Step 1: Create your agent Step 2: Deploy your agent Step 3: Invoke your agent with custom headers Step 4: (Optional) Pass the JWT token used for OAuth based inbound access to your agent

Pass custom headers to Amazon Bedrock AgentCore Runtime

Custom headers let you pass contextual information from your application directly to your agent code without cluttering the main request payload. This includes authentication tokens like JWT (JSON Web Tokens, which contain user identity and authorization claims) through the Authorization header, allowing your agent to make decisions based on who is calling it. You can also pass custom metadata like user preferences, session identifiers, or trace context using headers prefixed with X-Amzn-Bedrock-AgentCore-Runtime-Custom-, giving your agent access to up to 20 pieces of runtime context that travel alongside each request. This information can be also used in downstream systems like AgentCore Memory that you can namespace based on those characteristics like user_id or aud in claims like line of business.

Amazon Bedrock AgentCore Runtime lets you pass headers in a request to your agent code provided the headers match the following criteria:

Header name is one of the following:
- Starts with X-Amzn-Bedrock-AgentCore-Runtime-Custom-
- Equal to Authorization. This is reserved for agents with OAuth inbound access to pass in the incoming JWT token to the agent code.
Header value is not greater than 4KB in size.
Up to 20 headers can be configured per runtime.

Topics

Step 1: Create your agent
Step 2: Deploy your agent
Step 3: Invoke your agent with custom headers
Step 4: (Optional) Pass the JWT token used for OAuth based inbound access to your agent

Step 1: Create your agent

Start by creating a basic agent with the following project structure:



your_project_directory/
├── agent_example.py # Your main agent code
└── requirements.txt # Dependencies for your agent

Create the following files:

agent_example.py

Create your main agent code file and add the following code:


import json
from bedrock_agentcore import BedrockAgentCoreApp, RequestContext
from strands import Agent

app = BedrockAgentCoreApp()
agent = Agent()

@app.entrypoint
def agent_invocation(payload, context: RequestContext):
    """Handler for agent invocation"""
    user_message = payload.get(
        "prompt", "No prompt found in input, please guide customer to create a json payload with prompt key"
    )
    app.logger.info("invoking agent with user message: %s", payload)
    response = agent(user_message)

    # access request headers here
    request_headers = context.request_headers
    app.logger.info("Headers: %s", json.dumps(request_headers))
    return response

app.run()

requirements.txt

Create your dependencies file and add the following dependencies:



strands-agents
bedrock-agentcore

Step 2: Deploy your agent

Configure your agent with the starter toolkit:


agentcore configure --entrypoint agent_example.py \
--name hello_agent \
--execution-role your-execution-role-arn \
--disable-otel \
--requirements-file requirements.txt \
--request-header-allowlist "X-Amzn-Bedrock-AgentCore-Runtime-Custom-H1"

Deploy your agent with the starter toolkit:



agentcore launch

Note the agent runtime ARN from the output. you need it in the next step.

Step 3: Invoke your agent with custom headers

Step 4: (Optional) Pass the JWT token used for OAuth based inbound access to your agent

For information about setting up an agent with OAuth inbound access and enabling an Authorization header to be passed into AgentCore Runtime, see Authenticate and authorize with Inbound Auth and Outbound Auth.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Stream agent responses

Authenticate and authorize with Inbound Auth and Outbound Auth