简体中文 · English
OpenCode plugin that lets OpenCode use AWS Kiro (CodeWhisperer) as a model provider — Claude Sonnet, Opus, and Haiku, plus the open-weight models Kiro proxies (DeepSeek, GLM, MiniMax, Qwen3) — with substantial trial quotas.
- Features
- Installation
- Setup / Auth
- Configuration
- Multiple accounts & rotation
- Usage display
- Models
- Troubleshooting
- Migration
- Local plugin development
- Development
- Storage
- Acknowledgements
- Upstream sync
- Disclaimer
- License
- Multiple auth methods: AWS Builder ID (IDC), IAM Identity Center (custom Start URL), and Kiro Desktop (CLI-based) authentication.
- Auto-sync Kiro CLI: automatically imports and synchronizes active
sessions from your local
kiro-cliSQLite database. - Gradual context truncation: intelligently prevents error 400 by reducing context size dynamically during retries.
- Intelligent account rotation: prioritizes multi-account usage based on lowest available quota.
- High-performance storage: efficient account and usage management using native Bun SQLite.
- Native thinking mode: full support for Claude reasoning capabilities via virtual model mappings.
- Kiro effort mapping: maps OpenCode thinking budgets to Kiro's native effort levels automatically.
- Automated recovery: exponential backoff for rate limits and automated token refresh.
Add the plugin to your opencode.json or opencode.jsonc:
{
"plugin": ["@sunerpy/opencode-kiro-auth"]
}That alone registers the kiro-auth provider with a default model set. To
customize which models are exposed (including thinking variants), see
Models and the full catalog in
docs/MODELS.md.
- Authentication via Kiro CLI (recommended):
- Log in directly in your terminal with
kiro-cli login. - The plugin automatically bootstraps a minimal
kiro-authplaceholder in OpenCode'sauth.jsonwhen it detects the Kiro CLI database, then imports and synchronizes your active session on startup. - For AWS IAM Identity Center (SSO/IDC), the plugin imports both the token
and device registration (OIDC client credentials) from the
kiro-clidatabase.
- Log in directly in your terminal with
- Direct authentication:
- Run
opencode auth login. - Select
Other, typekiro-auth, and press enter. - You'll be prompted for your IAM Identity Center Start URL and
region (
sso_region). Leave it blank for AWS Builder ID, or enter your company's Start URL (e.g.https://your-company.awsapps.com/start) for IAM Identity Center (SSO). - Note: the TUI
/connectflow does not currently run plugin OAuth prompts (Start URL / region), so Identity Center logins may fall back to Builder ID unless you useopencode auth login(or preconfigure defaults in~/.config/opencode/kiro.json). - For IAM Identity Center, you may also need a profile ARN
(
profileArn) — auto-detected fromkiro-cli profileif available, or setidc_profile_arnmanually. - A browser window opens directly to AWS's verification URL (no local auth server). If it doesn't, copy/paste the URL and enter the code OpenCode prints.
- Run
- Configuration is automatically managed at
~/.config/opencode/kiro.db.
Plugin-wide behavior (auth sync, account selection, retry limits, effort
mapping) lives in ~/.config/opencode/kiro.json. See
docs/CONFIGURATION.md for the full example and every
option.
You can register more than one Kiro account and let the plugin spread requests across them for combined quota and automatic failover.
Adding accounts, two ways:
- Run
opencode auth login, selectkiro-auth, and complete a Builder ID or IAM Identity Center login. Run this once per account — each distinct AWS identity is stored separately inkiro.db. Re-running login for the same identity updates it in place; logging in with a different identity adds a new account. - Auto-sync from Kiro CLI: with
auto_sync_kiro_cli: true(the default), the plugin imports credentials from your localkiro-clidatabase. Switching or adding accounts viakiro-cli loginflows into the plugin automatically, no extra step needed.
Rotation strategy — set account_selection_strategy in
~/.config/opencode/kiro.json:
| Strategy | Behavior | Default |
|---|---|---|
lowest-usage |
Each request picks the healthy account with the lowest used quota | ✅ |
round-robin |
Cycles through accounts in order | |
sticky |
Always uses the first account; switches only when it becomes unhealthy |
Automatic failover requires no configuration: a rate-limited or 403 account is marked unhealthy and the next healthy account takes over. If every account is rate-limited, the plugin waits out the minimum reset time and retries. A circuit breaker trips after 10 consecutive selection failures to avoid a hot loop.
Removing an account: run opencode auth login, select kiro-auth,
choose "Remove a Kiro account (N stored)", then pick the account from the
dropdown (or cancel).
Note: removal is persistent. Once you remove an account it stays removed across restarts and Kiro CLI auto-sync — it won't come back on its own. To re-add it, just log in with that account again via
opencode auth login. See Removing accounts & the removal tombstone for how this works.
Full config key reference: docs/CONFIGURATION.md.
The plugin reads real quota from Kiro's usage API (usedCount/limitCount
per account, e.g. 929/10000) and surfaces it in three places:
- Auth menu label — running
opencode auth loginand selectingkiro-authshows[current: <email> <used>/<limit> (<pct>%)]on the first login method; with multiple accounts they're joined with·, capped at 3 with a+N moresuffix. - Startup toast — once per plugin init, a toast shows
Kiro usage (<email>): <used>/<limit> (<pct>%)a few seconds after OpenCode starts, turning yellow (warning) at ≥90% usage. - Runtime warning — a warning toast fires whenever a selected account is at ≥90% usage.
There is no persistent usage widget in the TUI status bar — usage only
shows up via the label and toasts above. To check usage at any time, either
restart OpenCode (triggers the startup toast) or query kiro.db directly:
python3 -c "import sqlite3;r=sqlite3.connect('$HOME/.config/opencode/kiro.db').execute('SELECT email,used_count,limit_count FROM accounts').fetchall();[print(f'{e}: {u}/{l} (left {l-u})') for e,u,l in r]"The default install exposes Claude Sonnet/Opus/Haiku plus the open-weight
models Kiro proxies. To pin an exact model list or configure thinking-budget
variants, paste the full catalog from docs/MODELS.md into
your provider.kiro-auth.models block.
Thinking budgets map to Kiro's native effort field automatically:
| OpenCode budget | Kiro effort |
|---|---|
<= 10000 |
low |
<= 20000 |
medium |
<= 28000 |
high |
> 28000 |
max |
Details and the full JSON example: docs/MODELS.md.
Note: OpenCode's per-agent thinking level (
--variant/ an agent'svariantinoh-my-openagent.json) isn't honored per agent by this plugin — OpenCode consumes it upstream. Use the globaleffortkey inkiro.jsoninstead. See Reasoning effort for details.
Note: Reasoning-capable Kiro models (Claude Opus 4.x and other reasoning-capable models) stream their chain-of-thought as a separate event, which the plugin surfaces as OpenCode's own reasoning block — shown as "Thought:
<duration>" above the final reply. No config needed. See Reasoning display for details.
Note: Per-request thinking level via model variants — pick
kiro-auth/claude-opus-4-8-xhigh(or similar) straight from the model list to pin an explicit Kiro effort level for that model, nokiro.jsonedit needed. Base models likeclaude-opus-4-8remain available and keep using the globaleffortsetting. See docs/VARIANTS.md for the full variant list and why they exist.
Common issues — 403/AccessDeniedException with IAM Identity Center, "No
accounts", /connect vs opencode auth login, and Kiro CLI OAuth users whose
sync doesn't start — are covered in
docs/TROUBLESHOOTING.md.
If you're upgrading from a version that used the provider id kiro instead of
kiro-auth:
- A stale
kirokey in OpenCode'sauth.jsonwill be claimed by OpenCode's built-inkiroprovider (models.dev provider #91), not this plugin. Remove or ignore that key — this plugin now bootstraps and useskiro-auth. - Any config or session string of the form
kiro/<model>must becomekiro-auth/<model>(e.g.kiro/claude-sonnet-4-5→kiro-auth/claude-sonnet-4-5).
Point OpenCode directly at your local repo path in opencode.json or
opencode.jsonc:
{
"plugin": ["/path/to/opencode-kiro-auth"]
}Then build and restart OpenCode to pick up changes: bun run build.
This project uses Bun. The Makefile is the single source of truth for local checks and mirrors CI:
make install # bun install
make ci # typecheck + fmt-check + test (what CI runs)
make build # tsc + fix-esm-imports -> dist/Agent contributors: see AGENTS.md for the codebase architecture map, invariants that must not break, and the CodeGraph-assisted workflow.
Releases are automated with release-please:
- Use Conventional Commits for commit
messages and pull request titles (
feat:,fix:,chore:, …) — these drive the next version bump automatically. - release-please opens and maintains a release pull request on
main. Merging that PR cuts the git tag + GitHub Release and triggers the workflow that runs typecheck/test/build and then publishes to npm. - Contributors never hand-edit the version in
package.jsonor the files underchangelog/— release-please maintains both.
Linux/macOS:
- SQLite database:
~/.config/opencode/kiro.db - Plugin config:
~/.config/opencode/kiro.json
Windows:
- SQLite database:
%APPDATA%\opencode\kiro.db - Plugin config:
%APPDATA%\opencode\kiro.json
Special thanks to AIClient-2-API for providing the foundational Kiro authentication logic and request patterns.
This package is a fork of
tickernelz/opencode-kiro-auth.
Upstream fixes and improvements are tracked via the upstream git remote
(https://github.com/tickernelz/opencode-kiro-auth.git) and cherry-picked into
this fork as needed.
Note: AIClient-2-API (credited above) is licensed under GPLv3, a strong copyleft license. Because this project's Kiro authentication logic and request patterns are derived from it, this project is now licensed under GPLv3 as well, to comply with AIClient-2-API's copyleft requirements.
This plugin is provided strictly for learning and educational purposes. It is an independent implementation and is not affiliated with, endorsed by, or supported by Amazon Web Services (AWS) or Anthropic. Use of this plugin is at your own risk.
Feel free to open a PR to optimize this plugin further.
GPL-3.0-or-later, see LICENSE