interface CustomJwtConfiguration
| Language | Type name |
|---|---|
| .NET | Amazon.CDK.AWS.Bedrock.Agentcore.Alpha.CustomJwtConfiguration |
| Go | github.com/aws/aws-cdk-go/awsbedrockagentcorealpha/v2#CustomJwtConfiguration |
| Java | software.amazon.awscdk.services.bedrock.agentcore.alpha.CustomJwtConfiguration |
| Python | aws_cdk.aws_bedrock_agentcore_alpha.CustomJwtConfiguration |
| TypeScript (source) | @aws-cdk/aws-bedrock-agentcore-alpha » CustomJwtConfiguration |
Custom JWT authorizer configuration.
Example
```ts
import * as iam from "aws-cdk-lib/aws-iam";
import * as agentcore from "@aws-cdk/aws-bedrock-agentcore-alpha";

// Create a custom execution role that the AgentCore service can assume
const executionRole = new iam.Role(this, "GatewayExecutionRole", {
  assumedBy: new iam.ServicePrincipal("bedrock-agentcore.amazonaws.com"),
  managedPolicies: [
    iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonBedrockAgentCoreGatewayExecutionRolePolicy"),
  ],
});

// Create gateway with custom execution role
const gateway = new agentcore.Gateway(this, "MyGateway", {
  gatewayName: "my-gateway",
  description: "Gateway with custom execution role",
  protocolConfiguration: new agentcore.McpProtocolConfiguration({
    instructions: "Use this gateway to connect to external MCP tools",
    searchType: agentcore.McpGatewaySearchType.SEMANTIC,
    supportedVersions: [agentcore.MCPProtocolVersion.MCP_2025_03_26],
  }),
  // Custom JWT authorizer: tokens are checked against the issuer metadata
  // at discoveryUrl and against the audience, client and scope allow-lists
  authorizerConfiguration: agentcore.GatewayAuthorizer.usingCustomJwt({
    discoveryUrl: "https://auth.example.com/.well-known/openid-configuration",
    allowedAudience: ["my-app"],
    allowedClients: ["my-client-id"],
    allowedScopes: ["read", "write"],
  }),
  role: executionRole,
});
```
Properties
| Name | Type | Description |
|---|---|---|
| discoveryUrl | string | This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens. |
| allowedAudience? | string[] | Represents individual audience values that are validated in the incoming JWT token validation process. |
| allowedClients? | string[] | Represents individual client IDs that are validated in the incoming JWT token validation process. |
| allowedScopes? | string[] | Represents individual scopes that are validated in the incoming JWT token validation process. |
| customClaims? | Gateway[] | Custom claims for additional JWT token validation. |
discoveryUrl
Type: string
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
Pattern: .+/.well-known/openid-configuration
Required: Yes
allowedAudience?
Type: string[] (optional, default: No audience validation)
Represents individual audience values that are validated in the incoming JWT token validation process.
allowedClients?
Type: string[] (optional, default: No client ID validation)
Represents individual client IDs that are validated in the incoming JWT token validation process.
allowedScopes?
Type: string[] (optional, default: No scope validation)
Represents individual scopes that are validated in the incoming JWT token validation process.
customClaims?
Type: Gateway[] (optional, default: No custom claim validation)
Custom claims for additional JWT token validation.
Allows you to validate additional fields in JWT tokens beyond the standard audience, client, and scope validations.
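Per the defaults listed above, leaving out allowedAudience, allowedClients or allowedScopes turns that check off. The lint below is an added example, not part of the CDK library or this page's own code: it runs over `JwtAuthorizerProps`, a hypothetical local mirror of these properties, and flags omitted allow-lists and a discoveryUrl that does not match the documented pattern. The https-only and non-empty-list rules are assumptions of this example.

```typescript
// Added example: a local mirror of the properties documented above
// (customClaims left out). Nothing here is imported from the CDK package.
interface JwtAuthorizerProps {
  discoveryUrl: string;
  allowedAudience?: string[];
  allowedClients?: string[];
  allowedScopes?: string[];
}

interface Finding {
  severity: "error" | "warning";
  property: string;
  message: string;
}

// Documented discoveryUrl pattern, copied as written and anchored at both ends.
const DISCOVERY_PATTERN = /^.+\/.well-known\/openid-configuration$/;

function lintJwtAuthorizer(props: JwtAuthorizerProps): Finding[] {
  const findings: Finding[] = [];
  const add = (severity: Finding["severity"], property: string, message: string): void => {
    findings.push({ severity, property, message });
  };

  if (!DISCOVERY_PATTERN.test(props.discoveryUrl)) {
    add("error", "discoveryUrl", "must end in /.well-known/openid-configuration");
  }
  // Policy assumed by this example: fetch issuer metadata over TLS only.
  if (!/^https:\/\//i.test(props.discoveryUrl)) {
    add("error", "discoveryUrl", "must be an https:// URL");
  }

  const allowLists: Array<[string, string[] | undefined]> = [
    ["allowedAudience", props.allowedAudience],
    ["allowedClients", props.allowedClients],
    ["allowedScopes", props.allowedScopes],
  ];
  allowLists.forEach(([property, values]) => {
    if (values === undefined) {
      // Documented default: with the property omitted, this validation is off.
      add("warning", property, "omitted, so this claim is not validated");
    } else if (values.length === 0 || values.some((v) => v.trim() === "")) {
      // Policy assumed by this example: empty lists or blank entries are mistakes.
      add("error", property, "empty list or blank entry");
    }
  });
  return findings;
}
```

Calling `lintJwtAuthorizer` on the props object before passing it to `GatewayAuthorizer.usingCustomJwt` lets a build fail on any finding with severity `error`.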
