AWS Bedrock
Prerequisites
- An AWS account with Bedrock model access enabled for the models you want to use
- Either the AWS CLI configured with SSO OR an IAM user with
bedrock:InvokeModelpermissions
Setup
- Open Settings > AI Text Enhancement > Enterprise > AWS Bedrock
-
Pick an authentication method:
- SSO profile (recommended)
- Access keys
Enter the name of your AWS CLI profile (e.g.default,my-sso-profile).OpenWhispr usesfromNodeProviderChainto resolve credentials — any profile configured viaaws configure ssooraws configureworks.If the profile uses SSO, runaws sso login --profile <name>before using OpenWhispr. The connection test will surface a copy-paste command if your session has expired. -
Pick a region (e.g.
us-east-1,eu-west-1) - Pick a model from the suggested list, click Browse all models to load your account’s full Bedrock catalog, or enter a custom Bedrock model ID
- Click Test Connection — a successful test means credentials resolve and the model is reachable
Curated models
Model IDs are region-aware: the suggested list uses the cross-region inference profile prefix (
us., eu., or apac.) that matches your selected region, and changing the region rewrites an already-picked model to the new geography. Click Browse all models to load your account’s full Bedrock catalog live — resolved against your own credentials and region, so a picked model is always invocable — or enter a custom model ID for anything not in the list.
Troubleshooting
The connection test surfaces all of these with copy-paste remediation commands where applicable.
Agent Mode
Agent Mode (the AI agent overlay with tool-calling) now works with AWS Bedrock, not just text cleanup. Configure Bedrock under Settings > AI Text Enhancement > Enterprise, then select it in Settings > Agent Mode. Enterprise model streams are proxied through the app’s main process for credential signing, so tools, step limits, and streaming behave the same as with the built-in providers.Credentials storage
Enterprise credentials are encrypted at rest using your OS keychain (Keychain on macOS, DPAPI on Windows, libsecret on Linux) via Electron’ssafeStorage API. They are never sent to OpenWhispr’s servers.
Encrypted blobs live alongside your other secrets under the user-data directory:
- macOS:
~/Library/Application Support/OpenWhispr/secure-keys/ - Windows:
%APPDATA%\OpenWhispr\secure-keys\ - Linux:
~/.config/OpenWhispr/secure-keys/
.env in the same directory. On Linux systems without a keyring, secrets fall back to plaintext in .env.