Claude Platform on AWS exposes the first-party Claude API surface (/v1/messages and friends) behind an AWS-authenticated gateway. For Node.js and TypeScript teams, that means the programming model is the familiar Anthropic SDK, while the authentication is AWS SigV4 request signing — AWS's standard scheme for signing HTTP requests with IAM credentials. A dedicated client handles the signing, the region-based endpoint, and the workspace header so your application code stays platform-agnostic.
The right package — a common mix-up
A frequent mistake is reaching for the Bedrock client (AnthropicBedrock) because "it's Claude on AWS." Amazon Bedrock and Claude Platform on AWS are different services with different endpoints, different model ID formats, and different clients. For Claude Platform on AWS, install the dedicated package:
npm install @anthropic-ai/aws-sdk
The client class is AnthropicAws, imported as the package's default export (import AnthropicAws from "@anthropic-ai/aws-sdk") and constructed with new AnthropicAws(). Per the official docs, the platform-specific SDK clients for Claude Platform on AWS are in beta, so pin your version and watch release notes. Model IDs are the bare first-party strings — claude-sonnet-5, claude-opus-4-8 — with no anthropic. prefix and no ARNs.
Required configuration
Two values are required, with no default fallback:
| Value | Environment variable | Constructor option |
|---|---|---|
| AWS region (workspace's bound region) | AWS_REGION (fallback AWS_DEFAULT_REGION) | awsRegion |
| Workspace ID | ANTHROPIC_AWS_WORKSPACE_ID | workspaceId |
If either cannot be resolved, the constructor throws before any request is sent — deliberately stricter than the Bedrock client, which falls back to us-east-1. The region must match where the workspace lives: workspaces are bound to a single AWS region, and a mismatched SigV4 region produces a generic signature-rejection error rather than a helpful diagnostic. Credentials come from the standard AWS default provider chain (environment variables, shared config and SSO profiles, web identity federation for EKS or GitHub Actions, container credentials, EC2 instance metadata), or from an AWS-Console-generated API key via ANTHROPIC_AWS_API_KEY — full precedence in the environment variable reference.
Streaming with TypeScript types
Streaming on Claude Platform on AWS uses server-sent events (SSE), exactly like the first-party Claude API — not AWS's EventStream format that Bedrock's native APIs use. For a TypeScript codebase this is good news: the streaming surface is the standard Anthropic SDK one, so you consume the response as an async iterable of typed stream events (message start, content block deltas, message stop) with the event types the SDK ships. Code written against the first-party SDK's streaming interface carries over; only the client construction differs. If you are proxying streams to a browser, the SSE framing also passes through ordinary HTTP infrastructure without Bedrock-specific decoding.
Validating end to end
Work through this sequence, in order, and you will touch every layer once:
1. Account prerequisite. Run aws iam enable-outbound-web-identity-federation once per AWS account (verify with aws iam get-outbound-web-identity-federation-info). Skipping this is the most common setup error — every request fails with "Outbound web identity federation is disabled for your account" until it is done.
2. Environment. Export ANTHROPIC_AWS_WORKSPACE_ID (the wrkspc_... ID from the AWS Console) and AWS_REGION.
3. Construction. new AnthropicAws() should succeed silently. A throw here means step 2 is incomplete.
4. One non-streaming request. Call client.messages.create(...) with a small max_tokens and check for a text response. A 403 means the request reached the server — check the workspace ID and that your IAM principal has aws-external-anthropic:CreateInference.
5. One streaming request. Iterate the stream and confirm deltas arrive incrementally. If step 4 passed, failures here are almost always in your own buffering or proxy layer, not the platform.
sk-ant-api... keys do not work on this endpoint, and OAuth authentication is not supported. Your two options are SigV4 via AWS credentials or an API key generated in the AWS Console.Where to go next
Compare with the Python setup, lock permissions down with IAM policy templates, or read streaming on Claude Platform on AWS in depth.