A lightweight utility library that generates short-term bearer tokens for AWS External Anthropic API authentication using SigV4 presigned URLs.
<dependency>
<groupId>software.amazon.awsexternalanthropic</groupId>
<artifactId>token-generator-for-aws-external-anthropic</artifactId>
<version>1.0.0</version>
</dependency>implementation 'software.amazon.awsexternalanthropic:token-generator-for-aws-external-anthropic:1.0.0'Token duration can be customized (1 second to 12 hours). The actual token lifetime will be:
min(specified duration, credentials expiry, 12 hours). Default is 12 hours.
Credentials and region are resolved from the default provider chains.
import software.amazon.awsexternalanthropic.token.TokenGenerator;
TokenGenerator generator = TokenGenerator.create();
String token = generator.getToken();This example uses STS Assume Role. You can use any supported credentials provider.
import software.amazon.awsexternalanthropic.token.TokenGenerator;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.regions.Region;
import java.time.Duration;
AwsCredentialsProvider assumeRoleProvider = StsAssumeRoleCredentialsProvider.builder()
.refreshRequest(AssumeRoleRequest.builder()
.roleArn("arn:aws:iam::123456789012:role/MyRole")
.roleSessionName("token-session")
.durationSeconds(3600)
.build())
.build();
TokenGenerator generator = TokenGenerator.builder()
.region(Region.US_EAST_1)
.credentialsProvider(assumeRoleProvider)
.expiry(Duration.ofHours(1))
.build();
String token = generator.getToken();Pass credentials, region, and expiry directly. No instance needed.
import software.amazon.awsexternalanthropic.token.TokenGenerator;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import java.time.Duration;
String token = TokenGenerator.getToken(
DefaultCredentialsProvider.create().resolveCredentials(),
Region.US_WEST_2,
Duration.ofHours(6));The generated token has the format:
aws-external-anthropic-api-key-<base64-encoded-payload>
The payload is a Base64-encoded SigV4 presigned URL scoped to the aws-external-anthropic service. The token can be decoded for debugging purposes but should be treated as an opaque string in production.
- Java 8+
- AWS SDK for Java v2 (2.25.28+)
- Token Expiration: Tokens are short-lived with a maximum lifetime of 12 hours. The actual expiry is
min(specified duration, credentials expiry, 12 hours). Use the shortest practical duration for your use case. - Secure Storage: Do not log or store tokens in plain text. Treat them as sensitive credentials.
- No Embedded Credentials: No long-term credentials are embedded in the token. The token contains a SigV4 presigned URL, not the signing keys themselves.
- Credential Management: Use IAM roles or temporary credentials instead of long-term access keys where possible.
- Network Security: Always transmit tokens over HTTPS.
- Least Privilege: Scope IAM permissions to the minimum required for your use case.
- Region Scoping: Tokens are scoped to a specific AWS region and cannot be used across regions.
git clone https://github.com/aws/token-generator-for-aws-external-anthropic-java.git
cd token-generator-for-aws-external-anthropic-java
# Build
mvn clean compile
# Run tests
mvn test
# Create JAR
mvn package -Dgpg.skip=trueSee CONTRIBUTING for more information.
- Prerequisites: Java 8+, Maven 3.6+
- Clone:
git clone https://github.com/aws/token-generator-for-aws-external-anthropic-java.git - Build:
mvn clean compile - Test:
mvn test
This project is licensed under the Apache License, Version 2.0. See the LICENSE file for details.
See CHANGELOG for release history.