> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ccs.kaitran.ca/llms.txt
> Use this file to discover all available pages before exploring further.

# Kiro Provider

> Kiro OAuth with Builder ID, IDC, token import, and browser-mode control

# Kiro Provider

Access Kiro through CCS with AWS Builder ID, IAM Identity Center (IDC), and
token-import flows. CCS also adds browser-mode control and multi-account
management on top of the upstream auth paths.

## Quick Start

```bash theme={null}
# Default Builder ID flow
ccs kiro --auth

# AWS Builder ID auth-code flow with manual callback paste
ccs kiro --auth --kiro-auth-method aws-authcode --paste-callback

# IAM Identity Center (IDC) flow
ccs kiro --auth --kiro-auth-method idc --kiro-idc-start-url https://d-xxx.awsapps.com/start

# Import an existing token from Kiro IDE
ccs kiro --import
```

<Note>
  Kiro provides a free tier via AWS Builder ID, so the default `aws` path is the
  best starting point for most users.
</Note>

## Authentication

### Auth Methods

| Method         | Availability                      | Typical use                                             |
| -------------- | --------------------------------- | ------------------------------------------------------- |
| `aws`          | CLI + dashboard                   | Default AWS Builder ID device-code flow                 |
| `aws-authcode` | CLI + dashboard                   | AWS Builder ID auth-code flow via local callback server |
| `google`       | CLI + dashboard                   | Google OAuth auth-code flow                             |
| `idc`          | CLI + dashboard                   | IAM Identity Center with required start URL             |
| `github`       | Dashboard account-management flow | Management-only social OAuth flow                       |

The default `ccs kiro --auth` path is `aws`. When upstream shows a Builder ID
vs IDC chooser, CCS auto-selects the Builder ID option instead of waiting for
manual input.

### Callback And Paste-Callback

Callback-based methods can use `--paste-callback` when CCS cannot receive the
redirect directly:

```bash theme={null}
ccs kiro --auth --kiro-auth-method aws-authcode --paste-callback
ccs kiro --auth --kiro-auth-method google --paste-callback
```

Use this when you are authenticating through SSH, reverse proxies, or other
environments where the local callback listener is blocked.

### IDC

IDC requires a start URL:

```bash theme={null}
ccs kiro --auth --kiro-auth-method idc \
  --kiro-idc-start-url https://d-xxx.awsapps.com/start
```

Optional IDC flags:

```bash theme={null}
ccs kiro --auth --kiro-auth-method idc \
  --kiro-idc-start-url https://d-xxx.awsapps.com/start \
  --kiro-idc-region us-east-1 \
  --kiro-idc-flow device
```

`--kiro-idc-flow` defaults to `authcode`. Use `device` only when you
intentionally want the device-code variant.

## Browser Mode

Kiro defaults to normal browser mode in current CCS releases:

```yaml theme={null}
cliproxy:
  kiro_no_incognito: true
```

That keeps AWS login state available for re-auth and avoids common Linux
incognito failures. Use `--no-incognito` when you want to make that choice
explicit from the CLI.

## Token Import From Kiro IDE

```bash theme={null}
ccs kiro --import
```

CCS scans the local Kiro IDE installation, copies the token into
`~/.ccs/cliproxy/auth/`, and registers the account for normal CCS usage.

<Note>
  Import is the fastest recovery path when Kiro IDE is already authenticated.
</Note>

## Multi-Account Support

Kiro accounts use filename-derived identifiers instead of email:

```bash theme={null}
ccs kiro --auth --add
ccs kiro --accounts
ccs kiro --use github-XYZ789
ccs kiro --nickname work-aws
ccs kiro --logout
```

This keeps account identity stable even when the provider does not expose an
email address.

## Configuration

```yaml theme={null}
cliproxy:
  kiro_no_incognito: true
  auth:
    api_key: "ccs-internal-managed"
    management_secret: "ccs"
```

## Commands Reference

```bash theme={null}
# Start default Builder ID auth
ccs kiro --auth

# Use a specific CLI auth method
ccs kiro --auth --kiro-auth-method aws-authcode
ccs kiro --auth --kiro-auth-method google
ccs kiro --auth --kiro-auth-method idc --kiro-idc-start-url https://d-xxx.awsapps.com/start

# Use manual callback paste for callback-based methods
ccs kiro --auth --kiro-auth-method aws-authcode --paste-callback

# Import from IDE instead of browser auth
ccs kiro --import
```

GitHub-backed Kiro account addition is handled from the dashboard account flow,
not from the direct CLI launch path.

## Troubleshooting

### Kiro auth keeps failing on Linux

* Keep `cliproxy.kiro_no_incognito: true`
* Prefer the Builder ID device flow first: `ccs kiro --auth`
* Use `--paste-callback` for callback-based flows when redirects cannot reach CCS

### IDC fails immediately

* Make sure `--kiro-idc-start-url` is present
* Check that the start URL belongs to the expected AWS Identity Center tenant
* Try `--kiro-idc-flow device` if authcode flow is blocked in your environment

### Import cannot find a token

* Confirm Kiro IDE is installed and already authenticated
* If import still fails, fall back to `ccs kiro --auth`

### The wrong account is being used

* Run `ccs kiro --accounts`
* Switch with `ccs kiro --use <account-id>`
* Rename the intended account with `ccs kiro --nickname <name>` if the current
  filename-derived ID is too ambiguous

## Next Steps

* [Provider Overview](/providers/concepts/overview)
* [CLI Commands](/reference/cli-commands)
* [CLI Flags](/reference/cli-flags)
* [Headless Workflow](/features/workflow/headless-workflow)