AISdkClient doesn't support AI SDK providers using non-API-key authentication (e.g., AWS Bedrock with IAM)

[tkhduracell]

Description

AISdkClient currently requires all AI SDK providers to expose an apiKey property, which prevents it from working with providers that use alternative authentication methods like AWS SigV4 (IAM credentials).

Reproduction

When trying to use Amazon Bedrock with IAM credentials (the recommended production approach), Stagehand throws an error:

import { createAmazonBedrock } from '@ai-sdk/amazon-bedrock';
import { fromNodeProviderChain } from '@aws-sdk/credential-providers';
import { AISdkClient, Stagehand } from '@browserbasehq/stagehand';

// Using IAM credentials (ECS task role, instance profile, etc.)
const bedrock = createAmazonBedrock({
  region: 'us-east-1',
  credentialProvider: fromNodeProviderChain(),
});

const bedrockClient = new AISdkClient({
  model: bedrock('anthropic.claude-3-sonnet-20240229-v1:0'),
});

const stagehand = new Stagehand({
  env: 'BROWSERBASE',
  llmClient: bedrockClient,
});

await stagehand.init(); // ❌ Error: modelApiKey is required

Root Cause

The error originates from index.js:38340:

if (!modelApiKey) {
  throw new StagehandAPIError("modelApiKey is required");
}

This check assumes all AI SDK language models have an extractable apiKey property. However:

• Providers with API keys (OpenAI, Google, Anthropic direct): Have apiKey property ✅
• Providers with IAM auth (AWS Bedrock): Use SigV4 signing, no apiKey property ❌

Impact

This prevents using Stagehand with:

• AWS Bedrock with IAM credentials (recommended for production)
• Any other AI SDK provider that uses OAuth, certificate-based auth, or other non-API-key methods

Note: AWS Bedrock does support API keys, but the AI SDK's @ai-sdk/amazon-bedrock provider doesn't implement support for them yet (only IAM credentials).

Workaround

Currently, the only option is to use a different provider that supports simple API key authentication (e.g., Google Gemini).

Suggested Solution

Consider one of these approaches:

1. Make the apiKey check optional when llmClient is provided, since the AI SDK handles authentication internally
2. Add a bypass option like disableAPIKeyCheck: true for custom authentication scenarios
3. Extract credentials differently based on the provider type

Since the AI SDK already handles all authentication internally (including SigV4 signing), Stagehand might not need to extract or validate the apiKey when using llmClient.

Environment

• Stagehand version: 3.0.1
• AI SDK version: Latest
• Provider: @ai-sdk/amazon-bedrock 2.0.44
• Environment: AWS ECS with IAM task roles

Additional Context

AWS documentation for Bedrock IAM authentication:
https://docs.aws.amazon.com/bedrock/latest/userguide/security-iam.html

AI SDK Bedrock provider documentation (shows only IAM auth support):
https://ai-sdk.dev/providers/ai-sdk-providers/amazon-bedrock#authentication