OpenCode Kiro Auth Plugin

OpenCode plugin for AWS Kiro (CodeWhisperer) providing access to Claude Sonnet and Haiku models with substantial trial quotas.

Features

• Multiple Auth Methods: Supports AWS Builder ID (IDC) and Kiro Desktop (CLI-based) authentication.
• Auto-Sync Kiro CLI: Automatically imports and synchronizes active sessions from your local kiro-cli SQLite database.
• Gradual Context Truncation: Intelligently prevents error 400 by reducing context size dynamically during retries.
• Intelligent Account Rotation: Prioritizes multi-account usage based on lowest available quota.
• High-Performance Storage: Efficient account and usage management using native Bun SQLite.
• Native Thinking Mode: Full support for Claude reasoning capabilities via virtual model mappings.
• Automated Recovery: Exponential backoff for rate limits and automated token refresh.

Installation

Add the plugin to your opencode.json or opencode.jsonc:

{
  "plugin": ["@zhafron/opencode-kiro-auth"],
  "provider": {
    "kiro": {
      "models": {
        "claude-sonnet-4-5": {
          "name": "Claude Sonnet 4.5",
          "limit": { "context": 200000, "output": 64000 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
        },
        "claude-sonnet-4-5-thinking": {
          "name": "Claude Sonnet 4.5 Thinking",
          "limit": { "context": 200000, "output": 64000 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] },
          "variants": {
            "low": { "thinkingConfig": { "thinkingBudget": 8192 } },
            "medium": { "thinkingConfig": { "thinkingBudget": 16384 } },
            "max": { "thinkingConfig": { "thinkingBudget": 32768 } }
          }
        },
        "claude-haiku-4-5": {
          "name": "Claude Haiku 4.5",
          "limit": { "context": 200000, "output": 64000 },
          "modalities": { "input": ["text", "image"], "output": ["text"] }
        },
        "claude-opus-4-5": {
          "name": "Claude Opus 4.5",
          "limit": { "context": 200000, "output": 64000 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
        },
        "claude-opus-4-5-thinking": {
          "name": "Claude Opus 4.5 Thinking",
          "limit": { "context": 200000, "output": 64000 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] },
          "variants": {
            "low": { "thinkingConfig": { "thinkingBudget": 8192 } },
            "medium": { "thinkingConfig": { "thinkingBudget": 16384 } },
            "max": { "thinkingConfig": { "thinkingBudget": 32768 } }
          }
        }
      }
    }
  }
}

Setup

1. Authentication via Kiro CLI (Recommended):
   • Perform login directly in your terminal using kiro-cli login.
   • The plugin will automatically detect and import your session on startup.
   • For AWS IAM Identity Center (SSO/IDC), the plugin imports both the token and device registration (OIDC client credentials) from the kiro-cli database.
2. Direct Authentication:
   • Run opencode auth login.
   • Select Other, type kiro, and press enter.
   • Follow the instructions for AWS Builder ID (IDC).
3. Configuration will be automatically managed at ~/.config/opencode/kiro.db.

Troubleshooting

Error: No accounts

This happens when the plugin has no records in ~/.config/opencode/kiro.db.

1. Ensure kiro-cli login succeeds.
2. Ensure auto_sync_kiro_cli is true in ~/.config/opencode/kiro.json.
3. Retry the request; the plugin will attempt a Kiro CLI sync when it detects zero accounts.

Note for IDC/SSO (ODIC): the plugin may temporarily create an account with a placeholder email if it cannot fetch the real email during sync (e.g. offline). It will replace it with the real email once usage/email lookup succeeds.

Configuration

The plugin supports extensive configuration options. Edit ~/.config/opencode/kiro.json:

{
  "auto_sync_kiro_cli": true,
  "account_selection_strategy": "lowest-usage",
  "default_region": "us-east-1",
  "rate_limit_retry_delay_ms": 5000,
  "rate_limit_max_retries": 3,
  "max_request_iterations": 20,
  "request_timeout_ms": 120000,
  "token_expiry_buffer_ms": 120000,
  "usage_sync_max_retries": 3,
  "auth_server_port_start": 19847,
  "auth_server_port_range": 10,
  "usage_tracking_enabled": true,
  "enable_log_api_request": false
}

Configuration Options

• auto_sync_kiro_cli: Automatically sync sessions from Kiro CLI (default: true).
• account_selection_strategy: Account rotation strategy (sticky, round-robin, lowest-usage).
• default_region: AWS region (us-east-1, us-west-2).
• rate_limit_retry_delay_ms: Delay between rate limit retries (1000-60000ms).
• rate_limit_max_retries: Maximum retry attempts for rate limits (0-10).
• max_request_iterations: Maximum loop iterations to prevent hangs (10-1000).
• request_timeout_ms: Request timeout in milliseconds (60000-600000ms).
• token_expiry_buffer_ms: Token refresh buffer time (30000-300000ms).
• usage_sync_max_retries: Retry attempts for usage sync (0-5).
• auth_server_port_start: Starting port for auth server (1024-65535).
• auth_server_port_range: Number of ports to try (1-100).
• usage_tracking_enabled: Enable usage tracking and toast notifications.
• enable_log_api_request: Enable detailed API request logging.

Storage

Linux/macOS:

• SQLite Database: ~/.config/opencode/kiro.db
• Plugin Config: ~/.config/opencode/kiro.json

Windows:

• SQLite Database: %APPDATA%\opencode\kiro.db
• Plugin Config: %APPDATA%\opencode\kiro.json

Acknowledgements

Special thanks to AIClient-2-API for providing the foundational Kiro authentication logic and request patterns.

Disclaimer

This plugin is provided strictly for learning and educational purposes. It is an independent implementation and is not affiliated with, endorsed by, or supported by Amazon Web Services (AWS) or Anthropic. Use of this plugin is at your own risk.

Feel free to open a PR to optimize this plugin further.