opencode-kiro-multi-auth

OpenCode Kiro Multi-Auth

Production-hardened multi-account authentication plugin for OpenCode — provides access to Claude models via AWS Kiro with intelligent account rotation, encrypted token storage, and automatic failover.

Architecture

src/
├── core/
│   ├── auth/           Token refresh (single-flight), OAuth device flow, CLI sync
│   ├── request/        Request handler, retry strategy, error classification
│   └── account/        Account selection (sticky/round-robin/lowest-usage), usage tracking
├── plugin/
│   ├── storage/        SQLite with AES-256-GCM encryption, WAL mode
│   ├── streaming/      AWS event stream → OpenAI SSE conversion
│   ├── config/         Zod-validated config with env overrides
│   ├── sync/           Kiro CLI database import/export
│   └── ...             Token refresh, HTTP utilities, redaction, logging
├── kiro/               OAuth IDC device code flow, token encoding
├── tui.ts              Interactive account manager (raw ANSI)
├── cli.ts              CLI entry point with guided-add flow
└── plugin.ts           OpenCode plugin registration

Features

• Multi-Account Rotation — sticky, round-robin, or lowest-usage strategies with automatic failover
• Encrypted Storage — AES-256-GCM encryption for all tokens at rest
• Fast-Fail Recovery — detects when all accounts are broken and stops immediately instead of burning iterations
• Single-Flight Refresh — prevents concurrent token refreshes from racing
• Streaming — full AWS event stream → OpenAI SSE conversion with thinking mode support
• TUI Account Manager — interactive terminal UI for managing accounts
• Auto-Sync — imports sessions from Kiro CLI automatically
• Production Hardened — body read timeouts, JSON depth limits, monotonic timing, log redaction

Installation

{
  "plugin": ["opencode-kiro-multi-auth"],
  "provider": {
    "kiro": {
      "models": {
        "claude-sonnet-4-6": {
          "name": "Claude Sonnet 4.6",
          "limit": { "context": 200000, "output": 64000 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
        },
        "claude-sonnet-4-6-thinking": {
          "name": "Claude Sonnet 4.6 Thinking",
          "limit": { "context": 200000, "output": 64000 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] },
          "variants": {
            "low": { "thinkingConfig": { "thinkingBudget": 8192 } },
            "medium": { "thinkingConfig": { "thinkingBudget": 16384 } },
            "max": { "thinkingConfig": { "thinkingBudget": 32768 } }
          }
        },
        "claude-opus-4-6": {
          "name": "Claude Opus 4.6",
          "limit": { "context": 200000, "output": 64000 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] }
        },
        "claude-opus-4-6-thinking": {
          "name": "Claude Opus 4.6 Thinking",
          "limit": { "context": 200000, "output": 64000 },
          "modalities": { "input": ["text", "image", "pdf"], "output": ["text"] },
          "variants": {
            "low": { "thinkingConfig": { "thinkingBudget": 8192 } },
            "medium": { "thinkingConfig": { "thinkingBudget": 16384 } },
            "max": { "thinkingConfig": { "thinkingBudget": 32768 } }
          }
        }
      }
    }
  }
}

See the full model list in the Models section.

Setup

Option 1: Kiro CLI (Recommended)

kiro-cli login

The plugin auto-imports your session on startup via auto_sync_kiro_cli: true.

Option 2: Direct OAuth

opencode auth login
# Select "Other" → type "kiro" → follow prompts

For IAM Identity Center, you'll be prompted for Start URL and region.

Option 3: CLI Account Manager

kiro-multi-auth tui    # Interactive TUI
kiro-multi-auth add    # Guided add flow

Configuration

Edit ~/.config/opencode/kiro.json:

{
  "account_selection_strategy": "lowest-usage",
  "default_region": "us-east-1",
  "auto_sync_kiro_cli": true,
  "max_request_iterations": 50,
  "request_timeout_ms": 120000,
  "token_expiry_buffer_ms": 120000,
  "rate_limit_retry_delay_ms": 5000,
  "rate_limit_max_retries": 3,
  "usage_tracking_enabled": true,
  "reAuthCooldownMs": 60000
}

Key Options

Option	Default	Description
account_selection_strategy	lowest-usage	sticky, round-robin, or lowest-usage
auto_sync_kiro_cli	true	Import sessions from Kiro CLI on startup
max_request_iterations	50	Max retry loop iterations before failing
request_timeout_ms	120000	Total request timeout (ms)
token_expiry_buffer_ms	120000	Refresh tokens this far before expiry
reAuthCooldownMs	60000	Cooldown after failed re-auth attempt
idc_start_url	—	IAM Identity Center Start URL
idc_region	—	IAM Identity Center region (sso_region)
idc_profile_arn	—	CodeWhisperer/Q Developer profile ARN

Environment Overrides

All config options can be overridden via KIRO_* environment variables:

• KIRO_LOG — log level (debug, info, warn, error)
• KIRO_RATE_LIMIT_RETRY_DELAY_MS, KIRO_REQUEST_TIMEOUT_MS, etc.

Models

All Claude models available through Kiro:

Model	Context	Thinking
claude-sonnet-4-6	200K	—
claude-sonnet-4-6-thinking	200K	✓
claude-sonnet-4-6-1m	1M	—
claude-sonnet-4-6-1m-thinking	1M	✓
claude-sonnet-4-5	200K	—
claude-sonnet-4-5-thinking	200K	✓
claude-opus-4-6	200K	—
claude-opus-4-6-thinking	200K	✓
claude-opus-4-6-1m	1M	—
claude-opus-4-6-1m-thinking	1M	✓
claude-opus-4-5	200K	—
claude-opus-4-5-thinking	200K	✓
claude-haiku-4-5	200K	—
claude-haiku-4-5-thinking	200K	✓

Security

• Token Encryption — AES-256-GCM with per-machine key (~/.config/opencode/.kiro-key)
• Log Redaction — JWTs, bearer tokens, and sensitive keys are scrubbed from all log output
• File Ownership — Kiro CLI database ownership verified before import (Unix)
• HTTPS Only — All OAuth URLs validated as HTTPS before use
• Bounded Reads — Response bodies capped to prevent memory exhaustion
• JSON Depth Limit — Parsed responses limited to 20 levels of nesting

Storage

Platform	Database	Config
Linux/macOS	~/.config/opencode/kiro.db	~/.config/opencode/kiro.json
Windows	%APPDATA%\opencode\kiro.db	%APPDATA%\opencode\kiro.json

Troubleshooting

"Exceeded max iterations"

All accounts failed authentication. Run kiro-multi-auth tui to check account health, or kiro-cli login to refresh credentials.

"All Kiro accounts are rate-limited"

Wait for the cooldown period shown in the error message, or add more accounts.

"403 / User is not authorized"

IAM Identity Center requires a profile ARN. Run kiro-cli profile to select one, or set idc_profile_arn in config.

"No accounts"

Ensure kiro-cli login succeeds and auto_sync_kiro_cli is true in config.

CLI Commands

kiro-multi-auth                    Interactive TUI
kiro-multi-auth accounts list      List all saved accounts
kiro-multi-auth accounts add       Guided add flow
kiro-multi-auth accounts sync      Import current Kiro CLI session
kiro-multi-auth accounts switch N  Set account N as active
kiro-multi-auth accounts enable N  Enable account N
kiro-multi-auth accounts disable N Disable account N
kiro-multi-auth accounts reset N   Reset health markers
kiro-multi-auth accounts remove N  Delete saved account

License

MIT