[GH-ISSUE #53] BUG: We encountered an issue when using your API key: Streaming error in CURSOR IDE

kerem commented

2026-02-27 07:17:35 +03:00

Owner

Originally created by @imrishabhchauhan on GitHub (Jan 23, 2026).
Original GitHub issue: https://github.com/jwadow/kiro-gateway/issues/53

Kiro Gateway Version

v2.1 (latest)

What happened?

@jwadow Got an error saying "{"error":{"type":"provider","reason":"provider_error","message":"Provider returned 504","retryable":true,"provider":{"status":504,"body":"{"detail":"Streaming failed after 3 attempts. Last error: ConnectError"}"}}}" in Cursor chat.

Note: All the Debug Logs are attached. Thanks.

I have done "git pull" already. Everything is configured in Cursor, Kiro Gateway, and Cloudflared.

I sent this message in Cursor chat "Hello this is a message."

Cursor Error Heading: Unable to reach the Model provider - We encountered an issue when using your API key: Streaming error

Kiro Gateway Screenshot:

Cursor Screenshot:

Cloudflared Tunnel Screenshot:

Debug Logs

Debug Logs are attached:
app_logs.txt
error_info.json
kiro_request_body.json
request_body.json

Originally created by @imrishabhchauhan on GitHub (Jan 23, 2026). Original GitHub issue: https://github.com/jwadow/kiro-gateway/issues/53 ### Kiro Gateway Version v2.1 (latest) ### What happened? @jwadow Got an error saying "{"error":{"type":"provider","reason":"provider_error","message":"Provider returned 504","retryable":true,"provider":{"status":504,"body":"{\"detail\":\"Streaming failed after 3 attempts. Last error: ConnectError\"}"}}}" in Cursor chat. Note: All the Debug Logs are attached. Thanks. I have done "git pull" already. Everything is configured in Cursor, Kiro Gateway, and Cloudflared. I sent this message in Cursor chat "**Hello this is a message.**" Cursor Error Heading: Unable to reach the Model provider - We encountered an issue when using your API key: Streaming error **Kiro Gateway Screenshot:** <img width="1490" height="816" alt="Image" src="https://github.com/user-attachments/assets/8afbade3-26c3-4386-880e-2e7519646f91" /> **Cursor Screenshot:** <img width="1454" height="719" alt="Image" src="https://github.com/user-attachments/assets/e373526e-fb3c-482f-8ed0-f1bd9cbd05fa" /> **Cloudflared Tunnel Screenshot:** <img width="1113" height="626" alt="Image" src="https://github.com/user-attachments/assets/934b3bde-fc2c-4f68-a748-e9a250a92806" /> ### Debug Logs **Debug Logs are attached:** [app_logs.txt](https://github.com/user-attachments/files/24818323/app_logs.txt) [error_info.json](https://github.com/user-attachments/files/24818324/error_info.json) [kiro_request_body.json](https://github.com/user-attachments/files/24818325/kiro_request_body.json) [request_body.json](https://github.com/user-attachments/files/24818326/request_body.json)

kerem added the

upstream

invalid

labels

2026-02-27 07:17:35 +03:00

kerem commented

2026-02-27 07:17:36 +03:00

Author

Owner

@somehow-paul commented on GitHub (Jan 23, 2026):

It looks like there's an issue with your Kiro authentication.

@somehow-paul commented on GitHub (Jan 23, 2026): It looks like there's an issue with your Kiro authentication.

kerem commented

2026-02-27 07:17:37 +03:00

Author

Owner

@jwadow commented on GitHub (Jan 23, 2026):

Hey @imrishabhchauhan!

Looking at your logs, the issue is DNS-related - your system can't resolve the AWS domain name (that's what [Errno 11001] getaddrinfo failed means). This is why both the model list fetch at startup and your actual requests are failing.

What's interesting is that you mentioned in discussions that everything worked fine in the Kiro IDE. If that's the case, it's weird that Python is having issues. This could mean different network environment between IDE and Python process, or some proxy/VPN that affects Python but not the IDE.

Quick diagnostic - run this in your Python environment where Kiro Gateway runs:

python -c "import socket; print('DNS test:', socket.gethostbyname('bedrock-runtime.us-east-1.amazonaws.com'))"

If that fails, try:
python -c "import socket; print('Internet test:', socket.gethostbyname('google.com'))"

If DNS fails:

Check Windows DNS settings (Control Panel → Network → Change adapter settings → Properties → IPv4 → DNS)
Try Google DNS (8.8.8.8) or Cloudflare (1.1.1.1)
Temporarily disable VPN/proxy
Check if antivirus/firewall is blocking Python

If DNS works but Kiro still fails, share the output of those tests and check for proxy environment variables (HTTP_PROXY, HTTPS_PROXY).

Let me know what the diagnostic shows!

@jwadow commented on GitHub (Jan 23, 2026): Hey @imrishabhchauhan! Looking at your logs, the issue is DNS-related - your system can't resolve the AWS domain name (that's what `[Errno 11001] getaddrinfo failed` means). This is why both the model list fetch at startup and your actual requests are failing. What's interesting is that you mentioned in discussions that everything worked fine in the Kiro IDE. If that's the case, it's weird that Python is having issues. This could mean different network environment between IDE and Python process, or some proxy/VPN that affects Python but not the IDE. Quick diagnostic - run this in your Python environment where Kiro Gateway runs: `python -c "import socket; print('DNS test:', socket.gethostbyname('bedrock-runtime.us-east-1.amazonaws.com'))"` If that fails, try: `python -c "import socket; print('Internet test:', socket.gethostbyname('google.com'))"` If DNS fails: 1. Check Windows DNS settings (Control Panel → Network → Change adapter settings → Properties → IPv4 → DNS) 2. Try Google DNS (8.8.8.8) or Cloudflare (1.1.1.1) 3. Temporarily disable VPN/proxy 4. Check if antivirus/firewall is blocking Python If DNS works but Kiro still fails, share the output of those tests and check for proxy environment variables (`HTTP_PROXY`, `HTTPS_PROXY`). Let me know what the diagnostic shows!

kerem commented

2026-02-27 07:17:37 +03:00

Author

Owner

@imrishabhchauhan commented on GitHub (Jan 23, 2026):

Unfortunately, I tried everything but same issue.

I think maybe Kiro has some restrictions on my region. I live in India.

My Kiro auth token file says:
"authMethod": "IdC",
"provider": "Enterprise",
"region": "ap-south-1"

I tried multiple things step by step:

Google DNS configuration
Cloudflare DNS configuration
My VPN/Proxy was disabled completely + No issues with Firewall (I have allowed firewall).

@imrishabhchauhan commented on GitHub (Jan 23, 2026): Unfortunately, I tried everything but same issue. <img width="1113" height="626" alt="Image" src="https://github.com/user-attachments/assets/32f52322-8aca-4b66-aee9-fe4ca1852bc6" /> I think maybe Kiro has some restrictions on my region. I live in India. My Kiro auth token file says: "authMethod": "IdC", "provider": "Enterprise", "region": "ap-south-1" I tried multiple things step by step: - Google DNS configuration - Cloudflare DNS configuration - My VPN/Proxy was disabled completely + No issues with Firewall (I have allowed firewall).

kerem commented

2026-02-27 07:17:37 +03:00

Author

Owner

@imrishabhchauhan commented on GitHub (Feb 8, 2026):

@jwadow I am back to say a huge thanks to you :)

Finally my issue got fixed. My issue was:

Since I live in India, my Kiro was using ap-south-1 (in C:\Users\imris.aws\sso\cache\kiro-auth-token.json). And the same getting fetched every time - no matter what I have included in .env).
So I changed the region in my Kiro Auth Token file.
This fixed everything. Now I am able to use my Kiro tokens in Cursor without issues.
Thanks a lot for this amazing project.

Thanks a lot.

@imrishabhchauhan commented on GitHub (Feb 8, 2026): @jwadow I am back to say a huge thanks to you :) Finally my issue got fixed. My issue was: - Since I live in India, my Kiro was using ap-south-1 (in C:\Users\imris\.aws\sso\cache\kiro-auth-token.json). And the same getting fetched every time - no matter what I have included in .env). - So I changed the region in my Kiro Auth Token file. - This fixed everything. Now I am able to use my Kiro tokens in Cursor without issues. Thanks a lot for this amazing project. --- Thanks a lot.

kerem commented

2026-02-27 07:17:37 +03:00

Author

Owner

@imrishabhchauhan commented on GitHub (Feb 8, 2026):

Hey @jwadow, sorry for tagging again. Sharing a few insights from my experience.

I noticed that now my Kiro Gateway works 100% fine, and I am able to use my Kiro Credits in my Cursor account without any issues. However, I noticed that after 5-10 minutes or more, it starts asking me for authentication. In other words, when I check my Kiro Gateway locks, it says "invalid refresh token" or something like that.

Then I asked ChatGPT about the issue, and ChatGPT told me that I have to manually re-lock into my Kiro ID and then use the new auth token or something like that. I asked ChatGPT to create a GitHub issue, so ChatGPT provided me the below:

TLDR: everything is fine, but after some point Kiro Gateway stops working as intended, and then I have to manually log into Kiro IDE again and then use the new tokens again.

AWS SSO OIDC refresh invalid_grant causes gateway to return 500 and breaks Cursor sessions

Hi, I’m using kiro-gateway with Kiro IDE SSO (AWS IAM Identity Center / SSO OIDC). Intermittently, requests to /v1/chat/completions fail because the gateway attempts an AWS OIDC refresh and receives invalid_grant (“Invalid refresh token provided”). The gateway then returns HTTP 500 to the client (Cursor), which breaks the workflow.

Logs (key lines):

Refresh attempt: https://oidc.us-east-1.amazonaws.com/token
Response: 400 {"error":"invalid_grant","error_description":"Invalid refresh token provided"}
Then: HTTP 500 - POST /v1/chat/completions
(Full log attached)

This happens even though Kiro IDE itself continues working (it can re-auth interactively), but the gateway cannot.

Expected behaviour:

Do not refresh on every request; only refresh on expiry or 401/403 from Kiro API.
If refresh fails with invalid_grant, do not return 500. Return 401/503 with a clear message like “Kiro SSO session expired, re-login in Kiro IDE.”
Keep the gateway running and expose auth state on /health so clients can detect degraded auth cleanly.
When refresh fails, re-read the credentials cache file (e.g. ~/.aws/sso/cache/kiro-auth-token.json) and retry once—Kiro IDE may have updated it.

Environment:

Windows
Auth type: AWS SSO OIDC (Kiro IDE)
Region: us-east-1

Attachments attached :)

app_logs.txt
error_info.json
kiro_request_body.json
request_body.json

@imrishabhchauhan commented on GitHub (Feb 8, 2026): Hey @jwadow, sorry for tagging again. Sharing a few insights from my experience. --- I noticed that now my Kiro Gateway works 100% fine, and I am able to use my Kiro Credits in my Cursor account without any issues. However, I noticed that after 5-10 minutes or more, it starts asking me for authentication. In other words, when I check my Kiro Gateway locks, it says "invalid refresh token" or something like that. Then I asked ChatGPT about the issue, and ChatGPT told me that I have to manually re-lock into my Kiro ID and then use the new auth token or something like that. I asked ChatGPT to create a GitHub issue, so ChatGPT provided me the below: TLDR: everything is fine, but after some point Kiro Gateway stops working as intended, and then I have to manually log into Kiro IDE again and then use the new tokens again. --- **AWS SSO OIDC refresh invalid_grant causes gateway to return 500 and breaks Cursor sessions** Hi, I’m using `kiro-gateway` with Kiro IDE SSO (AWS IAM Identity Center / SSO OIDC). Intermittently, requests to `/v1/chat/completions` fail because the gateway attempts an AWS OIDC refresh and receives `invalid_grant` (“Invalid refresh token provided”). The gateway then returns HTTP 500 to the client (Cursor), which breaks the workflow. **Logs (key lines):** * Refresh attempt: `https://oidc.us-east-1.amazonaws.com/token` * Response: `400 {"error":"invalid_grant","error_description":"Invalid refresh token provided"}` * Then: `HTTP 500 - POST /v1/chat/completions` (Full log attached) This happens even though Kiro IDE itself continues working (it can re-auth interactively), but the gateway cannot. **Expected behaviour:** 1. Do not refresh on every request; only refresh on expiry or 401/403 from Kiro API. 2. If refresh fails with `invalid_grant`, do not return 500. Return 401/503 with a clear message like “Kiro SSO session expired, re-login in Kiro IDE.” 3. Keep the gateway running and expose auth state on `/health` so clients can detect degraded auth cleanly. 4. When refresh fails, re-read the credentials cache file (e.g. `~/.aws/sso/cache/kiro-auth-token.json`) and retry once—Kiro IDE may have updated it. **Environment:** * Windows * Auth type: AWS SSO OIDC (Kiro IDE) * Region: us-east-1 Attachments attached :) [app_logs.txt](https://github.com/user-attachments/files/25158068/app_logs.txt) [error_info.json](https://github.com/user-attachments/files/25158066/error_info.json) [kiro_request_body.json](https://github.com/user-attachments/files/25158067/kiro_request_body.json) [request_body.json](https://github.com/user-attachments/files/25158069/request_body.json)

kerem referenced this issue

2026-02-27 07:17:49 +03:00

[PR #36] [CLOSED] fix: Migrate to Q endpoints & update headers to Kiro IDE 0.8.86 #68

Rows
Columns

[GH-ISSUE #53] BUG: We encountered an issue when using your API key: Streaming error in CURSOR IDE #36

Kiro Gateway Version

What happened?

Debug Logs