

# Configure an OAuth client

An OAuth client enables your agent to securely access external services on behalf of users without requiring them to share their credentials directly. For example, your agent can access a user’s Google Drive files or Microsoft calendar events through OAuth authentication.

**Topics**
+ [Add OAuth client using included provider](identity-add-oauth-client-included.md)
+ [Update OAuth client](identity-update-oauth-client.md)
+ [Add OAuth client using custom provider](identity-add-oauth-client-custom.md)
+ [Delete OAuth client](identity-delete-oauth-client.md)

# Add OAuth client using included provider

Built-in providers offer streamlined setup for popular services including Google, GitHub, Slack, and Salesforce. These providers have pre-configured authorization server endpoints and provider-specific parameters to reduce development effort.

 **To add an OAuth client using an included provider** 

1. Open the [AgentCore Identity](https://console.aws.amazon.com/bedrock-agentcore/identity) console.

1. In the **Outbound Auth** section, choose **Add OAuth client / API key**, and then select **Add OAuth client**.

1. For **Name**, you can either use the auto-generated name or enter your own descriptive name to help you identify this OAuth client in your account. Use alphanumeric characters, hyphens, and underscores only, with a maximum length of 50 characters.

1. For **Provider**, choose **Included provider**.

1. Choose your identity provider from the available options (Google, GitHub, Microsoft, Salesforce, or Slack).

1. In the **Provider configurations** section, enter your client credentials:

   1. For **Client ID**, enter the unique identifier you received when registering your application with the identity provider.

   1. For **Client secret**, enter the confidential key associated with your client ID. AgentCore Identity securely stores this value for authentication.

1. Choose **Add OAuth Client**.

After you create the OAuth client, AgentCore Identity provides an ARN that you can reference in your agent code to request authentication tokens without embedding sensitive credentials in your application. You can find this ARN on the properties page of the OAuth client (choose the client name in the **Outbound Auth** section).

# Add OAuth client using custom provider

Custom providers enable you to connect to any OAuth2-compatible resource server beyond the built-in provider options. You can configure custom providers by having the system retrieve configuration details automatically, or by providing the server information manually.

 **To add an OAuth client using a custom provider** 

1. Open the [AgentCore Identity](https://console.aws.amazon.com/bedrock-agentcore/identity) console.

1. In the **Outbound Auth** section, choose **Add OAuth client / API key**, and then select **Add OAuth client**.

1. For **Name**, you can either use the auto-generated name or enter your own descriptive name to help you identify this OAuth client in your account. Use alphanumeric characters, hyphens, and underscores only, with a maximum length of 50 characters.

1. For **Provider**, choose **Custom provider**.

1. In the **Provider configurations** section, depending on your provider requirements, choose one of the following options:

   1.  **Discovery URL** (recommended) – Choose this option to have AgentCore Identity automatically retrieve configuration details from your provider. You provide the discovery URL where your provider publishes its OpenID Connect configuration, and AgentCore Identity handles the endpoint discovery process. This is the recommended approach when available as it reduces manual configuration.

      1. For **Client ID**, enter the unique identifier you received when registering your application with the identity provider.

      1. For **Client secret**, enter the confidential key associated with your client ID that AgentCore Identity securely stores for authentication.

      1. For **Discovery URL**, enter the URL where your provider publishes its OpenID Connect configuration. Discovery URLs must end with `.well-known/openid-configuration`. For example, `https://example.com/.well-known/openid-configuration`.

   1.  **Manual config** – Choose this option to specify server information directly when your provider doesn’t support automatic discovery. You’ll define each endpoint URL individually, giving you complete control over the configuration details.

      1. For **Client ID**, enter the unique identifier you received when registering your application with the identity provider.

      1. For **Client secret**, enter the confidential key associated with your client ID that AgentCore Identity securely stores for authentication.

      1. For **Issuer**, enter the base URL that identifies your authorization server. This value appears in the `iss` claim of issued tokens and helps verify token authenticity.

      1. For **Authorization endpoint**, enter the URL where users will be directed to grant permission to your application. This is the entry point for the OAuth authorization flow.

      1. For **Token endpoint**, enter the URL where your agent exchanges authorization codes for access tokens. This endpoint handles the credential exchange process.

      1. (Optional) In the **Response types** section, configure how your OAuth client receives authentication responses by choosing **Add response type** and selecting the token formats your provider should return. Common types include `code` for authorization code flow or `token` for implicit flow.

1. Choose **Add OAuth Client**.

After you complete either configuration, AgentCore Identity securely stores your OAuth settings and provides an ARN that you can reference in your agent code, enabling token requests without embedding sensitive credentials in your application. You can find this ARN on the properties page of the OAuth client (choose the client name in the **Outbound Auth** section).
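Before entering a custom provider's values in the console, you can check that its published metadata is self-consistent. The following is an added example, not AWS code: `check_discovery`, the sample documents, and the `idp.example.com` URLs are constructed for illustration, and treating a missing `code` response type as a finding is a policy choice of this example.

```python
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"

def check_discovery(discovery_url, doc):
    """Return a list of findings; an empty list means the metadata is consistent."""
    findings = []
    url = urlsplit(discovery_url)
    if url.scheme != "https":
        findings.append("discovery URL is not https")
    expected_issuer = None
    if url.path.endswith(SUFFIX):
        # OpenID Connect Discovery: the issuer is the URL prefix before the suffix.
        expected_issuer = f"{url.scheme}://{url.netloc}{url.path[:-len(SUFFIX)]}"
    else:
        findings.append("discovery URL does not end with .well-known/openid-configuration")
    issuer = doc.get("issuer") or ""
    # A trailing slash on the issuer is dropped before the suffix is appended.
    if expected_issuer is not None and issuer.rstrip("/") != expected_issuer:
        findings.append(f"issuer {issuer!r} does not match {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint"):
        value = doc.get(key)
        if not value:
            findings.append(f"{key} is missing")
        elif urlsplit(value).scheme != "https":
            findings.append(f"{key} is not https")
    if "code" not in doc.get("response_types_supported", []):
        findings.append("response type 'code' is not offered")
    return findings

# Constructed sample input (not taken from a real provider).
DISCOVERY_URL = "https://idp.example.com/tenant1/.well-known/openid-configuration"
GOOD_DOC = {
    "issuer": "https://idp.example.com/tenant1",
    "authorization_endpoint": "https://idp.example.com/tenant1/authorize",
    "token_endpoint": "https://idp.example.com/tenant1/token",
    "response_types_supported": ["code"],
}
BAD_DOC = {
    "issuer": "https://login.example.net",                   # different host than the URL
    "authorization_endpoint": "https://idp.example.com/tenant1/authorize",
    "token_endpoint": "http://idp.example.com/tenant1/token",  # cleartext endpoint
    "response_types_supported": ["token"],                   # implicit flow only
}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(name, check_discovery(DISCOVERY_URL, doc))
```

The same checks apply to **Manual config**: pass a dictionary built from the Issuer, Authorization endpoint, and Token endpoint values you intend to enter.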

# Update OAuth client

You can modify the configuration settings for your existing OAuth client. For example, you can update your client credentials (Client ID and Client secret) when they’ve been rotated or changed by your identity provider.

 **To update an OAuth client** 

1. Open the [AgentCore Identity](https://console.aws.amazon.com/bedrock-agentcore/identity) console.

1. In the **Outbound Auth** section, select the OAuth client you want to update.

1. Choose **Edit**.

1. On the **Update OAuth Client** page, update the information as needed.

1. Choose **Update OAuth Client** to save your configuration settings.

The updated OAuth client configuration takes effect immediately and will be used for all subsequent authentication requests made by your agents.

# Delete OAuth client

When you no longer need an OAuth client, you can delete it from your account. Deleting an OAuth client removes the stored configuration and credentials, making them unavailable to your agents. Any invocations that reference the deleted OAuth client will fail once it’s removed. Keep in mind that the same outbound authentication might be used across multiple runtimes and gateways.

 **To delete an OAuth client** 

1. Open the [AgentCore Identity](https://console.aws.amazon.com/bedrock-agentcore/identity) console.

1. In the **Outbound Auth** section, select the OAuth client you want to delete.

1. Choose **Delete**.

1. In the confirmation dialog, type `Delete` to confirm the deletion.

1. Choose **Delete**.

The OAuth client is permanently removed from your account. Any agents or applications that reference this OAuth client’s ARN will no longer be able to access the stored credentials.