Conduit

Self-hosted, per-user proxy that lets you point Claude Code (and any OpenAI/Anthropic-compatible client) at Temple's AWS Kiro credits via Temple SSO. No more kiro-cli.
Repo:     github.com/continue-com/conduit
Version:  2.4.0+temple.1
SSO:      temple-inc.awsapps.com
Listens:  127.0.0.1:8765

1. Install (one command)

From a clean machine. Prerequisites: python ≥ 3.10, git, gh CLI authenticated, repo read access.

gh api repos/continue-com/conduit/contents/install.sh \
  -H "Accept: application/vnd.github.raw" \
  | CONDUIT_REPO_URL=git@github.com:continue-com/conduit.git bash

What it does:

  1. Clones the repo into ~/.conduit/src/
  2. Builds an isolated venv at ~/.conduit/venv/
  3. Installs the conduit CLI into ~/.local/bin/

If ~/.local/bin isn't on your PATH, add export PATH="$HOME/.local/bin:$PATH" to your ~/.zshrc / ~/.bashrc.

2. First start

conduit start

This:

Sign in → tab confirms “Signed in.” Daemon is live.

3. Use Claude Code

claude

That's it. Claude Code reads ANTHROPIC_BASE_URL + ANTHROPIC_API_KEY from settings.json, talks to Conduit, which forwards via your SSO tokens to runtime.{region}.kiro.dev.

4. How the auth flow works

┌──────────────┐                                          ┌─────────────────────────┐
│ Claude Code  │  POST /v1/messages                       │ AWS IAM Identity        │
│ (or curl)    │  Authorization: Bearer <PROXY_API_KEY>   │ Center: ap-south-1      │
└──────┬───────┘                                          │ (temple-inc SSO)        │
       │                                                  └─────────▲───────────────┘
       ▼                                                            │
┌────────────────────────────────┐                                  │ OIDC device flow
│ Conduit @ 127.0.0.1:8765       │  RFC 8628 device-authorization   │ (one-time on /login)
│  - /v1/messages (Anthropic)    ├──────────────────────────────────┘
│  - /v1/chat/completions (OAI)  │
│  - /login (Temple SSO)         │  ┌────────────────────────────────┐
│  - kiro-auth-token.json (0600) ├─▶│ AWS Q / CodeWhisperer runtime  │
└────────────────────────────────┘  │ runtime.us-east-1.kiro.dev     │
                                    │ (profile ARN from Q profile)   │
                                    └────────────────────────────────┘

5. Cheat sheet

Command                              What it does
conduit start                        Start daemon in background. Opens /login if no creds. Auto-writes Claude settings.
conduit start --no-configure-claude  Same, skip auto-writing ~/.claude/settings.json.
conduit stop                         SIGTERM, then SIGKILL after grace period.
conduit restart                      stop + start.
conduit status                       Running? Port? Healthy? Credentials loaded?
conduit logs                         Tail ~/.conduit/logs/gateway.log. -f to follow.
conduit login                        Reopen browser to /login (e.g., when SSO session expires).
conduit api-key                      Interactive: configures Claude + prints summary.
conduit api-key --raw                Piped output: only the key (for scripts).
conduit configure-claude             Re-write ~/.claude/settings.json env block.
conduit enable-autostart             Install launchd plist (macOS) / systemd user unit (Linux).
conduit update                       git pull + reinstall + restart (install.sh mode only).
conduit uninstall --purge            Stop, remove autostart, delete ~/.conduit/.

6. Filesystem layout

~/.conduit/
├── src/                          git checkout (origin=continue-com/conduit)
├── venv/                         isolated Python env
├── data/
│   ├── credentials.json          account registry (refs kiro-auth-token.json)
│   ├── kiro-auth-token.json      OIDC tokens (accessToken, refreshToken, profileArn) — 0600
│   ├── client_registration.json  cached OIDC client (~90d TTL) — 0600
│   └── state.json                multi-account scheduler state (unused unless ACCOUNT_SYSTEM=true)
├── logs/gateway.log              per-request URL + status (no prompts unless DEBUG_MODE=all)
├── run/{pid,port}                daemon liveness markers
└── api-key                       per-user PROXY_API_KEY — 0600

~/.claude/settings.json              updated env block
~/.claude/settings.json.conduit.bak  one-time backup before first write

7. Troubleshooting

Symptom:  gh api ... 404
Cause:    Repo private + no read access.
Fix:      Ping #infra to be added to continue-com/conduit readers.

Symptom:  install.sh exits with “Need Python 3.10+”
Cause:    System python is 3.9.
Fix:      brew install python@3.13 on macOS, apt install python3.12 on Linux. Then re-run installer.

Symptom:  conduit: command not found
Cause:    ~/.local/bin not on PATH.
Fix:      Add export PATH="$HOME/.local/bin:$PATH" to shell rc, then source it.

Symptom:  /login browser shows blank or refuses
Cause:    Loopback-only mode + you opened via non-loopback URL (e.g. LAN IP).
Fix:      Use exactly http://127.0.0.1:8765/login.

Symptom:  Profile ARN not found after sign-in
Cause:    Your IAM Identity Center user has no Q/CodeWhisperer profile entitlement.
Fix:      Ping IT to attach a CodeWhisperer profile (us-east-1) to your account.

Symptom:  Claude Code says 401 Unauthorized
Cause:    Stale ANTHROPIC_API_KEY in settings.json.
Fix:      conduit configure-claude to refresh, restart Claude Code.

Symptom:  “Token expired” loops
Cause:    SSO refresh failed (e.g., 90-day client registration aged out).
Fix:      rm ~/.conduit/data/client_registration.json && conduit login.

Symptom:  Daemon not running but pid file exists
Cause:    OS killed process without cleanup.
Fix:      rm ~/.conduit/run/*.pid && conduit start.

Symptom:  Bad upstream Kiro response causes infinite retries
Cause:    Auto-retry on first-token timeout.
Fix:      Lower FIRST_TOKEN_MAX_RETRIES=1 in ~/.conduit/src/.env and restart.

8. Security posture

Loopback-only

Daemon binds 127.0.0.1. Not reachable from LAN. /login refuses non-loopback connections by default.

Per-user API key

Auto-generated PROXY_API_KEY at ~/.conduit/api-key (0600). Upstream's public default key is refused at startup.

Per-user creds

Each dev signs in via their own Temple SSO. Tokens live under ~/.conduit/data/ (0600). No shared service account.

No token logging

Access/refresh/client-secret values are never written to logs. Audited.

Settings backup

One-time backup of ~/.claude/settings.json created before first env-block modification. Restore by moving .conduit.bak back.

Updates explicit

conduit update requires the user to run it. No silent fetching. Pin CONDUIT_REPO_BRANCH to a SHA for stability.
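
One way to check the 0600 and loopback-only claims above on your own machine. This is an added example, not part of the Conduit repo: the function names are hypothetical, the paths and port are the ones listed on this page, and the listener check assumes Linux `ss -ltnH` output.

```shell
#!/bin/sh
# Added example: audit the Conduit posture claims (0600 secrets, loopback-only).
# Paths and the port come from this page; function names are hypothetical.
# Usage: audit_conduit_perms [ROOT];  ss -ltnH | nonloopback_listeners 8765

# Print a file's octal mode: GNU stat first, then BSD/macOS stat.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Check that each secret under ROOT (default ~/.conduit) is mode 600.
# Missing files are reported but not counted (e.g. before the first login).
# Returns 0 when every file that exists is 600, 1 otherwise.
audit_conduit_perms() {
  root=${1:-"$HOME/.conduit"}
  bad=0
  for rel in api-key data/kiro-auth-token.json data/client_registration.json; do
    f="$root/$rel"
    if [ ! -e "$f" ]; then
      echo "SKIP  $rel (not present)"
      continue
    fi
    mode=$(file_mode "$f")
    if [ "$mode" = "600" ]; then
      echo "OK    $rel ($mode)"
    else
      echo "FAIL  $rel is $mode, expected 600"
      bad=1
    fi
  done
  return "$bad"
}

# Read `ss -ltnH` lines on stdin (column 4 is Local Address:Port) and print
# the address of any listener on PORT that is not bound to loopback.
# Returns 1 if such a listener exists, 0 otherwise.
nonloopback_listeners() {
  awk -v port="$1" '
    { n = split($4, a, ":"); if (a[n] != port) next
      addr = substr($4, 1, length($4) - length(a[n]) - 1)
      if (addr != "127.0.0.1" && addr != "[::1]") { print addr; found = 1 } }
    END { exit (found ? 1 : 0) }'
}
```

A FAIL line is fixed with chmod 600 on the named file; any address printed by the listener check means something on the port is bound beyond 127.0.0.1.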

9. Day-2 recipes

Sanity-check the gateway with curl

curl -s -X POST http://127.0.0.1:8765/v1/messages \
  -H "Authorization: Bearer $(conduit api-key --raw)" \
  -H "anthropic-version: 2023-06-01" \
  -H "Content-Type: application/json" \
  -d '{"model":"claude-sonnet-4.5","max_tokens":50,
       "messages":[{"role":"user","content":"reply with OK"}]}'

List available models

curl -s -H "Authorization: Bearer $(conduit api-key --raw)" \
  http://127.0.0.1:8765/v1/models | jq .

Tail live request log

conduit logs -f

Reset to a fresh state without uninstalling

conduit stop
rm -rf ~/.conduit/data
conduit start
conduit login

Fully revert (back to vanilla Claude Code)

conduit stop
mv ~/.claude/settings.json.conduit.bak ~/.claude/settings.json
rm ~/.local/bin/conduit
rm -rf ~/.conduit
# log back into Claude Code: /login inside `claude`

10. Glossary

PROXY_API_KEY

The key your local Claude Code uses to authenticate to Conduit. Per-user, auto-generated. Has nothing to do with Anthropic's API.

profileArn

AWS CodeWhisperer/Q profile identifier. Conduit auto-discovers this after first login via ListAvailableProfiles. Determines which AWS region your requests route to.

SSO region vs API region

SSO is in ap-south-1 (Temple's IAM Identity Center). Q API lives in us-east-1 or eu-central-1. Conduit handles the split automatically.

kiro-auth-token.json

On-disk format inherited from upstream Kiro IDE. Stores SSO tokens and profile ARN.

client_registration.json

OIDC client registration cached for ~90 days. Avoids re-registering on every login.