feat(bedrock): use auth header for mantle client (#866)

use this token in an `authorization: Bearer <key>` header instead of
`x-api-key`

Author: cameron-mcateer

packages/bedrock-sdk/src/mantle-client.ts

@@ -20,7 +20,7 @@ export interface BedrockMantleClientOptions extends ClientOptions {
   awsRegion?: string | undefined;
 
   /**
-   * API key for x-api-key authentication.
+   * API key for Bearer token authentication.
    *
    * Takes precedence over AWS credential options. If neither `apiKey` nor
    * AWS credentials are provided, falls back to the `AWS_BEARER_TOKEN_BEDROCK`
@@ -100,7 +100,7 @@ export class AnthropicBedrockMantle extends BaseAnthropic {
    * credentials > `awsProfile` > `AWS_BEARER_TOKEN_BEDROCK` env var > default
    * AWS credential chain.
    *
-   * @param {string | undefined} [opts.apiKey] - API key for x-api-key authentication.
+   * @param {string | undefined} [opts.apiKey] - API key for Bearer token authentication.
    * @param {string | null | undefined} [opts.awsAccessKey] - AWS access key ID for SigV4 authentication.
    * @param {string | null | undefined} [opts.awsSecretAccessKey] - AWS secret access key for SigV4 authentication.
    * @param {string | null | undefined} [opts.awsSessionToken] - AWS session token for temporary credentials.
@@ -188,8 +188,8 @@ export class AnthropicBedrockMantle extends BaseAnthropic {
     }
 
     if (!this._useSigV4) {
-      // API key mode — use inherited x-api-key auth
-      return super.authHeaders(opts);
+      // API key / bearer token mode — use Authorization: Bearer header
+      return buildHeaders([{ Authorization: `Bearer ${this.apiKey}` }]);
     }
 
     // SigV4 mode — auth is handled in prepareRequest since it needs the full request

packages/bedrock-sdk/tests/bedrock-mantle.test.ts

@@ -120,6 +120,52 @@ describe('AnthropicBedrockMantle', () => {
     });
   });
 
+  describe('bearer token auth', () => {
+    test('sends Authorization: Bearer header when using apiKey', async () => {
+      const client = new AnthropicBedrockMantle({
+        apiKey: 'test-bearer-token',
+        awsRegion: 'us-east-1',
+        maxRetries: 0,
+      });
+
+      await makeRequest(client);
+
+      const requestInit = mockFetch.mock.calls[0]![1] as RequestInit;
+      const headers = new Headers(requestInit.headers as HeadersInit);
+      expect(headers.get('authorization')).toBe('Bearer test-bearer-token');
+      expect(headers.get('x-api-key')).toBeNull();
+    });
+
+    test('sends Authorization: Bearer header when using AWS_BEARER_TOKEN_BEDROCK env var', async () => {
+      process.env['AWS_BEARER_TOKEN_BEDROCK'] = 'env-bearer-token';
+
+      const client = new AnthropicBedrockMantle({
+        awsRegion: 'us-east-1',
+        maxRetries: 0,
+      });
+
+      await makeRequest(client);
+
+      const requestInit = mockFetch.mock.calls[0]![1] as RequestInit;
+      const headers = new Headers(requestInit.headers as HeadersInit);
+      expect(headers.get('authorization')).toBe('Bearer env-bearer-token');
+      expect(headers.get('x-api-key')).toBeNull();
+    });
+
+    test('does not send Authorization: Bearer header when using SigV4', async () => {
+      const client = new AnthropicBedrockMantle({
+        awsAccessKey: 'my-access-key',
+        awsSecretAccessKey: 'my-secret-key',
+        awsRegion: 'us-east-1',
+        maxRetries: 0,
+      });
+
+      await makeRequest(client);
+
+      expect(mockGetAuthHeaders).toHaveBeenCalledTimes(1);
+    });
+  });
+
   describe('endpoint restrictions', () => {
     test('completions resource is not available', () => {
       const client = new AnthropicBedrockMantle({