth, "AWS4-HMAC-SHA256") {`
	`454`	`+ t.Errorf("expected SigV4 Authorization header, got %q", auth)`
`451`	`455`	`}`
`452`	`456`	`}`