interface CustomJwtConfiguration
| Language | Type name |
|---|---|
| .NET | Amazon.CDK.AWS.Bedrock.Agentcore.Alpha.CustomJwtConfiguration |
| Go | github.com/aws/aws-cdk-go/awsbedrockagentcorealpha/v2#CustomJwtConfiguration |
| Java | software.amazon.awscdk.services.bedrock.agentcore.alpha.CustomJwtConfiguration |
| Python | aws_cdk.aws_bedrock_agentcore_alpha.CustomJwtConfiguration |
| TypeScript (source) | @aws-cdk/aws-bedrock-agentcore-alpha » CustomJwtConfiguration |
Custom JWT authorizer configuration.
Example
```ts
import * as kms from "aws-cdk-lib/aws-kms";
import * as agentcore from "@aws-cdk/aws-bedrock-agentcore-alpha";

// Runs inside a Stack or Construct, where `this` is the construct scope.

// Create a KMS key for encryption
const encryptionKey = new kms.Key(this, "GatewayEncryptionKey", {
  enableKeyRotation: true,
  description: "KMS key for gateway encryption",
});

// Create gateway with KMS encryption
const gateway = new agentcore.Gateway(this, "MyGateway", {
  gatewayName: "my-encrypted-gateway",
  description: "Gateway with KMS encryption",
  protocolConfiguration: new agentcore.McpProtocolConfiguration({
    instructions: "Use this gateway to connect to external MCP tools",
    searchType: agentcore.McpGatewaySearchType.SEMANTIC,
    supportedVersions: [agentcore.MCPProtocolVersion.MCP_2025_03_26],
  }),
  // Custom JWT authorizer: tokens are validated against the issuer metadata
  // at discoveryUrl, and against the listed audiences and client IDs.
  authorizerConfiguration: agentcore.GatewayAuthorizer.usingCustomJwt({
    discoveryUrl: "https://auth.example.com/.well-known/openid-configuration",
    allowedAudience: ["my-app"],
    allowedClients: ["my-client-id"],
  }),
  kmsKey: encryptionKey,
  exceptionLevel: agentcore.GatewayExceptionLevel.DEBUG,
});
```
Properties
| Name | Type | Description |
|---|---|---|
| discoveryUrl | string | This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens. |
| allowedAudience? | string[] | Represents individual audience values that are validated in the incoming JWT token validation process. |
| allowedClients? | string[] | Represents individual client IDs that are validated in the incoming JWT token validation process. |
discoveryUrl
Type: string
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
Pattern: .+/.well-known/openid-configuration
Required: Yes
allowedAudience?
Type: string[] (optional, default: No audience validation)
Represents individual audience values that are validated in the incoming JWT token validation process.
allowedClients?
Type: string[] (optional, default: No client ID validation)
Represents individual client IDs that are validated in the incoming JWT token validation process.
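Because both allow-lists are optional and default to no validation, a configuration that sets only `discoveryUrl` leaves the audience and client ID unchecked. The following pre-deployment check is an added example, not code from the CDK library: `JwtAuthorizerProps` and `auditJwtAuthorizer` are hypothetical names, the https requirement and the handling of empty lists are assumptions, and the sample inputs are constructed.

```typescript
// Structural copy of the three properties documented on this page
// (added example; not imported from the alpha package).
interface JwtAuthorizerProps {
  discoveryUrl: string;
  allowedAudience?: string[];
  allowedClients?: string[];
}

// Pattern quoted in the discoveryUrl documentation, anchored for a full match.
const DISCOVERY_PATTERN = /^.+\/.well-known\/openid-configuration$/;

// Hypothetical helper: one finding per weakness, empty array when clean.
function auditJwtAuthorizer(props: JwtAuthorizerProps): string[] {
  const findings: string[] = [];

  if (!DISCOVERY_PATTERN.test(props.discoveryUrl)) {
    findings.push("discoveryUrl: does not match the documented pattern");
  }
  // Assumption (local policy, not stated on the page): metadata is fetched over TLS.
  if (!/^https:\/\//i.test(props.discoveryUrl)) {
    findings.push("discoveryUrl: scheme is not https");
  }

  // Both lists are optional and default to "no validation" when omitted.
  // Assumption: an empty list is flagged the same way as an omitted one.
  const lists: Array<[string, string[] | undefined]> = [
    ["allowedAudience", props.allowedAudience],
    ["allowedClients", props.allowedClients],
  ];
  for (const [name, values] of lists) {
    if (values === undefined || values.length === 0) {
      findings.push(`${name}: not set, so no validation is applied for it`);
    } else if (values.some((v) => v.trim() === "")) {
      findings.push(`${name}: contains a blank entry`);
    }
  }
  return findings;
}

// Constructed sample inputs: the page's example values, then a weak variant.
const strict = auditJwtAuthorizer({
  discoveryUrl: "https://auth.example.com/.well-known/openid-configuration",
  allowedAudience: ["my-app"],
  allowedClients: ["my-client-id"],
});
const weak = auditJwtAuthorizer({
  discoveryUrl: "http://auth.example.com/.well-known/openid-configuration",
});
console.log({ strict, weak });
```

Run it in a unit test or CI step against the same object literal passed to `usingCustomJwt`, and fail the build on any finding.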
